ext_authz: Allow to emit dynamic metadata #11820
Conversation
This patch enables ext_authz backed with gRPC service to emit metadata. The authorization can set the dynamic metadata (an opaque google.protobuf.Struct) as part of the `CheckResponse` when it is successful (i.e. when `http_response` is `OkHttpResponse`). Signed-off-by: Dhi Aurrahman <[email protected]>
|
cc. @erikbos |
|
/azp run envoy-presubmit |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Signed-off-by: Dhi Aurrahman <[email protected]>
| @@ -69,6 +70,9 @@ message OkHttpResponse { | |||
| // by Leaving `append` as false, the filter will either add a new header, or override an existing | |||
| // one if there is a match. | |||
| repeated config.core.v3.HeaderValueOption headers = 2; | |||
|
|
|||
| // Optional response metadata that will be emitted as dynamic metadata. | |||
There was a problem hiding this comment.
Which part of the dynamic metadata keyspace does this live?
There was a problem hiding this comment.
If I catch your question correctly: for HTTP filter, HttpFilterNames::get().ExtAuthorization (envoy.filters.http.ext_authz) while for the network one: NetworkFilterNames::get().ExtAuthorization (envoy.filters.network.ext_authz)
There was a problem hiding this comment.
I think we should document these namespaces in the proto where the emit_dynamic_metadata can be enabled. And perhaps refer to those configs here?
There was a problem hiding this comment.
Yeah, can we spell this out explicitly in the docs? Thanks. Otherwise LGTM for API.
|
|
||
| // A set of metadata returned by the authorization server, that will be emitted as filter's | ||
| // dynamic metadata that other filters can leverage. | ||
| ProtobufWkt::Struct dynamic_metadata{}; |
There was a problem hiding this comment.
Yeah. I was lazy to explicitly initialize some Response objects in source/extensions/filters/common/ext_authz/ext_authz_http_impl.cc.
| @@ -51,4 +51,7 @@ message ExtAuthz { | |||
| // version of Check{Request,Response} used on the wire. | |||
| config.core.v3.ApiVersion transport_api_version = 5 | |||
| [(validate.rules).enum = {defined_only: true}]; | |||
|
|
|||
| // Flag to specify whether dynamic metadata should be emitted. Defaults to false. | |||
There was a problem hiding this comment.
Do we really need this flag? What is the use case that you want configure this to false when an ext_authz server is returning metadata?
There was a problem hiding this comment.
When there is no subsequent filter to actually consume the metadata (i.e. when ext_authz is the sole gatekeeper).
There was a problem hiding this comment.
Then shouldn't the ext_authz server just be configured to not return metadata? (which also avoid the metadata on the wire for efficiency)
There was a problem hiding this comment.
That’s a fair observation. I will remove this field and update the docs then. Thanks for the input!
Signed-off-by: Dhi Aurrahman <[email protected]>
Signed-off-by: Dhi Aurrahman <[email protected]>
Signed-off-by: Dhi Aurrahman <[email protected]>
|
/azp run envoy-presubmit |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
/azp run envoy-presubmit |
|
Azure Pipelines successfully started running 1 pipeline(s). |
Signed-off-by: Dhi Aurrahman <[email protected]>
Signed-off-by: Dhi Aurrahman <[email protected]>
Signed-off-by: Dhi Aurrahman <[email protected]>
|
/azp run envoy-presubmit |
|
Azure Pipelines successfully started running 1 pipeline(s). |
|
@lizan, sorry, do I still need to introduce more fixes in this PR? Thanks! |
This patch enables ext_authz backed with gRPC service to emit metadata. The authorization can set the dynamic metadata (an opaque google.protobuf.Struct) as part of the `CheckResponse` when it is successful (i.e. when `http_response` is `OkHttpResponse`). Signed-off-by: Dhi Aurrahman <[email protected]> Signed-off-by: Kevin Baichoo <[email protected]>
This patch enables ext_authz backed with gRPC service to emit metadata. The authorization can set the dynamic metadata (an opaque google.protobuf.Struct) as part of the `CheckResponse` when it is successful (i.e. when `http_response` is `OkHttpResponse`). Signed-off-by: Dhi Aurrahman <[email protected]> Signed-off-by: scheler <[email protected]>
|
@dio : Thanks for adding Dynamic Metadata in ext_auth response , but its still not available in |
|
The current latest release of go-control-plane, 0.9.6, does not yet include the proto & structs definitions for this. You'll will have to use go-control-plane |
|
Thanks much @erikbos , It worked . |
Commit Message:
This patch enables ext_authz backed with gRPC service to emit metadata. The gRPC authorization server can set the dynamic metadata (an opaque
google.protobuf.Struct) as part of theCheckResponsewhen it is successful (i.e. whenhttp_responseisOkHttpResponse).Risk Level: Low
Testing: Unit.
Docs Changes: Added.
Release Notes: Added.
Fixes #9049
Signed-off-by: Dhi Aurrahman [email protected]