Tetrate Istio Subscription PlusVersion: Latest

Policy Bindings

The differences between TSB and Tetrate Istio Subscription Plus (TIS+)

Tetrate Istio Subscription Plus (TIS+) utilizes many of the same components as the Tetrate Service Bridge(TSB) product but has the several distinctions.

Access Policy Bindings.

Binding

A binding associates a role with a set of subjects.

Bindings are used to configure policies, where different roles can be assigned to different sets of subjects to configure a fine-grained access control to the resource protected by the policy.

Field	Description	Validation Rule
role	string REQUIRED The role that defines the permissions that will be granted to the target resource.	string = { min_len: `1` }
subjects	List of tetrateio.api.tsb.rbac.v2.Subject The set of subjects that will be allowed to access the target resource with the permissions defined by the role.	–

Subject

Subject identifies a user or a team under an organization. Roles are assigned to subjects for specific resources in the system.

Field	Description	Validation Rule
user	string ^{oneof _sub} A user in TSB, created through LDAP sync or API. Must use the fully-qualified name (fqn) of the user. E.g. organization/myorg/users/alice	–
team	string ^{oneof _sub} A team in TSB, created through LDAP sync or API. Must use the fully-qualified name (fqn) of the team. E.g. organization/myorg/teams/t1	–
serviceAccount	string ^{oneof _sub} A service account in TSB. Must use the fully-qualified name (fqn) of the service account. E.g. organization/myorg/serviceaccounts/sa1	–

RequiredPermission

Configures the sets of permissions that are required to invoke the method where this option is applied.

Field	Description	Validation Rule
permissions	List of tetrateio.api.tsb.rbac.v2.Permission The required set of permissions. The full name of each permission (such as ReadApplication) will be inferred from the name of the method where this option is applied.	–
rawPermissions	List of string Set of raw permission names values. Only use this if the method being protected does not follow the common naming convention and the proper name of the permission cannot be inferred just by using the Permission enum and the method name.	–
deferPermissionCheckToApplication	bool When this flag is set to true, the permission checks will not be made at the API surface. This is usually needed when there is not an explicit set of permissions that can be preconfigured for the API methods, so the access control checks will be implemented at runtime by the application. The default value is 'false' and will only be taken into account if the permission properties are empty. If any permission is set, this flag will be ignored.	–
baseProto	string The base proto message that the permissions are scoped at. This needs to be used with `tetrateio.api.tsb.types.v2.TypeInfo.permissions_scoped_at` to be able to mark a service or a method to generate scoped permissions.	–

Binding​

Subject​

RequiredPermission​

Binding

Subject

RequiredPermission