ext_authz: allow headers propagation when allow_debugging_failures is set #24845
Conversation
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
agrawroh
force-pushed
the
extauthz-error-allow-headers
branch
2 times, most recently
from
7e6168e
to
f5fc138
Compare
|
/retest |
|
cc @mattklein123 for API change and quick review to this design. |
agrawroh
force-pushed
the
extauthz-error-allow-headers
branch
from
f5fc138
to
6021b8d
Compare
Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
agrawroh
force-pushed
the
extauthz-error-allow-headers
branch
from
6021b8d
to
6ccd206
Compare
| // | ||
| // 2. When set to false, the filter would return a 403 or `status_on_error` (if set) and would | ||
| // not propagate any response body or headers back to the client. This is the default behavior. | ||
| bool allow_debugging_failures = 18; |
There was a problem hiding this comment.
I think I would name this propagate_response_on_failure ?
Also, is this feature HTTP specific as it seems to pivot on 5xx? Should this actually be part of the HttpService object vs. global?
There was a problem hiding this comment.
What about adding a field analogous to allowed_headers for allowed_response_headers?
There was a problem hiding this comment.
Also, is this feature HTTP specific as it seems to pivot on 5xx? Should this actually be part of the HttpService object vs. global?
Sounds reasonable.
There was a problem hiding this comment.
Thanks, @mattklein123. That sounds reasonable to me as well.
@ggreenway Sorry, I'm not able to understand the intention behind adding allowed_response_header. Is the idea to limit what could be propagated back to the client when there are failures? We expose two lists allowed_client_headers and allowed_upstream_headers today which serves similar purpose.
Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
Signed-off-by: Rohit Agrawal <rohit.agrawal@databricks.com>
agrawroh
requested review from
mattklein123 and
wbpcode
and removed request for
ggreenway,
mattklein123 and
wbpcode
| @@ -114,6 +114,9 @@ ClientConfig::ClientConfig(const envoy::extensions::filters::http::ext_authz::v3 | |||
| config.http_service().authorization_response().allowed_upstream_headers())), | |||
| upstream_header_to_append_matchers_(toUpstreamMatchers( | |||
| config.http_service().authorization_response().allowed_upstream_headers_to_append())), | |||
| propagate_response_on_failure_(config.has_http_service() | |||
There was a problem hiding this comment.
Nit: Since the default is false you don't need the has check. You can just directly get the value from the default http_service() object.
| @@ -250,6 +250,16 @@ message HttpService { | |||
|
|
|||
| // Settings used for controlling authorization response metadata. | |||
| AuthorizationResponse authorization_response = 8; | |||
|
|
|||
| // This changes the filter's behaviour on errors: | |||
There was a problem hiding this comment.
The code appears to only do this for 5xx. Can you clarify this? Is there any reason not to do this for 4xx also? This seems generally useful as well?
| propagate_response_on_failure_(config.has_http_service() | ||
| ? config.http_service().propagate_response_on_failure() | ||
| : false), |
| // Verify that when a call to authorization server returns a 5xx and `propagate_response_on_failure` | ||
| // is set then we preserve the original status code, headers, etc. |
There was a problem hiding this comment.
Please add an integration test for this.
| decoder_callbacks_->sendLocalReply( | ||
| config_->statusOnError(), EMPTY_STRING, nullptr, absl::nullopt, | ||
| Filters::Common::ExtAuthz::ResponseCodeDetails::get().AuthzError); | ||
| if (config_->propagateResponseOnFailure()) { |
There was a problem hiding this comment.
It seems odd to me that this logic is split across multiple files and that there is additional logic here for things like stats. Why do we additionally increment stats here? Also, if the header processing is done in the other file can't this file just stay a unified path?
|
/retest |
|
Retrying Azure Pipelines: |
|
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
github-actions
bot
added
the
stale
|
This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
Background
Currently, the
ext_authzfilter [Link] doesn't propagate the headers sent from the upstream service back to the client in case of errors. These errors could be useful for debugging purposes. (See #14001)Changes
This PR adds a new boolean field called
allow_debugging_failuresinext_authzfilter which could be used to control whether or not to propagate the response headers received from the upstream service in case of 5XX errors. It's defaulted tofalseto maintain the current behavior.Commit Message: Allow upstream headers propagation when
allow_debugging_failuresis set for ext_authz filter.Additional Description: Adds a boolean field in ext_authz filter to control whether or not the response headers received from upstream should be propagated back to the client in case of errors.
Risk Level: Low
Testing: Unit Tests
Docs Changes: Added description of this new field in the docs.
Release Notes: Added
Platform Specific Features: N/A
Signed-off-by: Rohit Agrawal rohit.agrawal@databricks.com