authz_filter: configuration to support Ambassador authorization flow #563
Conversation
Signed-off-by: Gabriel <[email protected]>
Signed-off-by: Gabriel <[email protected]>
Signed-off-by: Gabriel <[email protected]>
Signed-off-by: Gabriel <[email protected]>
…service auth Signed-off-by: Gabriel <[email protected]>
Signed-off-by: Gabriel <[email protected]>
Signed-off-by: Gabriel <[email protected]>
Signed-off-by: Gabriel <[email protected]>
| @@ -23,4 +23,25 @@ message ExtAuthz { | |||
| // is NOT denied then traffic will be permitted. | |||
| // Defaults to false. | |||
| bool failure_mode_allow = 2; | |||
|
|
|||
| // When this value is set to true, the filter must call an HTTP authorization service only. | |||
| bool use_http_service = 3; | |||
There was a problem hiding this comment.
I think an enum instead of a bool would allow future extensibility
There was a problem hiding this comment.
Better IMO would actually be to make this a oneof and just merge HttpService as one of the options inside the oneof. This is in general what we are trying to do elsewhere. This brings the enum and the "only use if enum is set" logic together. If this impacts the already implemented non-HTTP code I would just go ahead and change it now since IMO I still consider this filter under development.
There was a problem hiding this comment.
Unless I'm missing something, It seems that the impact on the already implemented non-HTTP code would be the same with either enum or oneof.
The ExtAuthz message would look something like this:
message ExtAuthz {
oneof services {
envoy.api.v2.core.GrpcService grpc_service = 1;
HttpService http_service = 3;
}
bool failure_mode_allow = 2;
}
And the decision on which client to use, somewhere here: https://github.com/envoyproxy/envoy/blob/da0dc5f5dac12651f211e321f9cd7b2c70bedde9/source/server/config/http/ext_authz.cc#L17
There was a problem hiding this comment.
The oneof is a simpler way to represent mutually exclusive config when it's more than just a scalar value, i.e. the message. What you have there is basically what it would look like.
| string cluster = 1; | ||
|
|
||
| // Sets the time in milliseconds within the service should respond to an authorization request. | ||
| uint32 timeout_ms = 2; |
There was a problem hiding this comment.
This should be a google.protobuf.Duration.
|
|
||
| // Sets a list of authorization response headers that are allowed to be injected in the | ||
| // downstream client request before dispatching it to the upstream. | ||
| repeated string allowed_headers = 3; |
There was a problem hiding this comment.
Why is this necessary? Don't we trust the authz server to do the right thing?
There was a problem hiding this comment.
I just copied this from the Datawire's filter. It seems to prevent that all authz headers get copied over to the original request. E.g., content-length.
if (!config_->allowed_headers_.empty()) {
// Yup. Let's see if any of them are present.
for (const std::string& allowed_header : config_->allowed_headers_) {
LowerCaseString key(allowed_header);
// OK, do we have this header?
const HeaderEntry* hdr = response->headers().get(key);
if (hdr) {
// Well, the header exists at all. Does it have a value?
const HeaderString& value = hdr->value();
if (!value.empty()) {
// Not empty! Copy it into our request_headers_.
std::string valstr{value.c_str()};
ENVOY_STREAM_LOG(trace, "ExtAuth allowing response header {}: {}", *callbacks_,
allowed_header, valstr);
addedHeaders = true;
request_headers_->addCopy(key, valstr);
}
}
}
@kflynn Would you mind to help us with this one? Thanks!
There was a problem hiding this comment.
@htuch @mattklein123 Folks we've talked to have been less comfortable with given an auth service carte blanche to change anything it wants going upstream, more comfortable with only allowing it to change known things (cf some of the comments around trust on https://docs.google.com/document/d/1L3aRk9yaT6Lsb4epI6rdjCdStOuwTfhoeSP82zunkGg/edit).
There was a problem hiding this comment.
I'm not sure I really buy this. Why would the filter then trust anything the auth service does? Whether the decision, the response, etc.?
There was a problem hiding this comment.
@mattklein123 I think there were three underlying concerns:
-
Bugs in the auth service are always a thing; having some protection in the upstream-modification path is a bit of a safeguard. Same idea as not wanting even your favorite Unix developer run everything as root.
-
Policy enforcement is sometimes a thing. It may be necessary to be able to tell auditors that only this one specific set of modifications can ever happen, unless the following audited process is followed, etc.
-
Finally, sure, malicious auth services might someday be a thing somewhere? but they clearly do not need unchecked upstream-header modification to wreak havoc, so I don't consider protecting against that case to be a major driver for this config element.
There was a problem hiding this comment.
I agree that it seems a bit arbitrary just policing the headers. If we don't trust the auth service, it can do a lot bad things, e.g. inject content in the reply for the body.
I can see that in some applications, you do want to strip headers unconditionally, when something passes between internal <-> external on edge proxies. We could use a separate filter in the stack for this, would that work in your application? It seems if the auth server can't set that header, backends probably shouldn't be trusted to do it either?
| // modified in the original request before it gets sent to the upstream. | ||
| message HttpResponse { | ||
| // Http status code. | ||
| int32 status_code = 1; |
There was a problem hiding this comment.
You probably want to make this consistent with other uses of status code in the API, e.g.
data-plane-api/envoy/api/v2/route/route.proto
Line 582 in 641920a
| @@ -26,4 +26,22 @@ message CheckRequest { | |||
| message CheckResponse { | |||
| // Status `OK` allows the request. Any other status indicates the request should be denied. | |||
| google.rpc.Status status = 1; | |||
|
|
|||
| // An optional message which contains the attributes of an HTTP response object. This message is | |||
There was a problem hiding this comment.
This PR doesn't make clear how exactly this will work. Does the HTTP service send back a proto with this? Or is this an enhancement for the normal gRPC authz service to provide it the same capabilities as the HTTP authz service?
There was a problem hiding this comment.
@htuch This should be an enhancement for the standard gRPC authz service to be able to respond to HTTP downstream client. I'm not sure if we need map<string, string> headers though since gRPC metadata could be used to accomplish the same thing. In this case, have a list of headers that are allowed to be copied or to be modified seems reasonable to me.
There was a problem hiding this comment.
I think it's definitely the right thing for the gRPC authz service to make it explicit here. Metadata is really about the channel between the gRPC authz server and Envoy, it shouldn't be used to provide additional response information.
| message HttpService { | ||
|
|
||
| // Sets the cluster name which the authorization request must be sent to. | ||
| string cluster = 1; |
There was a problem hiding this comment.
you can mandate this be set. see https://github.com/gsagula/data-plane-api/blob/339db0e1225d31e13ea3d35e7a8459abfbda3970/envoy/api/v2/core/grpc_service.proto#L25
Do you think there would ever be a need for a TLS configuration and also could the http service be made a core service (like grpc_service). (Not asking for you to change anything but thinking out loud).
There was a problem hiding this comment.
TLS config is configured at the cluster level, so I think this is covered.
| // E.g., when the authorization status is not OK, this message can be used by the authorization | ||
| // service to the tell the filter to respond with specific HTTP headers, body, and status code. | ||
| // When the authorization status is OK, this object may include the headers that should be | ||
| // modified in the original request before it gets sent to the upstream. |
There was a problem hiding this comment.
Is the desired behavior that the headers specified here would ONLY modify existing headers in the original request? Could it be that the service could add new headers to the request.
Would it make sense for the authz server to send all the headers that should be sent upstream. So if headers is there then those are the only headers that would get forwarded to upstream? Or can the authz server not have enough context to do that.
There was a problem hiding this comment.
@saumoh Sorry for these confusing words. Yes, it should allow modifying the existing headers as well as inject new ones. I will rephrase all this comment. Thanks for pointing this out.
| // An optional message which contains the attributes of an HTTP response object. This message is | ||
| // particularly useful when the authorization service needs to send specific responses to the | ||
| // downstream client or to modify the request headers before dispatching them to the upstream. | ||
| // E.g., when the authorization status is not OK, this message can be used by the authorization |
There was a problem hiding this comment.
Could you clarify the behavior when the response does not include a HttpResponse at all for both OK and not OK cases. I assume that there is no expectation for a HttpResponse to be there and in that case the behavior will not change from what is there today... right?
There was a problem hiding this comment.
That's right if no extra attributes are passed from a gRPC authz service to the filter, the behavior should continue the same.
| @@ -23,4 +23,25 @@ message ExtAuthz { | |||
| // is NOT denied then traffic will be permitted. | |||
| // Defaults to false. | |||
| bool failure_mode_allow = 2; | |||
|
|
|||
| // When this value is set to true, the filter must call an HTTP authorization service only. | |||
| bool use_http_service = 3; | |||
There was a problem hiding this comment.
Better IMO would actually be to make this a oneof and just merge HttpService as one of the options inside the oneof. This is in general what we are trying to do elsewhere. This brings the enum and the "only use if enum is set" logic together. If this impacts the already implemented non-HTTP code I would just go ahead and change it now since IMO I still consider this filter under development.
| message HttpService { | ||
|
|
||
| // Sets the cluster name which the authorization request must be sent to. | ||
| string cluster = 1; |
There was a problem hiding this comment.
TLS config is configured at the cluster level, so I think this is covered.
|
|
||
| // Sets a list of authorization response headers that are allowed to be injected in the | ||
| // downstream client request before dispatching it to the upstream. | ||
| repeated string allowed_headers = 3; |
|
@htuch @saumoh @mattklein123 @ggreenway Thank you for the review. These are all super valuable questions. Give me some time to review the design, and start to answer all the above. |
htuch
changed the title
|
Per https://github.com/envoyproxy/data-plane-api/issues/458, do you mind moving the config definition to v2alpha, assuming the implementation is not following the API update immediately, or if there is a chance of backwards-incompatible changes. |
|
@kyessenov I will do it. |
Signed-off-by: Gabriel <[email protected]>
Signed-off-by: Gabriel <[email protected]>
Signed-off-by: Gabriel <[email protected]>
Signed-off-by: Gabriel <[email protected]>
|
@htuch @kyessenov @mattklein123 Thanks for the initial review. Please, feel free to take another look whenever you get a chance. |
| // The external authorization HTTP service configuration. | ||
| message HttpService { | ||
| // Sets the cluster name which the authorization request must be sent to. | ||
| string cluster = 1; |
There was a problem hiding this comment.
Wondering if https://github.com/envoyproxy/data-plane-api/blob/master/envoy/api/v2/core/http_uri.proto#L9 would be appropriate here. Leaning towards saying "no", since we are probably not making arbitrary HTTP calls and can statically configure the service, but if we want to leave room for growing to a dynamic auth service resolution later, then HttpUri might be appropriate.
There was a problem hiding this comment.
As far as it is compatible with the previous design, which seems that it is, I think HttpUri makes sense. I'm not entirely sure about what this change though.
| HttpService http_service = 3; | ||
| } | ||
|
|
||
| bool failure_mode_allow = 2; |
|
|
||
| // [#proto-status: draft] | ||
|
|
||
| package envoy.service.auth.v2alpha; |
There was a problem hiding this comment.
These are just copies from the existing protos? How come the existing ones aren't being deleted (i.e. this isn't a move)?
There was a problem hiding this comment.
Yes, I just copied them. I wasn't 100% sure if I should delete the old ones.
Signed-off-by: Gabriel <[email protected]>
Signed-off-by: Gabriel <[email protected]>
|
LGTM, thanks for the patience during iteration. @saumoh @kyessenov @kflynn I'll merge once you folks sign-off. |
|
|
||
| // Sets the time, in milliseconds, within the service should respond to an authorization | ||
| // request. | ||
| google.protobuf.Duration timeout = 2 [(gogoproto.stdduration) = true]; |
There was a problem hiding this comment.
Thoughts on merging this into HttpUri? Everyone needs this.
There was a problem hiding this comment.
Good point. I will do it.
|
Also, heads up on this PR: envoyproxy/envoy#2915 |
| envoy.api.v2.core.GrpcService grpc_service = 1; | ||
|
|
||
| // The external authorization HTTP service configuration. | ||
| HttpService http_service = 3; |
There was a problem hiding this comment.
Is it ok to re-index them? bool failure_mode_allow = 3?
There was a problem hiding this comment.
you are right oneof doesn't encapsulate the messages under it. We can leave it as is.
| syntax = "proto3"; | ||
|
|
||
| package envoy.config.filter.http.ext_authz.v2alpha; | ||
| option go_package = "v2"; |
There was a problem hiding this comment.
can you please change this to v2alpha?
| @@ -2,13 +2,14 @@ syntax = "proto3"; | |||
|
|
|||
| // [#proto-status: draft] | |||
|
|
|||
| package envoy.service.auth.v2; | |||
| package envoy.service.auth.v2alpha; | |||
| option go_package = "v2"; | |||
There was a problem hiding this comment.
same here, v2alpha instead of v2
|
Thanks, everyone for the reviews! I will do these changes later today. |
Signed-off-by: Gabriel <[email protected]>
|
Please, feel free to take another look. Thanks! |
| @@ -34,4 +38,7 @@ message HttpUri { | |||
| // | |||
| string cluster = 2 [(validate.rules).string.min_bytes = 1]; | |||
| } | |||
|
|
|||
| // Sets the maximum duration in milliseconds that a response can take to arrive upon request. | |||
There was a problem hiding this comment.
What's the default if not specified?
There was a problem hiding this comment.
Would be better to make this required and >= 0? It's not clear to me when/how to enforce the default value.
Signed-off-by: Gabriel <[email protected]>
This PR extends the current Ext_Authz filter to allow optional HTTP attributes being passed from the Authorization service down to client or, to the upstream services. I would like to get some feedback on the changes to the current gRPC async client and filter before moving to implementation of HTTP part of this extension and tests. *issue: #2828 Risk Level: Medium Testing: Manual, unit testing. Docs Changes: envoyproxy/data-plane-api#563 Signed-off-by: Gabriel <[email protected]>
This PR extends the current Ext_Authz filter to allow optional HTTP attributes being passed from the Authorization service down to client or, to the upstream services. I would like to get some feedback on the changes to the current gRPC async client and filter before moving to implementation of HTTP part of this extension and tests. *issue: #2828 Risk Level: Medium Testing: Manual, unit testing. Docs Changes: #563 Signed-off-by: Gabriel <[email protected]> Mirrored from https://github.com/envoyproxy/envoy @ 5244597e93c70b4945c03a9fc55f8924a2da6fbc
This PR includes the necessary modifications in support of envoyproxy/envoy#2828.
Added additional configuration to
ext_authz.protoso that the filter is able to call an HTTP/1.1 authorization service.In
external_auth.proto, added a nested message to CheckResponse that allows the authorization service to pass additional HTTP response attributes back to the authz filter.