-
Notifications
You must be signed in to change notification settings - Fork 4.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ext_authz: support response headers on OK authorization checks #14514
Conversation
Signed-off-by: John Esmet <john.esmet@gmail.com>
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
I'm pulling this out of draft to start getting feedback. I still need to take a pass at the docs and see if/how we can document this feature. |
/lgtm api |
…-on-success Signed-off-by: John Esmet <john.esmet@gmail.com>
@dio CI is green and this is now ready for your critical review, if you don't mind :) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall LGTM. Some notes and requesting integration test if possible.
@@ -70,6 +70,7 @@ New Features | |||
* config: added ability to flush stats when the admin's :ref:`/stats endpoint <operations_admin_interface_stats>` is hit instead of on a timer via :ref:`stats_flush_on_admin <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.stats_flush_on_admin>`. | |||
* config: added new runtime feature `envoy.features.enable_all_deprecated_features` that allows the use of all deprecated features. | |||
* crash support: added the ability to dump L4 connection data on crash. | |||
* ext_authz: added :ref:`response_headers_to_add <envoy_v3_api_field_service.auth.v3.OkHttpResponse.response_headers_to_add>` to support sending response headers to downstream clients on OK external authorization checks. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
While it is in the same spirit, seems like we have two changes here, for gRPC and HTTP implementation. I'm OK to have this in the same PR. For completeness, we need integration tests, since it involves response from the "external service". WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll add another changelog line to capture both the HTTP and gRPC service changes.
I'll look into what it'll take to add an integration test 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I took a look and there seems to be an established precedent that other similar features (e.g. allowed_client_headers for HTTP, request_headers_to_add for gRPC, and others) are tested using unit tests and appropriate mocks. I think that if unit tests are OK for those features, they should be good for this one as well. Do you agree?
Having said that, I don't think there are any integration tests for ext_authz (or if there are, I can't find them) so maybe I should look into following up with some work to add those tests down the road. Maybe I'll look at the coverage report to decide if that's worth it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we need to have an integration test to make sure that, for gRPC implementation, when we do sendExtAuthzResponse
(this is done by the authorization service) with this response_headers_to_add
set, the downstream client receives it.
The same applies to the HTTP one, waitForExtAuthzRequest
should provide response header entries that are allowed to be forwarded, and are inserted to response_->headers()
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok I'll give that a try
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I now see the integration test for ext_authz - don't know how I missed that before.
…n-success Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
…n-success Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
…success Signed-off-by: John Esmet <john.esmet@gmail.com>
…n-success Signed-off-by: John Esmet <john.esmet@gmail.com>
…success Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
I added an integration test. Please take a look and let me know what you think. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome. Thank you!
@@ -626,6 +640,38 @@ TEST_P(ExtAuthzGrpcIntegrationTest, DenyAtDisableWithMetadata) { | |||
expectFilterDisableCheck(/*deny_at_disable=*/true, /*disable_with_metadata=*/true, "403"); | |||
} | |||
|
|||
TEST_P(ExtAuthzGrpcIntegrationTest, DownstreamHeadersOnSuccess) { | |||
XDS_DEPRECATED_FEATURE_TEST_SKIP; | |||
// Set up ext_authz filter |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Super nit: Some comment lines missing "." at the end.
const auto expected_headers = TestCommon::makeHeaderValueOption( | ||
{{":status", "200", false}, {"x-downstream-ok", "1", false}, {"x-upstream-ok", "1", false}}); | ||
const auto authz_response = TestCommon::makeAuthzResponse( | ||
CheckStatus::OK, Http::Code::OK, "", TestCommon::makeHeaderValueOption({}), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nit. EMPTY_STRING
Signed-off-by: John Esmet <john.esmet@gmail.com>
…n-success Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
/retest |
Retrying Azure Pipelines: |
…proxy#14514) Support adding response headers on OK authorization checks from ext_authz Commit Message: ext_authz: support response headers on OK authorization checks Additional Description: Risk Level: low (opt-in feature, does nothing by default) Testing: Added code to existing unit tests Docs Changes: API protos documented Release Notes: ext_authz: added :ref:`response_headers_to_add <envoy_v3_api_field_service.auth.v3.OkHttpResponse.response_headers_to_add>` to support sending response headers to downstream clients on OK external authorization checks. Platform Specific Features: Fixes envoyproxy#7986 Signed-off-by: John Esmet <john.esmet@gmail.com>
…proxy#14514) Support adding response headers on OK authorization checks from ext_authz Commit Message: ext_authz: support response headers on OK authorization checks Additional Description: Risk Level: low (opt-in feature, does nothing by default) Testing: Added code to existing unit tests Docs Changes: API protos documented Release Notes: ext_authz: added :ref:`response_headers_to_add <envoy_v3_api_field_service.auth.v3.OkHttpResponse.response_headers_to_add>` to support sending response headers to downstream clients on OK external authorization checks. Platform Specific Features: Fixes envoyproxy#7986 Signed-off-by: John Esmet <john.esmet@gmail.com>
…proxy#14514) Support adding response headers on OK authorization checks from ext_authz Commit Message: ext_authz: support response headers on OK authorization checks Additional Description: Risk Level: low (opt-in feature, does nothing by default) Testing: Added code to existing unit tests Docs Changes: API protos documented Release Notes: ext_authz: added :ref:`response_headers_to_add <envoy_v3_api_field_service.auth.v3.OkHttpResponse.response_headers_to_add>` to support sending response headers to downstream clients on OK external authorization checks. Platform Specific Features: Fixes envoyproxy#7986 Signed-off-by: John Esmet <john.esmet@gmail.com>
Support adding response headers on OK authorization checks from ext_authz
Commit Message: ext_authz: support response headers on OK authorization checks
Additional Description:
Risk Level: low (opt-in feature, does nothing by default)
Testing: Added code to existing unit tests
Docs Changes: API protos documented
Release Notes: ext_authz: added :ref:
response_headers_to_add <envoy_v3_api_field_service.auth.v3.OkHttpResponse.response_headers_to_add>
to support sending response headers to downstream clients on OK external authorization checks.Platform Specific Features:
Fixes #7986