Add revised filter config for proxy_wasm authn filter #1536
Conversation
Shikugawa
requested review from
dcberg,
duderino,
linsun,
louiscryan,
rshriram and
smawson
as code owners
googlebot
added
the
cla: yes
istio-testing
added
the
size/M
|
cc. @yangminzhu |
| // Map from issuer to location of the payload that is emitted by Jwt filter. | ||
| // This information is added by pilot when construct and add Jwt and | ||
| // authN filters. | ||
| map<string, string> jwt_output_payload_locations = 3; |
There was a problem hiding this comment.
Should we place this on here?
|
@istio/wg-security-maintainers PTAL |
| @@ -0,0 +1,50 @@ | |||
| // Copyright 2020 Istio Authors | |||
There was a problem hiding this comment.
Sorry for the late reply, this get lost in my inbox :(
A high level comment, should we move this API to the proxy repo instead of putting it in the istio/api again? This is internal filter API and should not be in the istio/api (user-facing) repo in the first place, we could take this chance to clean it up.
There was a problem hiding this comment.
Yes, there is no benefit in having it in istio/api. You would need to manually generate pb.go files in istio/istio anyways and keep that in sync with proxy version.
| // trust domains. | ||
| // Note, the istio authn filter only validates the trust domain when mTLS is | ||
| // used, In other words, this field has no effect for plaintext traffic. | ||
| bool skip_validate_trust_domain = 4; |
There was a problem hiding this comment.
I think there is another change from @incfly for adding a list of strings for trust domain validation.
| // authentication policy on Envoy. | ||
| message FilterConfig { | ||
| // Filter configuration for RequestAuthentication, which supports Jwt authentication. | ||
| istio.security.v1beta1.RequestAuthentication request_authentication = 1; |
There was a problem hiding this comment.
is it possible to not to depend on istio/api? technically the internal filter config doesn't need to depend on the user-facing API, and the filter also probably have a simpler API?
just optional as we can always iterate on this part later.
There was a problem hiding this comment.
It is needed by istio/istio, hopefully we don't need to import istio/proxy?
There was a problem hiding this comment.
It would be very nice if the new authn filter doesn't depend on istio/api but has its own definition in istio/proxy. I think it's not very clear at this moment how would istio/istio depend on the filter API that is defined in istio/proxy, right? the authn filter seems to be the only case here?
There was a problem hiding this comment.
Maybe I am wrong actually. Istio currently will try to read config dumps/things configured through EnvoyFilter, so if those are in use we need to import it. If this is some opaque blob for WASM or something then its fine. Basically if @type: foo shows up anywhere, we need to import foo I think
There was a problem hiding this comment.
Please don't mix istio and envoy APIs. They use incompatible protobufs (gogo in istio, golang in xds), so it just causes confusion down the line.
There was a problem hiding this comment.
+1. don't see why it's needed. (miss this thread before).
There was a problem hiding this comment.
If we use istio/api independent envoy filter api, it will be placed similar api definition there. (like RequestAuthentication/PeerAuthentication) Is it acceptable? I understand that this filter api should be placed on istio/proxy but don't understand not to depend on this.
| // authentication policy on Envoy. | ||
| message FilterConfig { | ||
| // Filter configuration for RequestAuthentication, which supports Jwt authentication. | ||
| istio.security.v1beta1.RequestAuthentication request_authentication = 1; |
There was a problem hiding this comment.
How is the filter going to consume RequestAuthentication directly, when the API requires control plane processing for jwksUrl?
There was a problem hiding this comment.
I'm confusing about we should consider about jwks_url here. That will be processed finely on EnvoyFilter. https://github.com/envoyproxy/envoy/blob/cf2df8cbe1f5aff726d6b8ea54d5ad716023b70d/api/envoy/extensions/filters/http/jwt_authn/v3/config.proto#L197
There was a problem hiding this comment.
In current code, we do not do jwksUri fetching in envoy, its done in the control plane
| // mTLS authentication for sidecar to sidecar workload. | ||
| istio.security.v1beta1.PeerAuthentication peer_authentication = 2; | ||
|
|
||
| // Map from issuer to location of the payload that is emitted by Jwt filter. |
There was a problem hiding this comment.
