authn: revised request authenticator #2952
Conversation
googlebot
added
the
cla: yes
istio-testing
added
the
size/XXL
There was a problem hiding this comment.
Thanks for the work! this looks great!
I left some comments but I think many of them could be addressed in follow up PRs so feel free to leave a TODO there. One of big benefits of the new authn filter is to reduce the complexity and tech-debt we had today, so before we really switch to use it, we would need to address these TODOs otherwise we're just carrying the tech-debt to the new filter (and also need some test for performance and reliability).
| return true; | ||
| } | ||
|
|
||
| bool FilterContext::getJwtPayloadFromIstioJwtFilter( |
There was a problem hiding this comment.
I think we no longer need this. We only support Envoy JWT filter now.
| namespace Extensions { | ||
| namespace AuthN { | ||
|
|
||
| class IRequestAuthenticator { |
There was a problem hiding this comment.
nit: I feel it's more common to name the abstract class as RequestAuthentication, and the implementation as RequestAuthenticationImpl in Envoy?
| } | ||
|
|
||
| bool RequestAuthenticator::validateJwt(istio::authn::JwtPayload* jwt) { | ||
| for (const auto& jwt_rule : request_authentication_policy_.jwt_rules()) { |
There was a problem hiding this comment.
I feel this could be greatly simplified without depending on the request_authentication policy at all.
Istiod already generates the Envoy JWT filter config from consolidated RequestAuthN policies, Envoy JWT filter should validate and output the JWT token to the metadata (via PayloadInMetadata)
can we just pass a list of issuers in the authn filter's config instead of passing the whole RequestAuthN policy? (I want to avoid dependency on the user-facing API in proxy)
| // TODO (pitlv2109): Return protobuf Struct instead of string, once Istio jwt | ||
| // filter is removed. Also need to change how Istio authn filter processes the | ||
| // jwt payload. | ||
| MessageToJsonString(entry_it->second.struct_value(), payload); |
There was a problem hiding this comment.
As you can see there is a TODO here, here we parse the struct to string, and later in ExtractOriginalPayload and ProcessJwtPayload we parse the string into JSON object via JsonParse(), is it possible to avoid this and use the struct directly?
| public: | ||
| FilterContext( | ||
| const envoy::config::core::v3::Metadata& dynamic_metadata, | ||
| const RequestHeaderMap& header_map, const Connection* connection, |
There was a problem hiding this comment.
This seems to be using Envoy interfaces. How are you going to compile this to Wasm?
There was a problem hiding this comment.
I'm not considering about wasm compilation in this PR. I will submit a PR which will include plugin.h/.cc using proxy-wasm interface. I will fix them in that.
There was a problem hiding this comment.
I'm just wondering that if we're revising the implementation anyways, why not write it once with Wasm ABI.
There was a problem hiding this comment.
This PR doesn't include the build components which will be required to build AuthN filter. I'd like to split AuthN wasm implementations described in #2800. If we consider about wasm build in this PR. It will be complex to review all of codes, and out of request authenticator context. We have had already the implementation to be available not NullVM in #2800. I think that we should focus on simple (not WASM enabled) request authenticator implementation and unit test.
kyessenov
left a comment
kyessenov
left a comment
There was a problem hiding this comment.
I strongly suggest using Wasm interfaces. We cannot upstream this filter so it will need to be dynamically loadable.
istio-testing
added
the
needs-rebase
|
@Shikugawa: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Splitting the filter into multiple is fine with me.
One thing to note is that we were trying to combine multiple Wasm modules
into one big fat module for performance reasons. So it might end up being
one module in the end.
…On Fri, Nov 13, 2020 at 8:44 PM Rei Shimizu ***@***.***> wrote:
@kyessenov <https://github.com/kyessenov> Discussed with
@istio/wg-security-maintainers
<https://github.com/orgs/istio/teams/wg-security-maintainers>, we should
revise authn filter with some of components, not monorith authn filter. I
shared design doc of that. But there is no consensus with googlers. Can you
review it and add some comments?
https://docs.google.com/document/d/1JCVR3IoHzuvIvl2Qrep785eNLGOVdwZ3Ha2rrsM-K5w
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#2952 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACIYRRXOVTUR5BTZFOUAHLLSPYDJHANCNFSM4PKTIEJQ>
.
|
|
outdated |
7 participants
What this PR does / why we need it:
This is a part of replacement of authn wasm implementation. It is using revised request authentication API. istio/api#1536
#2800 is too large and hard to review all codes so that I split all of authn wasm implementation.