ext_authz: do the authentication even the direct response is set#17546
Merged
mattklein123 merged 10 commits intoenvoyproxy:mainfrom Aug 10, 2021
Merged
ext_authz: do the authentication even the direct response is set#17546mattklein123 merged 10 commits intoenvoyproxy:mainfrom
mattklein123 merged 10 commits intoenvoyproxy:mainfrom
Conversation
Member
Author
|
/wait waiting for #17449 merged |
dmitri-d
reviewed
Jul 30, 2021
Contributor
There was a problem hiding this comment.
Wouldn't this affect redirects too? Not sure if these be passed to ext_authz?
Member
Author
There was a problem hiding this comment.
thanks for the good point, I tested the redirect case, this change affect it.
@mattklein123 WDYT?
Member
There was a problem hiding this comment.
Yeah I think it's correct to fix redirect also. You might want to rename the runtime flag and update the release notes?
/wait
mattklein123
requested changes
Aug 6, 2021
Member
mattklein123
left a comment
mattklein123
left a comment
There was a problem hiding this comment.
Thanks LGTM with a small comment. Also needs a main merge.
If you are able to test a redirect case that would be great also.
/wait
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Co-authored-by: Matt Klein <mattklein123@gmail.com> Signed-off-by: He Jie Xu <hejie.xu@intel.com> Signed-off-by: xuhj <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Member
Author
I added integration test for redirect and direct response case. The unittest cover those two cases since both of them return empty routeEntry |
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
mattklein123
requested changes
Aug 9, 2021
Member
mattklein123
left a comment
mattklein123
left a comment
There was a problem hiding this comment.
Awesome, thanks. Sorry just one more release note nit.
/wait
| * access log: fix ``%UPSTREAM_CLUSTER%`` when used in http upstream access logs. Previously, it was always logging as an unset value. | ||
| * aws request signer: fix the AWS Request Signer extension to correctly normalize the path and query string to be signed according to AWS' guidelines, so that the hash on the server side matches. See `AWS SigV4 documentaion <https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html>`_. | ||
| * cluster: delete pools when they're idle to fix unbounded memory use when using PROXY protocol upstream with tcp_proxy. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.conn_pool_delete_when_idle`` runtime guard to false. | ||
| * ext_authz: fixed skipping authentication when using returning either a direct response or a redirect. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect`` runtime guard to false. |
Member
There was a problem hiding this comment.
Suggested change
| * ext_authz: fixed skipping authentication when using returning either a direct response or a redirect. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect`` runtime guard to false. | |
| * ext_authz: fixed skipping authentication when returning either a direct response or a redirect. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect`` runtime guard to false. |
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
Member
|
Sorry I think you need another main merge. :( /wait |
Member
Author
haha, no worries, let me do a main merge |
Signed-off-by: He Jie Xu <hejie.xu@intel.com>
mattklein123
approved these changes
Aug 10, 2021
ggreenway
reviewed
Aug 10, 2021
| * access log: fix ``%UPSTREAM_CLUSTER%`` when used in http upstream access logs. Previously, it was always logging as an unset value. | ||
| * aws request signer: fix the AWS Request Signer extension to correctly normalize the path and query string to be signed according to AWS' guidelines, so that the hash on the server side matches. See `AWS SigV4 documentaion <https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html>`_. | ||
| * cluster: delete pools when they're idle to fix unbounded memory use when using PROXY protocol upstream with tcp_proxy. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.conn_pool_delete_when_idle`` runtime guard to false. | ||
| * ext_authz: fixed skipping authentication when returning either a direct response or a redirect. This behavior can be temporarily reverted by setting the ``envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response_and_redirect`` runtime guard to false. |
Member
There was a problem hiding this comment.
I think this should also be mentioned in "incompatible behavior changes". This behavior has been present for at least a few years, and I know some people are relying on the old behavior.
Member
Author
There was a problem hiding this comment.
that make sense, I can move it.
mpuncel
added a commit
to mpuncel/envoy
that referenced
this pull request
Aug 11, 2021
* main: (687 commits) ci: set build debug information from env (envoyproxy#17635) ext_authz: do the authentication even the direct response is set (envoyproxy#17546) upstream: various cleanups in connection pool code (envoyproxy#17644) owners: promote Dmitry to maintainer (envoyproxy#17642) quiche: client session supports creating bidi stream (envoyproxy#17543) Update HTTP/2 METADATA documentation. (envoyproxy#17637) ext_proc: Check validity of the :status header (envoyproxy#17596) test: add ASSERT indicating that gRPC stream has not been started yet (envoyproxy#17614) ensure that the inline cookie header will be folded correctly (envoyproxy#17560) cluster_manager: Make ClusterEntry a class instead of a struct (envoyproxy#17616) owners: make Raúl a Thrift senior extension maintainer (envoyproxy#17641) quiche: update QUICHE dependency (envoyproxy#17618) Delete mock for removed RouteEntry::perFilterConfig() method (envoyproxy#17623) REPO_LAYOUT.md: fix outdated link (envoyproxy#17626) hcm: forbid use of detection extensions with use_remote_addr/xff_num_trusted_hops (envoyproxy#17558) thrift proxy: add request shadowing support (envoyproxy#17544) ext_proc: Ensure that timer is always cancelled (envoyproxy#17569) Proposal: Add CachePolicy interface to allow for custom cache behavior (envoyproxy#17362) proto: fix verify to point at v3 only (envoyproxy#17622) api: move generic matcher proto to its own package (envoyproxy#17096) ...
mpuncel
added a commit
to mpuncel/envoy
that referenced
this pull request
Aug 16, 2021
* main: (687 commits) ci: set build debug information from env (envoyproxy#17635) ext_authz: do the authentication even the direct response is set (envoyproxy#17546) upstream: various cleanups in connection pool code (envoyproxy#17644) owners: promote Dmitry to maintainer (envoyproxy#17642) quiche: client session supports creating bidi stream (envoyproxy#17543) Update HTTP/2 METADATA documentation. (envoyproxy#17637) ext_proc: Check validity of the :status header (envoyproxy#17596) test: add ASSERT indicating that gRPC stream has not been started yet (envoyproxy#17614) ensure that the inline cookie header will be folded correctly (envoyproxy#17560) cluster_manager: Make ClusterEntry a class instead of a struct (envoyproxy#17616) owners: make Raúl a Thrift senior extension maintainer (envoyproxy#17641) quiche: update QUICHE dependency (envoyproxy#17618) Delete mock for removed RouteEntry::perFilterConfig() method (envoyproxy#17623) REPO_LAYOUT.md: fix outdated link (envoyproxy#17626) hcm: forbid use of detection extensions with use_remote_addr/xff_num_trusted_hops (envoyproxy#17558) thrift proxy: add request shadowing support (envoyproxy#17544) ext_proc: Ensure that timer is always cancelled (envoyproxy#17569) Proposal: Add CachePolicy interface to allow for custom cache behavior (envoyproxy#17362) proto: fix verify to point at v3 only (envoyproxy#17622) api: move generic matcher proto to its own package (envoyproxy#17096) ... Signed-off-by: Michael Puncel <mpuncel@squareup.com>
leyao-daily
pushed a commit
to leyao-daily/envoy
that referenced
this pull request
Sep 30, 2021
…oyproxy#17546) Signed-off-by: He Jie Xu <hejie.xu@intel.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Commit Message: ext_authz: do the authentication even the direct response is set
Additional Description:
This PR fixed the case the authentication will be skipped when the direct response is set.
And add the runtime flag
envoy.reloadable_features.http_ext_authz_do_not_skip_direct_responseto enable therevert of this behavior.
Also fix the merge config behavior, ensure the virtual host's typed config will be merged when
the direct response is set.
Risk Level: low
Testing: unittest
Docs Changes: n/a
Release Notes: bug fixes note
Runtime guard: envoy.reloadable_features.http_ext_authz_do_not_skip_direct_response
Fixes #17502
Related to #17377
Signed-off-by: He Jie Xu hejie.xu@intel.com