I think that this field is not needed anymore. https://github.com/istio/istio/blob/536c38d179a770e736e8b2e9063feda89032af75/pilot/pkg/security/authn/v1beta1/policy_applier.go#L141. I will destroy this on the next version of AuthN filter API.
|
If this is going to passed thru api without the need for the control plane to understand it, we don’t need it here. |
|
I don't think any of the envoy filter configs are really 'private' - it
should probably move upstream to envoy, among all other envoy configs.
But it must be treated as an api - maybe only used directly by EnvoyFilter
users and control planes, but still API.
But private or not - the defaults should be secure by default to avoid
mistakes like we've seen in the past. It is extremely hard to change those
- due to versioning and upgrades and control plane variants (istiod is just
one implementation of Istio APIs - others are possible).
I think the confusion is around what is an API and what is not. Contracts
between components and services with multiple implementations are APIs in
my mind. The injection URL format is an API as well ( there is a separate
thread on this). Maybe not an API intended for end users but vendors and
integrators - but still API.
…On Thu, Jul 30, 2020, 15:38 Yangmin Zhu ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In envoy/config/filter/http/authn/v2alpha2/config.proto
<#1536 (comment)>:
> @@ -0,0 +1,50 @@
+// Copyright 2020 Istio Authors
Sorry for the late reply, this get lost in my inbox :(
A high level comment, should we move this API to the proxy repo instead of
putting it in the istio/api again? This is internal filter API and should
not be in the istio/api (user-facing) repo in the first place, we could
take this chance to clean it up.
(this caused a lot confusions before, cc @costinm
<https://github.com/costinm> @incfly <https://github.com/incfly> )
------------------------------
In envoy/config/filter/http/authn/v2alpha2/config.proto
<#1536 (comment)>:
> + // mTLS authentication for sidecar to sidecar workload.
+ istio.security.v1beta1.PeerAuthentication peer_authentication = 2;
+
+ // Map from issuer to location of the payload that is emitted by Jwt filter.
+ // This information is added by pilot when construct and add Jwt and
+ // authN filters.
+ map<string, string> jwt_output_payload_locations = 3;
+
+ // Skips validating the peer's trust domain.
+ // By default, the istio authn filter will reject the request if the peer and
+ // the local service is not in the same trust domain.
+ // Set this field to true to skip the validation and allows peers from any
+ // trust domains.
+ // Note, the istio authn filter only validates the trust domain when mTLS is
+ // used, In other words, this field has no effect for plaintext traffic.
+ bool skip_validate_trust_domain = 4;
I think there is another change from @incfly <https://github.com/incfly>
for adding a list of strings for trust domain validation.
------------------------------
In envoy/config/filter/http/authn/v2alpha2/config.proto
<#1536 (comment)>:
> +
+import "security/v1beta1/request_authentication.proto";
+import "security/v1beta1/peer_authentication.proto";
+
+// $title: Internal API for authentication implementation on Envoy.
+
+package istio.envoy.config.filter.http.authn.v2alpha2;
+
+
+option go_package = "istio.io/api/envoy/config/filter/http/authn/v2alpha2";
+
+// FilterConfig is the config for Istio-specific filter that is used to enforce
+// authentication policy on Envoy.
+message FilterConfig {
+ // Filter configuration for RequestAuthentication, which supports Jwt authentication.
+ istio.security.v1beta1.RequestAuthentication request_authentication = 1;
is it possible to not to depend on istio/api? technically the internal
filter config doesn't need to depend on the user-facing API, and the filter
also probably have a simpler API?
just optional as we can always iterate on this part later.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1536 (review)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAUR2TTUNKJ2WKGMLJ4PILR6HY6JANCNFSM4O7KRUNQ>
.
|
|
Someone generates this proto - and envoy consumes it. The generator may
have multiple implementations. The consumer can also have multiple
implementations ( there is at least one other data plane proxy using XDS
compatible API). It doesn't matter if WASM or c++ or go is used to
implement it. To me that's an API that needs to be treated as such.
