Skip to content

update the ext-authz extension provider and promote to alpha #1926

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Apr 2, 2021
Merged

update the ext-authz extension provider and promote to alpha #1926

merged 7 commits into from
Apr 2, 2021

Conversation

yangminzhu
Copy link
Contributor

@yangminzhu yangminzhu commented Mar 25, 2021
edited
Loading

This PR makes necessary change to promote the ext-authz feature to alpha:

  1. Added with_request_body to support including body in the check request: This addresses user feedback: HTTP body missing from gRPC ExternalAuthorization provider CheckRequest istio#31182 (comment) and Better External Authorization support istio#27790 (comment)
  2. Added prefix and suffix matching when including headers in the check request: This matches the syntax in the authorization policy, this is needed to simplify the configuration when there are large number of headers with same prefix (e.g. x-forwarded-access-token, x-forwarded-user, x-forwarded-email, ...) need to be included
  3. Added add_headers_in_check to support including extra headers in the check request: This is just another way to include more headers.
  4. Added timeout to support configuring the timeout to the external service: This is needed as we have found that the timeout in DestinationRule does not cover the ext-authz filter usage because the ext-authz filer has its own timeout constraints. The current default value 600s is chosen to match the current workaround, we could change it to a lower value (e.g. 200ms) if needed.
  5. Updated the authorization_policy.proto documentation

@istio-policy-bot
Copy link

🤔 🐛 You appear to be fixing a bug in Go code, yet your PR doesn't include updates to any test files. Did you forget to add a test?

Courtesy of your friendly test nag.

@google-cla google-cla bot added the cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. label Mar 25, 2021
@istio-testing istio-testing added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Mar 25, 2021
@yangminzhu
Copy link
Contributor Author

@louiscryan @smawson @nrjpoddar @linsun please take a look at these changes for promoting the ext-authz feature to alpha in 1.10, let me know if you have any questions, thank you.

@istio-testing istio-testing added the needs-rebase Indicates a PR needs to be rebased before being merged label Mar 26, 2021
smawson
smawson reviewed Mar 29, 2021
View reviewed changes
howardjohn
howardjohn reviewed Mar 29, 2021
View reviewed changes
@istio-testing istio-testing removed the needs-rebase Indicates a PR needs to be rebased before being merged label Mar 30, 2021
nrjpoddar
nrjpoddar reviewed Mar 30, 2021
View reviewed changes
@nrjpoddar
Copy link
Member

@yangminzhu we need to look at the string match API here as we are creating a divergence from other Networking APIs.

nrjpoddar
nrjpoddar reviewed Mar 30, 2021
View reviewed changes
@yangminzhu
Copy link
Contributor Author

@yangminzhu we need to look at the string match API here as we are creating a divergence from other Networking APIs.

@nrjpoddar I was trying to align with the AuthZ API but I do not have a strong preference here. I think either one does the job and it is probably more convenient to be consistent with the AuthZ as this provider is only used with AuthZ API.

@nrjpoddar
Copy link
Member

@yangminzhu we need to look at the string match API here as we are creating a divergence from other Networking APIs.

@nrjpoddar I was trying to align with the AuthZ API but I do not have a strong preference here. I think either one does the job and it is probably more convenient to be consistent with the AuthZ as this provider is only used with AuthZ API.

Yeah, I see it now. Can we link to https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule so that users know that API semantics are same between this and AuthZ policies?

nrjpoddar
nrjpoddar reviewed Mar 30, 2021
View reviewed changes
nrjpoddar
nrjpoddar reviewed Mar 30, 2021
View reviewed changes
@istio-testing istio-testing added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 30, 2021
@yangminzhu
Copy link
Contributor Author

@nrjpoddar @howardjohn @smawson I have updated the PR to address comments so far. PTAL and let me know if you still have more comments, thanks.

@smawson
Copy link
Contributor

smawson commented Mar 31, 2021

My concerns were met so deferring to @howardjohn and @nrjpoddar

@nrjpoddar
Copy link
Member

nrjpoddar commented Apr 1, 2021
edited
Loading

@yangminzhu I missed submitting my review yesterday. Updates look good. I have 2 minor comments:

  1. For one field you have a comment saying: “Note that this setting will have precedence over the fail_open field.” but don’t explain the relationship? They don’t seem related at first glance.
  2. Secondly, yesterday when I had looked your comment said that there was a bug for duplicated header keys. I think we need to document the expected behavior instead of expecting users to go through Envoy docs and PRs. If indeed, there’s a discrepancy for duplicated headers it can lead to CVEs so we should be careful about merging this without understanding what’s happening.

@nrjpoddar
Copy link
Member

I’m adding do-not-merge until I understand the duplicate headers behavior.

@nrjpoddar nrjpoddar added the do-not-merge/hold Block automatic merging of a PR. label Apr 1, 2021
@istio-testing
Copy link
Collaborator

istio-testing commented Apr 2, 2021
edited
Loading

@yangminzhu: The following test failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
release-notes_api d5fdc05 link /test release-notes_api

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@nrjpoddar
Copy link
Member

Talked offline with @yangminzhu. Removing the don’t merge label. Thanks for incorporating the suggestion!

@nrjpoddar nrjpoddar removed the do-not-merge/hold Block automatic merging of a PR. label Apr 2, 2021
@yangminzhu
Copy link
Contributor Author

/test gencheck_api

@istio-testing istio-testing merged commit 8d2a4ee into istio:master Apr 2, 2021
zhlsunshine pushed a commit to zhlistio/api that referenced this pull request Jul 8, 2021
@yangminzhu @zhlsunshine
update the ext-authz extension provider and promote to alpha (istio#1926
40fe913 
)

* ext-authz: promote to alpha

* address comments

* update comment

* address comments

* update

* address comments

* update comment
zhlsunshine pushed a commit to zhlistio/api that referenced this pull request Jul 30, 2021
@yangminzhu @zhlsunshine
update the ext-authz extension provider and promote to alpha (istio#1926
8a2fcb3 
)

* ext-authz: promote to alpha

* address comments

* update comment

* address comments

* update

* address comments

* update comment
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@howardjohn howardjohn howardjohn approved these changes

@dcberg dcberg Awaiting requested review from dcberg

@duderino duderino Awaiting requested review from duderino

@linsun linsun Awaiting requested review from linsun

@louiscryan louiscryan Awaiting requested review from louiscryan

+2 more reviewers

@smawson smawson smawson left review comments

@nrjpoddar nrjpoddar nrjpoddar approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees

@costinm costinm

Labels
cla: yes Set by the Google CLA bot to indicate the author of a PR has signed the Google CLA. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@yangminzhu @istio-policy-bot @nrjpoddar @smawson @istio-testing @howardjohn @costinm