rbac: add uri_template for path matching #31447
Conversation
|
Hi @kozjan, welcome and thank you for your contribution. We will try to review your Pull Request as quickly as possible. In the meantime, please take a look at the contribution guidelines if you have not done so already. |
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
api/envoy/config/rbac/v3/rbac.proto
Outdated
| @@ -358,6 +362,9 @@ message Principal { | |||
| // Identifies the principal using a filter state object. | |||
| type.matcher.v3.FilterStateMatcher filter_state = 12; | |||
|
|
|||
| // Glob URL path matching. | |||
| envoy.extensions.path.match.uri_template.v3.UriTemplateMatchConfig glob_path = 13; | |||
There was a problem hiding this comment.
@envoyproxy/api-shepherds I'm wondering if type.matcher.v3.PathMatcher should include
?There was a problem hiding this comment.
I.e. allow URI template matcher to be plugged in. In any case, we should not be referencing the extension config directly here and instead should have something like
if we don't end up putting it inside PathMatcher.There was a problem hiding this comment.
hey, I'm going on holiday so I will rework it once I'm back, probably next year
|
/wait |
api/envoy/config/rbac/v3/rbac.proto
Outdated
|
|
||
| // Glob URL path matching. | ||
| // [#extension-category: envoy.rbac.matchers] | ||
| core.v3.TypedExtensionConfig glob_path = 13; |
There was a problem hiding this comment.
I don't think i like naming this glob_path given that it possible covers more features than just globbing, that's why it's actually called uri_template 🤔
There was a problem hiding this comment.
I will replace glob everywhere with uri_template.
|
I tried to push with prepush hooks, but shellcheck doesn't work on Mac i guess: so i fixed everything that was before the shellcheck, but i'm not sure if that's all |
|
don't really see why some checks failed, envoy/prechecks build result look fine yet it failed, and in envoy/windows do not see any specific errors, so running a retest |
repokitteh-read-only
bot
added
the
deps
|
CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to |
api/envoy/config/rbac/v3/rbac.proto
Outdated
| @@ -270,6 +270,10 @@ message Permission { | |||
| // Extension for configuring custom matchers for RBAC. | |||
| // [#extension-category: envoy.rbac.matchers] | |||
| core.v3.TypedExtensionConfig matcher = 12; | |||
|
|
|||
| // URI template path matching. | |||
| // [#extension-category: envoy.rbac.uri_template] | |||
There was a problem hiding this comment.
| // [#extension-category: envoy.rbac.uri_template] | |
| // [#extension-category: envoy.path.match] |
bazel/repository_locations.bzl
Outdated
| @@ -1247,6 +1248,7 @@ REPOSITORY_LOCATIONS_SPEC = dict( | |||
| "envoy.filters.network.wasm", | |||
| "envoy.stat_sinks.wasm", | |||
| "envoy.rbac.matchers.upstream_ip_port", | |||
| "envoy.rbac.uri_template.uri_template_matcher", | |||
There was a problem hiding this comment.
I added it because of an error message in Envoy/Prechecks :
Dependency validation failed, please check metadata in bazel/repository_locations.bzl
Extension envoy.rbac.matchers.uri_template depends on com_github_google_flatbuffers but com_github_google_flatbuffers does not list envoy.rbac.matchers.uri_template in its allowlist
However, it seems to me as if the checks are bugged and checkout older code, because when I run it locally I don't get this error know - I think envoy.rbac.matchers.uri_template value comes from source/extensions/extensions_build_config.bzl
| # RBAC URI template matcher | ||
| # | ||
|
|
||
| "envoy.rbac.uri_template.uri_template_matcher": "//source/extensions/filters/common/rbac/uri_template:uri_template_lib", |
There was a problem hiding this comment.
There's no need to declare a new matcher here, we can use the existing URI template path matcher extension?
There was a problem hiding this comment.
If I understand correctly, this is necessary if I want to use a different factory for rbac, the one that was originally implemented with URI template path matcher returns absl::StatusOr<Router::PathMatcherSharedPtr>, while the type needed in RBAC is MatcherConstSharedPtr
would it be better to use the same factory, but then wrap the PathMatcherSharedPtr into MatcherConstSharedPtr?
| @@ -194,7 +194,7 @@ message Policy { | |||
| } | |||
|
|
|||
| // Permission defines an action (or actions) that a principal can take. | |||
| // [#next-free-field: 13] | |||
There was a problem hiding this comment.
LGTM, can you add an entry to https://www.envoyproxy.io/docs/envoy/latest/version_history/v1.30/v1.30.0? Thanks.
There was a problem hiding this comment.
done, also made some small changes to tests and unnecessary null check, since it works the same either way
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com> Signed-off-by: kozjan <jan.kozlowski@allegro.com> Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com> Signed-off-by: kozjan <jan.kozlowski@allegro.com> Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
This reverts commit 1db41e8. Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
kozjan
force-pushed
the
rbac-glob-matching
branch
from
5fbfeca
to
cf19a2f
Compare
kozjan
changed the title
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
kozjan
force-pushed
the
rbac-glob-matching
branch
from
881fadb
to
5d71299
Compare
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
kozjan
force-pushed
the
rbac-glob-matching
branch
from
5d71299
to
e673421
Compare
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
|
/retest |
|
don't know what to do with Envoy/Windows: https://github.com/envoyproxy/envoy/actions/runs/7651824181/job/20850377753#step:8:21416 |
its a backend (RBE) issue - its known but infrequent generally, and not obvious why its happening ive kicked the CI again |
|
@kozjan i think its failing because your branch is far behind can you merge |
|
hmm - the more i think about it the more im wondering why that would matter - and it looks like you have merged main relatively recently - and also it was passing previously a bit of a mystery tbh - this is now failing every time, i think we may have some misbehaving backend auth server cc @adisuissa |
|
/retest |
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
|
hey, it passed today - do I have to contact someone for the second review? |
Signed-off-by: kozjan <138656232+kozjan@users.noreply.github.com>
Signed-off-by: jan.kozlowski <jan.kozlowski@allegro.com>
Commit Message: rbac: add uri_template for path matching
Additional Description: Added
uri_templatewithenvoy.path.matchextension category to allow matching with URI templates in RBAC.Risk Level: low
Testing: unit, integration
Docs Changes: N/A
Release Notes: N/A
Platform Specific Features: N/A
Fixes #30724