…On Thu, Jul 30, 2020, 20:23 mandarjog ***@***.***> wrote:
If this is going to passed thru api without the need for the control plane
to understand it, we don’t need it here.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1536 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAUR2W4NPXWH7NYOU6FZMTR6I2MRANCNFSM4O7KRUNQ>
.
|
|
I agree about it being a filter api, and should be reviewed. But it does need to be defined as “istio” api here. |
|
@mandarjog who is actually configuring this? The user? The control plane? something else? |
|
@yangminzhu is this a passthru api or does it need controlplane intervention? |
|
I am a bit confused. So question to @yangminzhu and @Shikugawa why we put Istio API(RequestAuthentication and PeerAuthentication) inlined in the new WASM based authn filter API? Certain things like workload selector does not make sense to the filter at all. Are there some design/thread on this? I clicked through the linked PR but didn't find any clue. |
|
What do you mean passthrough ? Someone must create it.
…On Fri, Jul 31, 2020, 10:03 Jianfei Hu ***@***.***> wrote:
I am a bit confused. So question to @yangminzhu
<https://github.com/yangminzhu> and @Shikugawa
<https://github.com/Shikugawa>
why we put Istio API inlined in the new WASM based authn filter API?
Certain things like workload selector does not make sense to the filter at
all. Are there some design/thread on this? I clicked through the linked PR
but didn't find any clue.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1536 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAUR2WOCUD4A2EBGTOQIGDR6L2MHANCNFSM4O7KRUNQ>
.
|
@howardjohn this is only configured by control plane (istiod).
@mandarjog not sure what you mean for passthru api. This will be used by control plane (istiod) to configure the authn filter to do the work (e.g. extract attributes). |
|
@yangminzhu if this is configured by istiod then istiod needs to import the proto? |
In that case, we need to produce golang protos since it's going to be embedded in xDS config dumps, etc. istio/api produces gogo.
Pass through means it's just pasted as opaque blob and not interpreted by istiod. It doesn't sound like the case anymore. Still, I don't think this should be user visible, and it is not a user API at all. |
|
Related question: we should consider not using proto for the Wasm plugin. You are taking a hit of 1MB extra binary size just to parse 4 fields in a JSON. |
|
Yes, I mentioned the similar thing in the other PR in istio/api.
1) the (new) authn filter define its filter API purely in istio/proxy, no
dependency on istio/api
2) istiod configures the (new) authn filter via the filter API. This part
seems a bit tricking because it requires dependency on istio/proxy?
…On Fri, Jul 31, 2020 at 1:48 PM John Howard ***@***.***> wrote:
@yangminzhu <https://github.com/yangminzhu> if this is configured by
istiod then istiod needs to import the proto?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1536 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAQWO2HYLGOOIWECR3XNIJ3R6MUYLANCNFSM4O7KRUNQ>
.
|
|
On Fri, Jul 31, 2020 at 1:51 PM Kuat ***@***.***> wrote:
Related question: we should consider not using proto for the Wasm plugin.
You are taking a hit of 1MB extra binary size just to parse 4 fields in a
JSON.
Thanks for the suggestion, Kuat.
I think that's another factor we should take into consideration when
evaluating whether or not we should have the (new) authn filter in wasm,
currently I believe this is not decided yet and we're still doing
evaluation.
It may be worth investing some time to see if we can get it upstreamed in
Envoy, so it's just normal Envoy filters and we don't need to worry about
any of these dependencies.
… —
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1536 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAQWO2DSPKUR2RDAQLKIWA3R6MVFBANCNFSM4O7KRUNQ>
.
|
|
@yangminzhu I agree that we should consider upstreaming if it is possible. But if that doesn't happen, then the only choice is Wasm ABI, so a lot of the questions raised here are moot (why even use proto if you don't have to). |
|
@istio/wg-security-maintainers I guessed about the usecase of new authentication filter and concluded that our requirements about this are,
So all we have to do is,
Is my idea correct? cc. @howardjohn @kyessenov @mandarjog |
Correct, this is one of the big benefits of the new authn filter.
I'm not sure if we can put the original
Correct, this is basically just to use the new authn filter in istiod, should be easy and straightforward to do since we only need to configure a few fields for the authn filter (the most complicated part today is the Envoy JWT fitler which is not affected by this change)
|
howardjohn
removed
the
cla: yes
|
🚧 This issue or pull request has been closed due to not having had activity from an Istio team member since 2020-08-09. If you feel this issue or pull request deserves attention, please reopen the issue. Please see this wiki page for more information. Thank you for your contributions. Created by the issue and PR lifecycle manager. |
istio-policy-bot
added
the
lifecycle/automatically-closed
11 participants
This is highly related to istio/proxy#2800.