ext_authz: add dynamic_metadata_matchers and use them in the ext_authz HTTP implementation#14843
ext_authz: add dynamic_metadata_matchers and use them in the ext_authz HTTP implementation#14843esmet wants to merge 13 commits intoenvoyproxy:mainfrom
Conversation
HTTP implementation Signed-off-by: John Esmet <john.esmet@gmail.com>
|
/lgtm api |
| // *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are automatically added. | ||
| type.matcher.v3.ListStringMatcher allowed_client_headers = 2; | ||
|
|
||
| // When this :ref:`list <envoy_api_msg_type.matcher.v3.ListStringMatcher>`. is set, authorization |
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
|
/retest |
|
Retrying Azure Pipelines: |
|
@dio can you do a first pass of review? |
dio
left a comment
dio
left a comment
There was a problem hiding this comment.
Thank you for working on this! Looks good. Requesting for a better variable naming, and fixing some comments. Thank you!
| const Http::HeaderMap& headers_; | ||
| const MatcherSharedPtr& matchers_; | ||
| const MatcherSharedPtr& append_matchers_; | ||
| const MatcherSharedPtr& dynamic_metadata_matchers_; |
There was a problem hiding this comment.
Sorry, can we rename this to to_dynamic_metadata_matchers_ or similar, headers_to_dynamic_metadata_matchers_? A bit confused if we look at only this. Probably add a comment that all of these matchers (matchers, append_matchers, ...) work against headers_.
There was a problem hiding this comment.
good idea, this code is indeed getting hairy
There was a problem hiding this comment.
I went with to_dynamic_metadata_matchers
| std::string key{header.key().getStringView()}; | ||
| std::string value{header.value().getStringView()}; |
| /** | ||
| * Returns a list of matchers used for selecting the headers to emit as dynamic metadata. | ||
| */ | ||
| const MatcherSharedPtr& dynamicMetadataMatchers() const { return dynamic_metadata_matchers_; } |
There was a problem hiding this comment.
The same as above, let's rename it to something more explicit (?).
|
|
||
| const MatcherSharedPtr request_header_matchers_; | ||
| const MatcherSharedPtr client_header_matchers_; | ||
| const MatcherSharedPtr dynamic_metadata_matchers_; |
| (*metadata_fields)["x-metadata-header-2"] = ValueUtil::stringValue("4"); | ||
|
|
||
| // When we call onSuccess() at the bottom of the test we expect that all the | ||
| // headers-to-remove in that http response to have been correctly extracted |
There was a problem hiding this comment.
Sorry, I confused about this "headers-to-remove" comment. Do you mean all headers matched with the pattern defined by dynamic_metadata_from_headers?
There was a problem hiding this comment.
I think this is bad copy paste. Let me fix it.
…data Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
|
@dio I addressed the code review feedback and I think this should be ready to go now. |
|
@lizan friendly poke to take a pass and provide an API approval |
|
@envoyproxy/api-shepherds sorry to bother, but can I ask for one more pass at the API portions and an approval if all looks good? |
| // response headers that have a correspondent match will be emitted as dynamic metadata, whose keys | ||
| // correspond to the name of the matched header and whose values are the respective values. When this | ||
| // list is *not* set, no additional dynamic metadata will be emitted. This metadata lives in a namespace | ||
| // specified by the canonical name of extension filter that requires it: |
There was a problem hiding this comment.
@lizan @kyessenov I'm little concerned that we've moved to a model where type URL is the canonical name for extension filters but we continue to use these names in the API for other purposes. What exists in this PR is consistent with other places we do this, e.g. RLS, but curious what to do going forward. Do we need some API style guidance on which one to use where here?
CC @envoyproxy/api-shepherds @phlax
There was a problem hiding this comment.
Yeah, we need guidance what keys to use for metadata (and filter state). It's wild west right now. As long as the name is unique, it should be OK to use any name, but we need to phrase it this way and avoid canonical name.
There was a problem hiding this comment.
+1 anything we can do here to centralize this in TypedExtensionConfig and have common documentation would be hugely helpful. This is incredibly confusing IMO.
There was a problem hiding this comment.
Right, this PR uses the same metadata key name that is documented in the proto used by the gRPC authorization server. What can I do to help here, and is it something that should be addressed in this PR or in a followup PR?
There was a problem hiding this comment.
For now can you potentially just add an example to these docs? It's pretty hard to understand for the casual user. Thank you!
/wait
|
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
github-actions
bot
added
the
stale
|
This pull request has been automatically closed because it has not had activity in the last 37 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
6 participants
Adds support for emitting dynamic metadata when using an HTTP authorization service. This is already possible when using a gRPC authorization service, so this change just connects the pipes on the HTTP side.
Commit Message: ext_authz: add dynamic_metadata_matchers and use them in the ext_authz HTTP implementation
Additional Description:
Risk Level: Low
Testing: New unit test
Docs Changes: Added documentation to API protos, similar to sibling fields.
Release Notes: ext_authz: added :ref:
dynamic_metadata_from_headers <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.AuthorizationResponse.dynamic_metadata_from_headers>to support emitting dynamic metadata from headers returned by an external authorization service via HTTP.Fixes #14622