PerRouteConfig of JWT with requirement_map can't clear cache #34111

Open
YvesZHI opened this issue May 13, 2024 · 1 comment
Comments

YvesZHI commented May 13, 2024

I'm trying to make Envoy route requests based on a JWT. The JWT payload contains a key-value pair: "role": "user" or "role": "grayUser".

The route rule is

if role == user
    goto endpointA
else if role == grayUser
    goto endpointB

Here is my config of Envoy:

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address:
        address: 0.0.0.0
        port_value: 18000
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          http_filters:
          - name: envoy.filters.http.jwt_authn
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
              providers:
                sso_jwt_provider:
                  local_jwks:
                    filename: /conf/envoy/jwks.json
                  from_headers:
                  - name: X-Authorization
                  payload_in_metadata: jwt_payload
                  clear_route_cache: true    ######## NOT working with PerRouteConfig of JWT???
              rules:
              - match:
                  prefix: /
                requires:
                  provider_name: sso_jwt_provider
#              requirement_map:
#                general: {provider_name: sso_jwt_provider}
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: exception_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                  dynamic_metadata:
                  - filter: envoy.filters.http.jwt_authn
                    path:
                    - key: jwt_payload
                    - key: role
                    value:
                      string_match:
                        exact: "loginUser"
                route:
                  cluster: service_addmachine
                  timeout: 5s
                  metadata_match:
                    filter_metadata:
                      envoy.lb:
                        canary: 0
#                typed_per_filter_config:
#                  envoy.filters.http.jwt_authn:
#                    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig
#                    "requirement_name": general
              - match:
                  prefix: "/"
                  dynamic_metadata:
                  - filter: envoy.filters.http.jwt_authn
                    path:
                    - key: jwt_payload
                    - key: role
                    value:
                      string_match:
                        exact: "grayLoginUser"
                route:
                  cluster: service_addmachine
                  timeout: 5s
                  metadata_match:
                    filter_metadata:
                      envoy.lb:
                        canary: 1
#                typed_per_filter_config:
#                  envoy.filters.http.jwt_authn:
#                    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig
#                    "requirement_name": general
  clusters:
  - name: service_addmachine
    connect_timeout: 30s
    type: STATIC
    lb_policy: ROUND_ROBIN
    load_assignment:
      cluster_name: service_addmachine
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 20000
          metadata:
            filter_metadata:
              envoy.lb:
                canary: 0
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 20001
          metadata:
            filter_metadata:
              envoy.lb:
                canary: 1

It works as expected. I could test it with the command curl -H 'X-Authorization: xxx' 'http://127.0.0.1:18000'.

However, if I use the per-route config of JWT, I get the NR error, which means "no route found".

    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          http_filters:
          - name: envoy.filters.http.jwt_authn
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
              providers:
                sso_jwt_provider:
                  local_jwks:
                    filename: /conf/envoy/jwks.json
                  from_headers:
                  - name: X-Authorization
                  payload_in_metadata: jwt_payload
                  clear_route_cache: true
#            rules:
#            - match:
#                 prefix: /
#               requires:
#                  provider_name: sso_jwt_provider
              requirement_map:
                general: {provider_name: sso_jwt_provider}
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
          route_config:
            name: local_route
            virtual_hosts:
            - name: exception_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                  dynamic_metadata:
                  - filter: envoy.filters.http.jwt_authn
                    path:
                    - key: jwt_payload
                    - key: role
                    value:
                      string_match:
                        exact: "loginUser"
                route:
                  cluster: service_addmachine
                  timeout: 5s
                  metadata_match:
                    filter_metadata:
                      envoy.lb:
                        canary: 0
                typed_per_filter_config:
                  envoy.filters.http.jwt_authn:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig
                    "requirement_name": general
              - match:
                  prefix: "/"
                  dynamic_metadata:
                  - filter: envoy.filters.http.jwt_authn
                    path:
                    - key: jwt_payload
                    - key: role
                    value:
                      string_match:
                        exact: "grayLoginUser"
                route:
                  cluster: service_addmachine
                  timeout: 5s
                  metadata_match:
                    filter_metadata:
                      envoy.lb:
                        canary: 1
                typed_per_filter_config:
                  envoy.filters.http.jwt_authn:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.PerRouteConfig
                    "requirement_name": general

As you can see, I commented out the rules part under JWT and uncommented the requirement_map and all of the typed_per_filter_config entries under the route_config.

After reading this issue: #19910, I'm wondering whether this is a bug with clear_route_cache.

@YvesZHI YvesZHI added the triage Issue requires triage label May 13, 2024
@ravenblackx ravenblackx added area/jwt_authn and removed triage Issue requires triage labels May 13, 2024
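The difference between the two configurations above comes down to the order in which the filter resolves its requirement, verifies the token, writes the payload into dynamic metadata, and clears the route cache. The following is an added, simplified model of that ordering (not Envoy source and not the reporter's config); it assumes, as the jwt_authn documentation describes, that a per-route requirement is looked up on the route that has already been matched, that the global rules are the fallback when no per-route config is found, and that the route cache is cleared only after a successful verification. The token format and the route matcher are constructed stand-ins for the JWKS check and the dynamic_metadata matcher on the page.

```python
"""Toy model of jwt_authn's decision order for the two configs in this issue.

Added illustration, not Envoy code. Assumptions (labelled):
  * a "token" is the constructed string "<provider>:<role>" instead of a real JWT
  * the route matcher only looks at jwt_payload.role, like the dynamic_metadata
    matcher in the issue, and there is no fallback route
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PROVIDER = "sso_jwt_provider"


@dataclass
class Route:
    required_role: str                       # exact match on jwt_payload.role
    canary: int                              # envoy.lb metadata_match target
    requirement_name: Optional[str] = None   # typed_per_filter_config, if any


@dataclass
class JwtFilterConfig:
    rules_provider: Optional[str] = None      # global `rules: requires: provider_name`
    requirement_map: Dict[str, str] = field(default_factory=dict)  # name -> provider
    clear_route_cache: bool = True


def verify_token(token: str, provider: str) -> Optional[dict]:
    """Constructed stand-in for JWKS verification: returns the payload or None."""
    prefix = provider + ":"
    if token.startswith(prefix) and len(token) > len(prefix):
        return {"role": token[len(prefix):]}
    return None


def match_route(routes: List[Route], metadata: dict) -> Optional[Route]:
    """Mimics the dynamic_metadata matcher: path jwt_authn -> jwt_payload -> role."""
    role = metadata.get("envoy.filters.http.jwt_authn", {}).get("jwt_payload", {}).get("role")
    for route in routes:
        if role is not None and role == route.required_role:
            return route
    return None


def decode_headers(cfg: JwtFilterConfig, routes: List[Route], token: str) -> str:
    """Returns "canary=N" (routed), "401" (verification failed) or "NR" (no route)."""
    metadata: dict = {}
    # 1. The route is resolved before the filter has written any metadata.
    route = match_route(routes, metadata)

    # 2. Requirement lookup: per-route config first, global rules as fallback.
    provider = None
    if route is not None and route.requirement_name is not None:
        provider = cfg.requirement_map[route.requirement_name]
    elif cfg.rules_provider is not None:
        provider = cfg.rules_provider
    if provider is None:
        # No requirement resolved: the model continues without verifying.
        return f"canary={route.canary}" if route else "NR"

    # 3. Verify, then publish the payload as dynamic metadata.
    payload = verify_token(token, provider)
    if payload is None:
        return "401"
    metadata["envoy.filters.http.jwt_authn"] = {"jwt_payload": payload}

    # 4. clear_route_cache forces a fresh match that can now see the payload.
    if cfg.clear_route_cache:
        route = match_route(routes, metadata)
    return f"canary={route.canary}" if route else "NR"


# First config on the page: global rules, no per-route config.
RULES_CFG = JwtFilterConfig(rules_provider=PROVIDER)
RULES_ROUTES = [Route("loginUser", 0), Route("grayLoginUser", 1)]

# Second config on the page: requirement_map plus typed_per_filter_config.
PER_ROUTE_CFG = JwtFilterConfig(requirement_map={"general": PROVIDER})
PER_ROUTE_ROUTES = [Route("loginUser", 0, "general"), Route("grayLoginUser", 1, "general")]

if __name__ == "__main__":
    for name, cfg, routes in (("rules", RULES_CFG, RULES_ROUTES),
                              ("per-route", PER_ROUTE_CFG, PER_ROUTE_ROUTES)):
        for tok in (f"{PROVIDER}:loginUser", f"{PROVIDER}:grayLoginUser", "garbage"):
            print(f"{name:9} {tok:32} -> {decode_headers(cfg, routes, tok)}")
```

In the model, the per-route variant never reaches verification: the only routes carrying a requirement_name are matched on metadata that the filter has not produced yet, so no requirement is found, nothing is verified, the cache is never cleared, and the router sees no route (NR). Note the check a practitioner would want here: in this ordering the result is NR rather than 401 even for a garbage token, so "no route" should not be read as "token rejected".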
@ravenblackx
Contributor

@TAOXUY ?
