Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ext_authz should not change the default admittance behavior #35610

Closed
yanavlasov opened this issue Aug 6, 2024 · 5 comments · Fixed by #35637
Closed

ext_authz should not change the default admittance behavior #35610

yanavlasov opened this issue Aug 6, 2024 · 5 comments · Fixed by #35637
Labels
area/ext_authz bug

Comments

@yanavlasov
Copy link
Contributor

yanavlasov commented Aug 6, 2024
edited
Loading

PR #34951 made a change where only two gRPC errors by default are treated as "access denied" errors. The reset are treated as infrastructure errors, subject to the fail-open configuration option.

This can result in a behavior change when upgrading the version of Envoy that contains this change. For example if ext_authz server is returning the CANCELLED error (i.e. due to exceeding a rate limit), then before Envoy would deny the request, and after upgrade it would allow it if it is configured to fail open.

This would lead to the bypass of the authorization policy.

Operators may miss this change, if their qualification tests are returning PERMISSION_DENIED status and do not test for conditions where other status codes may be returned.

In general the existing behavior of the security enforcement point can not be altered, as it can lead to unintentional changes to the policy application.
@yanavlasov yanavlasov added bug triage Issue requires triage area/ext_authz and removed triage Issue requires triage labels Aug 6, 2024
@yanavlasov
Copy link
Contributor Author

Adding @konstantin-baidin-y42 as PR author

@konstantin-baidin-y42
Copy link
Contributor

I think there is a confusion. The old behavior was to treat all gRPC errors as "access denied", so fail-open setting was broken because codes like "unavailable" and internal error were considered as "access denied".

The key change of my PR is here https://github.com/envoyproxy/envoy/pull/34951/files#diff-c21d3f52d2ab9b9b72049be64abc353ac630adfd5729d376d7f32e6ba5897e76L117

You can see, that the old behaviour was to consider any non-OK response as "access denied". So my PR does the opposite of what you say.

@konstantin-baidin-y42
Copy link
Contributor

the old behavior where only PERMISSION_DENIED and UNAUTHENTICATED are considered as access denied responses

This is literally the new behaviour, not the old one.

@yanavlasov yanavlasov mentioned this issue Aug 8, 2024
Merged
@yanavlasov yanavlasov changed the title ext_authz should not treat all gRPC errors as "access denied" ext_authz should not change the default admittance behavior Aug 8, 2024
@yanavlasov
Copy link
Contributor Author

@konstantin-baidin-y42 you are correct. I have misdiagnosed our internal problem. However the Issue still stands. I have updated the description to correctly describe the problem.

@yanavlasov
Copy link
Contributor Author

I have been too hasty in filing this Issue as it is a security problem and it is older than 7 days allowed by the policy. We are treating it as a 0-day on main branch, with rollback and announcement.

asingh-g pushed a commit to asingh-g/envoy that referenced this issue Aug 20, 2024
@yanavlasov @asingh-g
Revert "external authz: Interpret error grpc codes of the external au…
ec960e2 
…thz server as failure to fix failure_mode_allowed feature (envoyproxy#34951)" (envoyproxy#35637)

Fixes envoyproxy#35610
Fixes commit envoyproxy#34951

Signed-off-by: Yan Avlasov <[email protected]>
Signed-off-by: asingh-g <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/ext_authz bug
Projects
None yet
Milestone
No milestone
2 participants
@yanavlasov @konstantin-baidin-y42