Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Bypass Authentication via Configuration #174

Closed
plombardi89 opened this issue Dec 13, 2017 · 4 comments
Closed

Bypass Authentication via Configuration #174

plombardi89 opened this issue Dec 13, 2017 · 4 comments

Comments

@plombardi89
Copy link
Contributor

plombardi89 commented Dec 13, 2017

Many types of services need to be public or universally accessible without an authentication or authorization check. For example, Datawire's Scout service.

Another use case is dynamically generated hosts or paths, for example, using Forge it is common to use the {{ service.name }}-{{ branch.name }} strategy to provide independent URL's to access development versions of a service. Asking developers to continually update a rules table for that kind of information seems like a pain.

To accomodate these use cases with the external auth module in Ambassador currently the module developer needs to create a way for developers to specify whitelist rules. Some strategies include updating an in-memory data structure such as a set of ignorable Hosts and Paths. Another idea might be an external database or some other piece of shared storage. The service author can then read and use that configuration to configure whitelist rules. However, this is not ideal... it puts a burden on the external auth developer to think about this functionality up front and also exposes a less than ideal UX.'

It would be preferable if Ambassador's configuration mechanism could specify whitelist properties that would tell Envoy to skip routing to the Auth service in certain cases, for example.

The bypass mechanism ideally should support host header and URL paths.

@richarddli
Copy link
Contributor

This is now supported in Envoy, we can do this. Per @gsagula current Ambassador 0.50 Envoy already has the necessary code:

https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/ext_authz_filter.html?highlight=authz#per-route-configuration

@kflynn
Copy link
Member

kflynn commented Jan 7, 2019

Note #329, which asked about supporting regexes in the configuration of which mapping gets which auth. (Whether this can be supported is a question of the underlying Envoy support, of course.)

@patricksanders
Copy link
Contributor

I've started exploring this a bit, but I ran into an error:

gRPC config for type.googleapis.com/envoy.api.v2.Listener rejected: Error adding/updating listener ambassador-listener-443: Unable to parse JSON as proto (INVALID_ARGUMENT:(route_config.virtual_hosts[0].routes[3].route) per_filter_config: Cannot find field.)

This is the relevant snippet of the Envoy config that's generated:

{
  "route": {
    "per_filter_config": {
      "envoy.ext_authz": {
        "disabled": true
      }
    },
    "timeout": "3.000s",
    "weighted_clusters": {
      "clusters": [
        {
          "weight": 100,
          "name": "cluster_httpbin_org_80"
        }
      ]
    },
    "priority": null,
    "prefix_rewrite": "/",
    "host_rewrite": "httpbin.org"
  },
  "match": {
    "prefix": "/httpbin/ip",
    "headers": [
      {
        "exact_match": "[snip]:8443",
        "name": ":authority"
      }
    ],
    "case_sensitive": true
  }
}

As far as I can tell, this is a valid config based on the docs. Is there anyone who's more familiar with configuring Envoy that could point me in the right direction here?

For reference, here are the changes I've made compared to 0.50.0 (still a very early WIP): release/0.50.0...patricksanders:patricksanders/feature/auth-bypass

@gsagula
Copy link
Contributor

gsagula commented Jan 17, 2019

As per Slack conversation, the correct way to use routes and per_filter_config:

{
  "routes": [
    {
      "match": {
        "prefix": "/foo"
      },
      "route": {
        "cluster": "foo"
      },
      "per_filter_config": {
        "envoy.ext_authz": {
          "disabled": true
        }
      }
    },
    {
      "match": {
        "prefix": "/bar"
      },
      "route": {
        "cluster": "bar"
      }
    }
  ]
}

LukeShu pushed a commit that referenced this issue Sep 6, 2019
implement some very basic ready and health probes
ark3 pushed a commit that referenced this issue Jan 8, 2020
[GA] Run a broken link checker from CI
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants