Fold Ambassador auth functionality into ext_authz #2828
Comments
…563) This PR includes the necessary modifications in support of envoyproxy/envoy#2828. Added additional configuration to ext_authz.proto so that the filter is able to call an HTTP/1.1 authorization service. In external_auth.proto, added a nested message to CheckResponse that allows the authorization service to pass additional HTTP response attributes back to the authz filter. Signed-off-by: Gabriel <gsagula@gmail.com>
|
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions. |
stale
bot
added
the
stale
|
#3162 is progressing through review. I'll make a pass probably tomorrow AM over the checklist above. |
stale
bot
removed
the
stale
This PR extends the current Ext_Authz filter to allow optional HTTP attributes being passed from the Authorization service down to client or, to the upstream services. I would like to get some feedback on the changes to the current gRPC async client and filter before moving to implementation of HTTP part of this extension and tests. *issue: #2828 Risk Level: Medium Testing: Manual, unit testing. Docs Changes: envoyproxy/data-plane-api#563 Signed-off-by: Gabriel <gsagula@gmail.com>
|
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions. |
stale
bot
added
the
stale
|
cc: @gsagula |
stale
bot
removed
the
stale
|
@richarddli Except with one issue in the raw HTTP auth client, the #2828 is done. Please, see Matt's comment about the current raw HTTP client approach #3888. |
|
OK let's close this and we can track addition work as individual issues. Thank you all! |
|
Thanks all! 😄 |
Ambassador's auth filter (described in #2621) is deliberately more general than the authz mechanism embodied by
external_auth.protoand implemented in #2417. After discussions between Envoy, Tigera, and Datawire folks, it seems that the best way forward is to fold Ambassador's auth functionality into the existing auth filter.This issue will track the work of getting this done. We expect it to comprise multiple PRs, starting with a
data-plane-apiPR.Description:
There are several tasks here:
The auth service needs to be able to control the response back to the downstream client on auth failure.
This should require enabling it in config, and currently will apply only to HTTP requests.
external_auth.prototo allow the auth service to pass back HTTP status, headers, and body on failureThe auth service needs to be able to modify the request that continues downstream on success.
"Modifying the request" here means allowing the auth service to send back HTTP headers to inject into the request as it goes upstream. This will also apply only to HTTP requests, and only headers that have been whitelisted in config will be accepted for injected.
external_auth.prototo allow the auth service to pass HTTP headers to inject on success.The auth service needs to support raw HTTP requests to the auth service, rather than gRPC.
Only the HTTP method and headers will be passed to the auth service: no body will be passed, and no TLS and peer information will be passed (unless
X-Forwarded-*headers are present). The HTTPContent-Lengthheader will be forced to 0.encapsulationattribute, which will default togRPC.The text was updated successfully, but these errors were encountered: