rbac: add matching range of destination ports #17356
Hi @zhxie, welcome and thank you for your contribution. We will try to review your Pull Request as quickly as possible. In the meantime, please take a look at the contribution guidelines if you have not done so already.

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to

please rebase and sign all your commits with
adisuissa left a comment
Thanks for working on this!
Left a few API questions.
Signed-off-by: Xie Zhihao <zhihao.xie@intel.com>
@adisuissa could you also take a look at the first pass for implementation review when you're back? Thanks!

adisuissa left a comment
Implementation and tests look good overall, thanks!
Left a couple of nits.
| perm->mutable_destination_port_range()->set_start(123); | ||
| perm->mutable_destination_port_range()->set_end(456); |
nit: why not copy range into destination_port_range?
That's right. Unused variable has been removed.
| checkMatcher(PortMatcher(456), false, conn, headers, info); | ||
| } | ||
|
|
||
| TEST(PortRangeMatcher, PortRangeMatcher) { |
Please add a short comment stating what the test validates.
Signed-off-by: Xie Zhihao <zhihao.xie@intel.com>
| class PortRangeMatcher : public Matcher { | ||
| public: | ||
| PortRangeMatcher(const ::envoy::type::v3::Int32Range& range) | ||
| : start_(range.start()), end_(range.end()) {} |
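Review bot: the constructor copies range.start() and range.end() into start_ and end_ without checking that 0 <= start <= end <= 65535, so a negative or out-of-bounds range is accepted silently at construction; consider validating here (or in a shared helper usable by both this matcher and the listener filter's destination-port matcher) and throwing on invalid input, and add a boundary test at start, end - 1 and end so the inclusive/exclusive convention for Int32Range's end is pinned down by the tests.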
Arguably we should reject negative and OOB values here for ports.
To validate the range of ports, it would be better to add a validation rule to the RBAC proto.
(envoy/api/envoy/config/rbac/v3/rbac.proto, lines 189 to 190 in f97bdf1)
But the type type.v3.Int32Range does not have any validation rules, and only certain types have validation rules, which are located in validate.proto in another repo, envoyproxy/protoc-gen-validate. As a result, it is not easy for us to reject invalid or illegal values.
In addition, type.v3.Int32Range is also used for destination port matching in the listener filter, but the ListenerFilterDstPortMatcher does not check its input.
(envoy/api/envoy/config/listener/v3/listener_components.proto, lines 330 to 332 in f97bdf1)
(envoy/source/common/network/filter_matcher.h, lines 40 to 46 in f97bdf1)
So I think maybe we do not have to add a check?
Yes, this is a limit of PGV annotations and proto typing; I don't think it can be done cleanly at the proto annotation level. I think both ListenerFilterDstPortMatcher and your code could share a common utility that, at config ingestion time, checks the port range and throws if invalid; this is the next best thing.
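The shared config-ingestion check discussed in the two comments above, written out as an added example (it is not Envoy's code or this PR's): a validatePortRange helper that throws on a range that cannot describe TCP/UDP ports, and a PortRangeMatcher that can only be built through it. Int32Range is a hypothetical plain struct standing in for the type.v3.Int32Range proto, and the range is assumed half-open [start, end), which is how Envoy's range.proto documents Int32Range; adjust the end check if the matcher treats end as inclusive.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>

// Hypothetical stand-in for the envoy.type.v3.Int32Range proto message so the
// example compiles without protobuf. Assumed semantics: start inclusive, end exclusive.
struct Int32Range {
  int32_t start;
  int32_t end;
};

// Config-ingestion check shared by every matcher that consumes a port range.
// Throws std::invalid_argument on a range that cannot describe ports; otherwise
// returns the range unchanged so it can be used directly in an initializer.
inline const Int32Range& validatePortRange(const Int32Range& range) {
  constexpr int32_t kMaxPort = 65535;
  if (range.start < 0 || range.start > kMaxPort) {
    throw std::invalid_argument("port range start out of bounds: " + std::to_string(range.start));
  }
  // end is exclusive, so kMaxPort + 1 is the largest legal value.
  if (range.end < 1 || range.end > kMaxPort + 1) {
    throw std::invalid_argument("port range end out of bounds: " + std::to_string(range.end));
  }
  if (range.start >= range.end) {
    throw std::invalid_argument("port range is empty: start must be less than end");
  }
  return range;
}

// Matcher that validates at construction: a bad range never becomes a matcher
// that silently matches nothing (or everything). Matches when start <= port < end.
class PortRangeMatcher {
public:
  explicit PortRangeMatcher(const Int32Range& range)
      : start_(validatePortRange(range).start), end_(range.end) {}

  bool matches(uint32_t port) const {
    const int64_t p = static_cast<int64_t>(port);
    return p >= start_ && p < end_;
  }

private:
  const int32_t start_;
  const int32_t end_;
};

// Reports whether a range would be rejected at ingestion, keeping the exception
// inside the helper so callers (and tests) can probe the rejection path directly.
inline bool portRangeRejected(const Int32Range& range) {
  try { validatePortRange(range); return false; }
  catch (const std::invalid_argument&) { return true; }
}
```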
Signed-off-by: Xie Zhihao <zhihao.xie@intel.com>
Commit Message: rbac: add matching range of destination ports
Additional Description: use one destination port range rule to cover thousands of port rules in RBAC permissions, adding convenience for writing configuration and making matching quicker
Risk Level: Low
Testing: Unit
Docs Changes: N/A
Release Notes: Added
Platform Specific Features: N/A
Fixes #16039