authz_filter: configuration to support Ambassador authorization flow #563
+68
−32
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| load("//bazel:api_build_system.bzl", "api_proto_library") | ||
|
|
||
| licenses(["notice"]) # Apache 2 | ||
|
|
||
| api_proto_library( | ||
| name = "ext_authz", | ||
| srcs = ["ext_authz.proto"], | ||
| deps = ["//envoy/api/v2/core:grpc_service"], | ||
| ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| syntax = "proto3"; | ||
|
|
||
| package envoy.config.filter.http.ext_authz.v2alpha; | ||
| option go_package = "v2"; | ||
|
|
||
| import "envoy/api/v2/core/grpc_service.proto"; | ||
|
|
||
| import "google/protobuf/duration.proto"; | ||
| import "gogoproto/gogo.proto"; | ||
|
|
||
| // The external authorization HTTP service configuration. | ||
| message HttpService { | ||
| // Sets the cluster name which the authorization request must be sent to. | ||
| string cluster = 1; | ||
|
There was a problem hiding this comment. Wondering if https://github.com/envoyproxy/data-plane-api/blob/master/envoy/api/v2/core/http_uri.proto#L9 would be appropriate here. Leaning towards saying "no", since we are probably not making arbitrary HTTP calls and can statically configure the service, but if we want to leave room for growing to a dynamic auth service resolution later, then There was a problem hiding this comment. As far as it is compatible with the previous design, which seems that it is, I think HttpUri makes sense. I'm not entirely sure about what this change though. |
||
|
|
||
| // Sets the time, in milliseconds, within the service should respond to an authorization | ||
| // request. | ||
| google.protobuf.Duration timeout = 2 [(gogoproto.stdduration) = true]; | ||
|
There was a problem hiding this comment. Thoughts on merging this into There was a problem hiding this comment. Good point. I will do it. |
||
|
|
||
| // Sets an optional prefix to the value of authorization request header `path`. | ||
| string path_prefix = 3; | ||
| } | ||
|
|
||
| message ExtAuthz { | ||
|
|
||
| oneof services { | ||
| // The external authorization gRPC service configuration. | ||
| envoy.api.v2.core.GrpcService grpc_service = 1; | ||
|
|
||
| // The external authorization HTTP service configuration. | ||
| HttpService http_service = 3; | ||
|
There was a problem hiding this comment. Is it ok to re-index them? There was a problem hiding this comment. you are right |
||
| } | ||
|
|
||
| bool failure_mode_allow = 2; | ||
|
|
||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,24 @@ | ||
| load("//bazel:api_build_system.bzl", "api_proto_library", "api_go_proto_library") | ||
|
|
||
| licenses(["notice"]) # Apache 2 | ||
|
|
||
| api_proto_library( | ||
| name = "attribute_context", | ||
| srcs = [ | ||
| "attribute_context.proto", | ||
| ], | ||
| deps = [ | ||
| "//envoy/api/v2/core:address", | ||
| ], | ||
| ) | ||
|
|
||
| api_proto_library( | ||
| name = "external_auth", | ||
| srcs = [ | ||
| "external_auth.proto", | ||
| ], | ||
| has_services = 1, | ||
| deps = [ | ||
| ":attribute_context", | ||
| ], | ||
| ) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,133 @@ | ||
| syntax = "proto3"; | ||
|
|
||
| // [#proto-status: draft] | ||
|
|
||
| package envoy.service.auth.v2alpha; | ||
|
There was a problem hiding this comment. These are just copies from the existing protos? How come the existing ones aren't being deleted (i.e. this isn't a move)? There was a problem hiding this comment. Yes, I just copied them. I wasn't 100% sure if I should delete the old ones. |
||
|
|
||
| import "envoy/api/v2/core/address.proto"; | ||
|
|
||
| import "google/protobuf/timestamp.proto"; | ||
|
|
||
| // An attribute is a piece of metadata that describes an activity on a network. | ||
| // For example, the size of an HTTP request, or the status code of an HTTP response. | ||
| // | ||
| // Each attribute has a type and a name, which is logically defined as a proto message field | ||
| // of the `AttributeContext`. The `AttributeContext` is a collection of individual attributes | ||
| // supported by Envoy authorization system. | ||
| message AttributeContext { | ||
| // This message defines attributes for a node that handles a network request. | ||
| // The node can be either a service or an application that sends, forwards, | ||
| // or receives the request. Service peers should fill in the `service`, | ||
| // `principal`, and `labels` as appropriate. | ||
| message Peer { | ||
| // The address of the peer, this is typically the IP address. | ||
| // It can also be UDS path, or others. | ||
| envoy.api.v2.core.Address address = 1; | ||
|
|
||
| // The canonical service name of the peer. | ||
| // It should be set to :ref:`the HTTP x-envoy-downstream-service-cluster | ||
| // <config_http_conn_man_headers_downstream-service-cluster>` | ||
| // If a more trusted source of the service name is available through mTLS/secure naming, it | ||
| // should be used. | ||
| string service = 2; | ||
|
|
||
| // The labels associated with the peer. | ||
| // These could be pod labels for Kubernetes or tags for VMs. | ||
| // The source of the labels could be an X.509 certificate or other configuration. | ||
| map<string, string> labels = 3; | ||
|
|
||
| // The authenticated identity of this peer. | ||
| // For example, the identity associated with the workload such as a service account. | ||
| // If an X.509 certificate is used to assert the identity this field should be sourced from | ||
| // `Subject` or `Subject Alternative Names`. The primary identity should be the principal. | ||
