ext_authz: support external authorization checks when a route contains a direct response entry#14989
ext_authz: support external authorization checks when a route contains a direct response entry#14989esmet wants to merge 13 commits intoenvoyproxy:mainfrom
Conversation
Signed-off-by: John Esmet <john.esmet@gmail.com>
…s a direct response entry Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
…sponse Signed-off-by: John Esmet <john.esmet@gmail.com>
|
@dio do you mind providing a quick first pass while I work on test(s) and addressing feedback on other PRs? |
…sponse Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
|
Thank you for working on this. Yeah, I think this makes sense. |
|
There are tests so I'm pulling it out of draft 👍 |
Signed-off-by: John Esmet <john.esmet@gmail.com>
…onse Signed-off-by: John Esmet <john.esmet@gmail.com>
dio
left a comment
dio
left a comment
There was a problem hiding this comment.
Thanks for working on this! Looks good overall. Asking for improving the docs and an opportunity for optimization.
| const bool skip_check_; | ||
| const bool skip_request_body_buffering_; | ||
|
|
||
| static PerRouteFlags defaultFlags() { return PerRouteFlags{false, false}; } |
| return PerRouteFlags::skipCheckFlags(); | ||
| } | ||
|
|
||
| if (route->routeEntry() == nullptr && route->directResponseEntry() == nullptr) { |
There was a problem hiding this comment.
Could you quickly scan in the docs, if we have the opportunity to inform this explicitly in the docs?
There was a problem hiding this comment.
@dio Good callout. I read the docs. I think we're actually going to skip authz checks for redirect actions still. Maybe this feature would be more complete if we:
- Documented that only routes that proxy requests upstream will be covered by ext_authz by default
- Add a knob to enable ext_authz on direct response actions
- Add a knob to enable ext_authz on redirect actions
This way, this "bugfix" is now instead a new feature that won't break existing users that expect the current behavior. Principle of least surprise is violated, in theory, but we can mitigate that with documentation and I think this is better than possibly introducing a breaking change when we meant to make things better.
There was a problem hiding this comment.
By the way, I was wrong. Redirects and direct replies are both "direct responses" on the route object so I believe this change will correctly apply to them all. I should probably add an integration test.
Signed-off-by: John Esmet <john.esmet@gmail.com>
dio
left a comment
dio
left a comment
There was a problem hiding this comment.
Thanks! Could you update the PR description, so it will be easier for maintainers when landing this.
dio
left a comment
dio
left a comment
There was a problem hiding this comment.
Thanks! Could you update the PR description, so it will be easier for maintainers when landing this.
dio
left a comment
dio
left a comment
There was a problem hiding this comment.
Thanks! Could you update the PR description, so it will be easier for maintainers when landing this.
|
Wow. GitHub put 3 approvals 😅. Sorry for that. |
|
@dio thanks for the approval. But, I'm moving this back to draft because I have concerns that this bugfix could be considered a minor breaking change and also doesn't cover redirect responses (see #14989 (comment)). When I come back to working on this PR, I'll look into either updating the changelog to mention that this is a behavioral change or add config knobs to control whether direct / redirect responses are covered by ext_authz by default. |
|
Oops. OK. Sorry for missing that comment. |
I thought about this for a bit. Would it be odd behavior to have redirect/direct responses default differently than other routes. Right now you need to disable a filter on a route otherwise it automatically applies. It seems like this has to be a breaking change, otherwise you end up with an unintuitive UI. :/ |
|
@artificial-aidan I agree that the user experience will be surprising (in a bad way) unless we break the current behavior. Can I get an expert opinion from @envoyproxy/api-shepherds on whether the behavioral bugfix in this ticket / PR is small enough to simply be included in "Minor behavioral changes" in the changelog, or if it is big enough to deserve its own API switch? The more I think on it, the more I'm leaning on noting it as a minor behavioral change because the current behavior is indeed an unintentional bug and there is a clear "workaround" to achieve the current behavior (by setting per filter config, as one would usually expect). |
|
@esmet not sure if I'm seeing the API concern here. Could you elaborate on how this might impact someone operating an ext_authz service or what the change in semantics are? If we're just saying "we fixed this to work for direct response entries as anyone who read the xDS docs would have expected anyway", I think we are good. |
|
@htuch The question is essentially whether we think fixing this bug is enough of a behavioral change to actually be considered a breaking change, so I was looking to get an opinion on whether that meant we needed to add an API flag for this. There may have been some precedent I was unaware of, for example. The way I could see this breaking behavior is if someone set up a redirect (or direct response) that was never meant to have authorization checks, but those users may have never set a per-route config to skip it because this bug meant they never had to. Once we fix it, those users will need to fix their configs, and that could be an unexpected (even if deserved) surprise. But I think you're saying that as long as this is a really just a bug fix and the fixed behavior is reasonable to expect given the docs, we shouldn't need to do that. I agree and I'm OK with that too. I'll keep this PR as is in that case 👍 |
…sponse Signed-off-by: John Esmet <john.esmet@gmail.com>
Signed-off-by: John Esmet <john.esmet@gmail.com>
|
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
github-actions
bot
added
the
stale
|
This would still be very helpful for us, and would simplify a lot of configs. |
github-actions
bot
removed
the
stale
| logging, :ref:`auto_host_rewrite <envoy_api_field_route.RouteAction.auto_host_rewrite>`, etc. | ||
| Setting the hostname manually allows overriding the internal hostname used for such features while | ||
| still allowing the original DNS resolution name to be used. | ||
| * ext_authz: routes that contain a redirect or a direct response action are now properly subject to external authorization checks by default. To restore the original behavior and skip authorization checks, disable ext_authz on the :ref:`per-route config <envoy_v3_api_msg_extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute>`. |
There was a problem hiding this comment.
Should we call this out in the ext_authz docs?
| const bool skip_check_; | ||
| const bool skip_request_body_buffering_; | ||
|
|
||
| static constexpr PerRouteFlags defaultFlags() { return PerRouteFlags{false, false}; } |
There was a problem hiding this comment.
can we add comments on what the bools are here and below?
e.g., false /*skip_check_*/, false /*skip_request_body_buffering_*/
| // Test that the request stops at decodeHeaders when filter_callbacks has no route entry, but it | ||
| // does have a direct response entry. | ||
| TEST_P(HttpFilterTestParam, StopIterationWithDirectResponseEntry) { | ||
| NiceMock<Router::MockDirectResponseEntry> direct_response_entry; |
There was a problem hiding this comment.
should we have a test with redirect?
|
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
github-actions
bot
added
the
stale
|
Still hoping to see this get in. |
github-actions
bot
removed
the
stale
|
This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions! |
github-actions
bot
added
the
stale
|
Not stale |
github-actions
bot
removed
the
stale
|
@soulxu thanks for picking this up. I let a bunch of my work go stale unfortunately, this included. |
7 participants
Commit Message: ext_authz: support external authorization checks when a route contains a direct response entry
Additional Description:
Risk Level: low
Testing: TODO
Docs Changes:
Release Notes: ext_authz: fix a bug that skipped external authorization checks for routes that contained only a direct response.
Fixes ##14984