refactor istio.io security page Authz part

xulingqing · xulingqing · commit b2c4dd1d6861 · 2021-08-09T11:35:04.000-07:00
diff --git a/content/en/docs/concepts/security/index.md b/content/en/docs/concepts/security/index.md
@@ -522,8 +522,6 @@ the following benefits:
 - High performance: Istio authorization (`ALLOW` and `DENY`) is enforced natively on Envoy.
 - High compatibility: supports gRPC, HTTP, HTTPS and HTTP/2 natively, as well as any plain TCP protocols.
 
-### Authorization architecture
-
 The authorization policy enforces access control to the inbound traffic in the
 server side Envoy proxy. Each Envoy proxy runs an authorization engine that authorizes requests at
 runtime. When a request comes to the proxy, the authorization engine evaluates
@@ -536,26 +534,16 @@ authorization policies using `.yaml` files.
     caption="Authorization Architecture"
     >}}
 
-### Implicit enablement
-
-You don't need to explicitly enable Istio's authorization features; they are available after installation.
-To enforce access control to your workloads, you apply an authorization policy.
-
-For workloads without authorization policies applied, Istio allows all requests.
-
-Authorization policies support `ALLOW`, `DENY` and `CUSTOM` actions. You can apply multiple policies, each with a
-different action, as needed to secure access to your workloads.
+### Policy Precedence
 
-Istio checks for matching policies in layers, in this order: `CUSTOM`, `DENY`, and then `ALLOW`. For each type of action,
-Istio first checks if there is a policy with the action applied, and then checks if the request matches the policy's
-specification. If a request doesn't match a policy in one of the layers, the check continues to the next layer.
+Authorization features are implicitly enabled. For workloads without authorization policies applied, Istio allows all requests.
+To enforce access control to your workloads, you may apply one or multiple authorization policies with `ALLOW`, `DENY` and `CUSTOM` actions.
+When you apply multiple authorization policies to the same workload, Istio applies them additively.
 
-The following graph shows the policy precedence in detail:
+Istio checks for matching policies in layers by the order: `CUSTOM`, `DENY`, `ALLOW`. The following graph shows the policy precedence in detail:
 
 {{< image width="50%" link="./authz-eval.png" caption="Authorization Policy Precedence">}}
 
-When you apply multiple authorization policies to the same workload, Istio applies them additively.
-
 ### Authorization policies
 
 To configure an authorization policy, you create an
