Multiple identity roles for a single service policy

  • dial policies allow identities to access a service
  • access can be handled by referencing an identity's role attribute as the dial policy's service roles
  • the commands below show a reachable service, then my attempt to update the dial policy to have multiple service roles. What am I doing wrong? Did I pass the wrong format for the argument?
  • using cli

1. With one attribute per service policy

  • dial policy only using one attribute #demo-identity-group in identity roles
  • policy advisor shows service can be reached
# ziti edge list service-policies
╭────────────────────────┬───────────────────────────────────────────────────────────────────────────────────────────────────────┬──────────┬────────────────────────────────────────────────────────────────────────────────────────────────────┬────────────────────────────────────────────────────────┬─────────────────────╮
│ ID                     │ NAME                                                                                                  │ SEMANTIC │ SERVICE ROLES                                                                                      │ IDENTITY ROLES                                         │ POSTURE CHECK ROLES │
├────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼──────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────┼─────────────────────┤
│ 51QEXUYjOAxeG8EiNgOk8y │ demo-dial-policy                                                                                      │ AllOf    │ @demo-service                                                                                      │ #demo-identity-group                                   │                     │
│ 5oRw5UKWSyjJeVZ4xDHzgE │ demo-bind-policy                                                                                      │ AllOf    │ @demo-service                                                                                      │ #demo-router-group                                     │                     │
╰────────────────────────┴───────────────────────────────────────────────────────────────────────────────────────────────────────┴──────────┴────────────────────────────────────────────────────────────────────────────────────────────────────┴────────────────────────────────────────────────────────┴─────────────────────╯
# ziti edge policy-advisor services trino-demo-service -q
OKAY : demo-router (3) -> demo-service (3) Common Routers: (3/3) Dial: N Bind: Y

OKAY : demo (3) -> demo-service (3) Common Routers: (3/3) Dial: Y Bind: N

OKAY : client (3) -> demo-service (3) Common Routers: (3/3) Dial: Y Bind: 

2. With 2 attributes in dial policy

  • policy advisor shows service cannot be accessed
# ziti edge update service-policy  trino-demo-dial-policy --identity-roles '#demo-identity-group,#group2'
# ziti edge policy-advisor services trino-demo-service -q
OKAY : demo (3) -> trino-demo-service (3) Common Routers: (3/3) Dial: N Bind: Y
# ziti edge list service-policies
╭────────────────────────┬───────────────────────────────────────────────────────────────────────────────────────────────────────┬──────────┬────────────────────────────────────────────────────────────────────────────────────────────────────┬────────────────────────────────────────────────────────┬─────────────────────╮
│ ID                     │ NAME                                                                                                  │ SEMANTIC │ SERVICE ROLES                                                                                      │ IDENTITY ROLES                                         │ POSTURE CHECK ROLES │
├────────────────────────┼───────────────────────────────────────────────────────────────────────────────────────────────────────┼──────────┼────────────────────────────────────────────────────────────────────────────────────────────────────┼────────────────────────────────────────────────────────┼─────────────────────┤
│ 51QEXUYjOAxeG8EiNgOk8y │ demo-dial-policy                                                                                      │ AllOf    │ @demo-service                                                                                      │ #demo-identity-group #group01                          │                     │
│ 5oRw5UKWSyjJeVZ4xDHzgE │ demo-bind-policy                                                                                      │ AllOf    │ @demo-service                                                                                      │ #demo-router-group                                     │                     │
╰────────────────────────┴───────────────────────────────────────────────────────────────────────────────────────────────────────┴──────────┴────────────────────────────────────────────────────────────────────────────────────────────────────┴────────────────────────────────────────────────────────┴─────────────────────╯

Upon doing some more digging into the docs, I believe it is the semantic value for the service-policy that is my problem.

  • The allOf semantic will include only entities that have all the listed role attributes
  • The anyOf semantic will include all entities that have any of the listed role attributes

Will try changing this to fix it.

Yep that was the exact issue.
Recreated the service-policy, as it doesn't look like the semantic can be updated.


ziti edge create service-policy "$DIAL_POLICY_NAME" Dial --service-roles "@$SERVICE_NAME" --identity-roles "#$IDENTITY_GROUP1,#$IDENTITY_GROUP2" --semantic AnyOf
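To make the AllOf/AnyOf difference concrete, here is a small Python model of how a service policy's identity-roles select identities. It is an added example, not code from the thread or from the OpenZiti project; the identities and the exact matching rules (including the special '#all' role) are a simplified model, not the controller's implementation.

```python
# Added example (not from the thread or OpenZiti): model of how a service
# policy's role list selects identities under the AllOf vs AnyOf semantic.
from dataclasses import dataclass, field


@dataclass
class Identity:
    name: str
    role_attributes: set = field(default_factory=set)


def identity_matches(identity, roles, semantic):
    """Return True if the policy's role list selects this identity.

    roles: list such as ['#demo-identity-group', '#group2', '@some-identity'].
    '#x' selects identities carrying role attribute x, '@name' names one
    identity directly, and '#all' selects every identity (Ziti's special role).
    semantic: 'AllOf' requires every listed role to match, 'AnyOf' at least one.
    """
    if '#all' in roles:
        return True

    def matches(role):
        if role.startswith('#'):
            return role[1:] in identity.role_attributes
        if role.startswith('@'):
            return role[1:] == identity.name
        raise ValueError(f"bad role selector {role!r}")

    results = [matches(r) for r in roles]
    if semantic == 'AllOf':
        return all(results)
    if semantic == 'AnyOf':
        return any(results)
    raise ValueError(f"unknown semantic {semantic!r}")


def identities_with_dial(identities, roles, semantic):
    """Names of identities the dial policy would grant access to, sorted."""
    return sorted(i.name for i in identities if identity_matches(i, roles, semantic))


# Constructed identities modelled on the thread: 'demo' carries only
# demo-identity-group, 'client' only group2, 'both' carries both attributes.
IDENTITIES = [
    Identity('demo', {'demo-identity-group'}),
    Identity('client', {'group2'}),
    Identity('both', {'demo-identity-group', 'group2'}),
]
ROLES = ['#demo-identity-group', '#group2']

if __name__ == '__main__':
    print('AllOf:', identities_with_dial(IDENTITIES, ROLES, 'AllOf'))  # ['both']
    print('AnyOf:', identities_with_dial(IDENTITIES, ROLES, 'AnyOf'))  # ['both', 'client', 'demo']
```

With AllOf, an identity in only one of the two groups drops out of the policy, which is why the advisor reported Dial: N after the update.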

Hi @yemaney, glad you figured it out. We're considering changing the default semantic for new service policies to be anyOf, since that's what most people seem to expect.

cheers,
Paul