rbac: add uri_template for path matching #31447
Hi @kozjan, welcome and thank you for your contribution. We will try to review your Pull Request as quickly as possible. In the meantime, please take a look at the contribution guidelines if you have not done so already.
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
api/envoy/config/rbac/v3/rbac.proto
@@ -358,6 +362,9 @@ message Principal { | |||
// Identifies the principal using a filter state object. | |||
type.matcher.v3.FilterStateMatcher filter_state = 12; | |||
|
|||
// Glob URL path matching. | |||
envoy.extensions.path.match.uri_template.v3.UriTemplateMatchConfig glob_path = 13; |
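Review bot: on the new `glob_path = 13` field the name and comment say "glob" while the type is `UriTemplateMatchConfig`, so a policy author cannot tell from the API which syntax applies. In an authorization rule that ambiguity turns into rules that match more or fewer paths than intended; name the field after the matcher it carries and have the comment say which syntax is accepted and whether the query string takes part in the match.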
@envoyproxy/api-shepherds I'm wondering if type.matcher.v3.PathMatcher should include
// [#extension-category: envoy.path.match]
I.e. allow URI template matcher to be plugged in. In any case, we should not be referencing the extension config directly here and instead should have something like
// [#extension-category: envoy.path.match]
hey, I'm going on holiday so I will rework it once I'm back, probably next year
/wait
api/envoy/config/rbac/v3/rbac.proto
|
||
// Glob URL path matching. | ||
// [#extension-category: envoy.rbac.matchers] | ||
core.v3.TypedExtensionConfig glob_path = 13; |
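Review bot: the `[#extension-category: envoy.rbac.matchers]` annotation on `glob_path` admits any RBAC matcher extension into a field whose comment promises path matching. Use a category that only path matchers register under, and have the comment name the expected `typed_config` type so a misplaced extension is caught in review or validation instead of being evaluated as a path rule.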
I don't think I like naming this glob_path, given that it possibly covers more features than just globbing; that's why it's actually called uri_template 🤔
I will replace glob everywhere with uri_template.
done
I tried to push with prepush hooks, but shellcheck doesn't work on Mac I guess:
so I fixed everything that was before the shellcheck, but I'm not sure if that's all
don't really see why some checks failed, envoy/prechecks build result looks fine yet it failed, and in envoy/windows do not see any specific errors, so running a retest
CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to |
api/envoy/config/rbac/v3/rbac.proto
@@ -270,6 +270,10 @@ message Permission { | |||
// Extension for configuring custom matchers for RBAC. | |||
// [#extension-category: envoy.rbac.matchers] | |||
core.v3.TypedExtensionConfig matcher = 12; | |||
|
|||
// URI template path matching. | |||
// [#extension-category: envoy.rbac.uri_template] |
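Review bot: the comment "URI template path matching." above the new annotation does not say what the template is evaluated against. For a `Permission` the comment should state whether the match runs on the path with or without the query string and point to the template syntax, because operators will write allow rules from this text alone.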
Suggested change:
- // [#extension-category: envoy.rbac.uri_template]
+ // [#extension-category: envoy.path.match]
bazel/repository_locations.bzl
@@ -1247,6 +1248,7 @@ REPOSITORY_LOCATIONS_SPEC = dict( | |||
"envoy.filters.network.wasm", | |||
"envoy.stat_sinks.wasm", | |||
"envoy.rbac.matchers.upstream_ip_port", | |||
"envoy.rbac.uri_template.uri_template_matcher", |
I don't get why this is needed?
I added it because of an error message in Envoy/Prechecks:
Dependency validation failed, please check metadata in bazel/repository_locations.bzl
Extension envoy.rbac.matchers.uri_template depends on com_github_google_flatbuffers but com_github_google_flatbuffers does not list envoy.rbac.matchers.uri_template in its allowlist
However, it seems to me as if the checks are bugged and check out older code, because when I run it locally I don't get this error now - I think envoy.rbac.matchers.uri_template
value comes from source/extensions/extensions_build_config.bzl
# RBAC URI template matcher | ||
# | ||
|
||
"envoy.rbac.uri_template.uri_template_matcher": "//source/extensions/filters/common/rbac/uri_template:uri_template_lib", |
There's no need to declare a new matcher here, we can use the existing URI template path matcher extension?
If I understand correctly, this is necessary if I want to use a different factory for rbac, the one that was originally implemented with URI template path matcher returns absl::StatusOr<Router::PathMatcherSharedPtr>, while the type needed in RBAC is MatcherConstSharedPtr
would it be better to use the same factory, but then wrap the PathMatcherSharedPtr into MatcherConstSharedPtr?
@@ -194,7 +194,7 @@ message Policy { | |||
} | |||
|
|||
// Permission defines an action (or actions) that a principal can take. | |||
// [#next-free-field: 13] |
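Review bot: `[#next-free-field: 13]` on `Permission` has to agree with the field number the new matcher takes. With `matcher = 12` already present, a new field at 13 means the annotation should read 14; check both in the same commit, since a stale value invites a later field-number collision in a security policy message.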
LGTM, can you add an entry to https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.30/v1.30.0? Thanks.
done, also made some small changes to tests and unnecessary null check, since it works the same either way
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com> Signed-off-by: kozjan <jan.kozlowski@allegro.com> Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
This reverts commit 1db41e8. Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
/retest
don't know what to do with Envoy/Windows: https://github.com/envoyproxy/envoy/actions/runs/7651824181/job/20850377753#step:8:21416
it's a backend (RBE) issue - it's known but infrequent generally, and not obvious why it's happening. I've kicked the CI again
@kozjan I think it's failing because your branch is far behind, can you merge
hmm - the more I think about it the more I'm wondering why that would matter - and it looks like you have merged main relatively recently - and also it was passing previously. A bit of a mystery tbh - this is now failing every time, I think we may have some misbehaving backend auth server. cc @adisuissa
LGTM for when CI passes.
/retest
hey, it passed today - do I have to contact someone for the second review?
Commit Message: rbac: add uri_template for path matching
Additional Description: Added uri_template with envoy.path.match extension category to allow matching with URI templates in RBAC.
Risk Level: low
Testing: unit, integration
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features: N/A
Fixes #30724
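
A constructed example, not part of the PR: an RBAC HTTP filter policy that uses the `uri_template` permission described above. The policy name, path template and principal are made up, and the extension name `envoy.path.match.uri_template.uri_template_matcher` and the `path_template` field are assumed from Envoy's existing URI template path matcher.

```yaml
# Constructed example (not from the PR): allow GET on one templated path.
name: envoy.filters.http.rbac
typed_config:
  "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
  rules:
    action: ALLOW
    policies:
      "orders-read":                      # hypothetical policy name
        permissions:
        - and_rules:
            rules:
            - header:
                name: ":method"
                string_match:
                  exact: GET
            - uri_template:
                # Assumed extension name, registered under envoy.path.match.
                name: envoy.path.match.uri_template.uri_template_matcher
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.path.match.uri_template.v3.UriTemplateMatchConfig
                  # Each "*" stands for exactly one path segment, so
                  # /api/v1/customers/42/orders/7 matches and
                  # /api/v1/customers/42/orders/7/refund does not.
                  path_template: "/api/v1/customers/*/orders/*"
        principals:
        - authenticated:
            principal_name:
              exact: "spiffe://example.test/ns/shop/sa/orders-reader"   # constructed identity
# Pair path-based rules with normalize_path on the HTTP connection manager
# so that dotted or doubly-slashed paths are compared in canonical form.
```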