| // The principal format is issuer specific. | ||
| // | ||
| // Example: | ||
| // * SPIFFE format is `spiffe://trust-domain/path` | ||
| // * Google account format is `https://accounts.google.com/{userid}` | ||
| string principal = 4; | ||
| } | ||
|
|
||
| // Represents a network request, such as an HTTP request. | ||
| message Request { | ||
| // The timestamp when the proxy receives the first byte of the request. | ||
| google.protobuf.Timestamp time = 1; | ||
|
|
||
| // Represents an HTTP request or an HTTP-like request. | ||
| HttpRequest http = 2; | ||
|
|
||
| // More request types are added here as necessary. | ||
| } | ||
|
|
||
| // This message defines attributes for an HTTP request. | ||
| // HTTP/1.x, HTTP/2, gRPC are all considered as HTTP requests. | ||
| message HttpRequest { | ||
| // The unique ID for a request, which can be propagated to downstream | ||
| // systems. The ID should have low probability of collision | ||
| // within a single day for a specific service. | ||
| // For HTTP requests, it should be X-Request-ID or equivalent. | ||
| string id = 1; | ||
|
|
||
| // The HTTP request method, such as `GET`, `POST`. | ||
| string method = 2; | ||
|
|
||
| // The HTTP request headers. If multiple headers share the same key, they | ||
| // must be merged according to the HTTP spec. All header keys must be | ||
| // lowercased, because HTTP header keys are case-insensitive. | ||
| map<string, string> headers = 3; | ||
|
|
||
| // The HTTP URL path. | ||
| string path = 4; | ||
|
|
||
| // The HTTP request `Host` or 'Authority` header value. | ||
| string host = 5; | ||
|
|
||
| // The HTTP URL scheme, such as `http` and `https`. | ||
| string scheme = 6; | ||
|
|
||
| // The HTTP URL query in the format of `name1=value`&name2=value2`, as it | ||
| // appears in the first line of the HTTP request. No decoding is performed. | ||
| string query = 7; | ||
|
|
||
| // The HTTP URL fragment, excluding leading `#`. No URL decoding is performed. | ||
| string fragment = 8; | ||
|
|
||
| // The HTTP request size in bytes. If unknown, it must be -1. | ||
| int64 size = 9; | ||
|
|
||
| // The network protocol used with the request, such as | ||
| // "http/1.1", "spdy/3", "h2", "h2c" | ||
| string protocol = 10; | ||
| } | ||
|
|
||
| // The source of a network activity, such as starting a TCP connection. | ||
| // In a multi hop network activity, the source represents the sender of the | ||
| // last hop. | ||
| Peer source = 1; | ||
|
|
||
| // The destination of a network activity, such as accepting a TCP connection. | ||
| // In a multi hop network activity, the destination represents the receiver of | ||
| // the last hop. | ||
| Peer destination = 2; | ||
|
|
||
| // Represents a network request, such as an HTTP request. | ||
| Request request = 4; | ||
|
|
||
| // This is analogous to http_request.headers, however these contents will not be sent to the | ||
| // upstream server. Context_extensions provide an extension mechanism for sending additional | ||
| // information to the auth server without modifying the proto definition. It maps to the internal | ||
| // opaque context in the filter chain. | ||
| map<string, string> context_extensions = 10; | ||
| } | ||
|
|
||
| // The following items are left out of this proto | ||
| // Request.Auth field for jwt tokens | ||
| // Request.Api for api management | ||
| // Origin peer that originated the request | ||
| // Caching Protocol | ||
| // request_context return values to inject back into the filter chain | ||
| // peer.claims -- from X.509 extensions | ||
| // Configuration | ||
| // - field mask to send | ||
| // - which return values from request_context are copied back | ||
| // - which return values are copied into request_headers | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| syntax = "proto3"; | ||
|
|
||
| // [#proto-status: draft] | ||
|
|
||
| package envoy.service.auth.v2alpha; | ||
| option go_package = "v2"; | ||
|
There was a problem hiding this comment. same here, |
||
| option java_generic_services = true; | ||
|
|
||
| import "envoy/service/auth/v2alpha/attribute_context.proto"; | ||
|
|
||
| import "google/rpc/status.proto"; | ||
| import "validate/validate.proto"; | ||
|
|
||
| // A generic interface for performing authorization check on incoming | ||
| // requests to a networked service. | ||
| service Authorization { | ||
| // Performs authorization check based on the attributes associated with the | ||
| // incoming request, and returns status `OK` or not `OK`. | ||
| rpc Check(CheckRequest) returns (CheckResponse); | ||
| } | ||
|
|
||
| message CheckRequest { | ||
| // The request attributes. | ||
| AttributeContext attributes = 1; | ||
| } | ||
|
|
||
| message CheckResponse { | ||
| // Status `OK` allows the request. Any other status indicates the request should be denied. | ||
| google.rpc.Status status = 1; | ||
|
|
||
| // An optional message that contains HTTP response attributes. This message is | ||
| // used when the authorization service needs to send custom responses to the | ||
| // downstream client or, to modify/add request headers being dispatched to the upstream. | ||
| message HttpResponse { | ||
| // Http status code. | ||
| uint32 status_code = 1 [(validate.rules).uint32 = {gte: 100, lt: 600}]; | ||
|
|
||
| // Http entity headers. | ||
| map<string, string> headers = 2; | ||
|
|
||
| // Http entity body. | ||
| string body = 3; | ||
| } | ||
| } | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can you please change this to
v2alpha?