Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support per route config for basic auth http filter #32550

Closed
fgouteroux opened this issue Feb 23, 2024 · 5 comments · Fixed by #33335
Closed

Support per route config for basic auth http filter #32550

fgouteroux opened this issue Feb 23, 2024 · 5 comments · Fixed by #33335
Labels
area/basic_auth help wanted Needs help!

Comments

@fgouteroux
Copy link

fgouteroux commented Feb 23, 2024
edited

Hi,

I would ask for an update of the basic auth http filter (#30079) to support per route config.

The use case is the following, I need to disable the basic auth filter in some routes and to allow differents source of users.

Maybe something like:

routes config

routes:
# route  with basic auth users
- match: { prefix: "/users" }
  route: { cluster: my-cluster }
  typed_per_filter_config:
    envoy.filters.http.basic_auth:
      "@type": type.googleapis.com/envoy.extensions.filters.http.basic_auth.v3.BasicAuthPerRoute
      name: users.htpasswd

# route with basic auth admins
- match: { prefix: "/admins" }
  route: { cluster: my-cluster }
  typed_per_filter_config:
    envoy.filters.http.basic_auth:
      "@type": type.googleapis.com/envoy.extensions.filters.http.basic_auth.v3.BasicAuthPerRoute
      name: admins.htpasswd

# route with no basic auth
- match: { prefix: "/" }
  route: { cluster: my-cluster }
  typed_per_filter_config:
    envoy.filters.http.basic_auth:
      "@type": type.googleapis.com/envoy.extensions.filters.http.basic_auth.v3.BasicAuthPerRoute
      disabled: true

http filters config

http_filters:
- name: envoy.filters.http.basic_auth
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.basic_auth.v3.BasicAuth
    source_users:
      users.htpasswd
        filename: /etc/envoy/users.htpasswd
      admins.htpasswd
        filename: /etc/envoy/admins.htpasswd

cc @zhaohuabing
@fgouteroux fgouteroux added enhancement Feature requests. Not bugs or questions. triage Issue requires triage labels Feb 23, 2024
@mattklein123 mattklein123 added area/basic_auth help wanted Needs help! and removed enhancement Feature requests. Not bugs or questions. triage Issue requires triage labels Feb 27, 2024
@jewertow
Copy link
Contributor

I can try to implement this feature if you did not start yet.

@jewertow
Copy link
Contributor

JFYI: I make a progress, I will submit a PR soon.

@jewertow jewertow mentioned this issue Apr 4, 2024
Merged
@zhaohuabing
Copy link
Member

I realized that forward_username_header can't be set per route when applying this in Envoy Gateway. I would like to add it to the per-route config as well.

If this makes sense, I'm going to work on it.

WDYT? @wbpcode @jewertow

@jewertow
Copy link
Contributor

jewertow commented May 6, 2024

@zhaohuabing I didn't include that setting in per-route settings, because I wasn't sure if there is such a use case, but I do not see any reason to not support it in per-route filter.

@zhaohuabing
Copy link
Member

zhaohuabing commented May 6, 2024
edited

@jewertow I need this because I'm trying to implement per-route config for BasicAuth in the EG SecurityPolicy.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/basic_auth help wanted Needs help!
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

basic_auth: add support for per-route filter jewertow/envoy
4 participants
@zhaohuabing @fgouteroux @mattklein123 @jewertow