Add tcp and http filters for external authorization service.#2359
saumoh wants to merge 1 commit into envoyproxy:master from colabsaumoh:ext-auth-review
Signed-off-by: Saurabh Mohan <saurabh+github@tigera.io>
htuch left a comment:
Thanks for this very significant contribution. I'd like to ask two things to make the review work better:
- Can you apply the general style feedback (and (re)read the Envoy style guide at https://github.com/envoyproxy/envoy/blob/master/STYLE.md) to the entire set of files?
- Is it possible to break this up into at least 2 PRs? One for the gRPC client, and another for the auth filter? In general, we try to discourage such large PRs. Thanks.
| *proto_config.mutable_ip_white_list()); | ||
| } | ||
|
|
||
| void FilterJson::translateTcpExtAuthzFilter( |
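Review bot: `ip_white_list` is copied straight from the v1 JSON into the proto (the `mutable_ip_white_list()` line) with no validation visible in this hunk, and by its name it is a list of sources that skip the external check rather than a deny list. The field comment in the proto should say exactly which address it is matched against (the downstream peer address, or something derived from headers), because behind a load balancer the peer address is the balancer's and a CIDR-level bypass of authorization then covers far more than intended; if the v1 translation stays, the entries should be validated as CIDRs before they reach the proto.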
Do you need v1 configuration support? If not, please drop this as we're trying to deprecate v1.
I am happy to remove it. It's useful in UTs though, like here.
What is the recommended way of filling out the protobuf in UTs?
There are some examples, e.g. see https://github.com/envoyproxy/envoy/blob/master/test/common/access_log/grpc_access_log_impl_test.cc for an example of a unit test that takes protobuf config. I don't think it's worth keeping just for unit tests, although admittedly a lot of the legacy examples do still use v1 JSON. Protobufs are easy to build programmatically or via JSON/YAML parsing.
| ] | ||
| for t in sub_bind_targets: | ||
| native.bind( | ||
| name = "envoy_api_sub_" + t[0], |
This is for config(s) under the directory auth in data-plane-api.
We need to be able to specify a dependency on the protos in that directory; for example, here.
I'll rewrite it using the idioms already in place for filters.
| "//bazel:envoy_build_system.bzl", | ||
| "envoy_cc_library", | ||
| "envoy_package", | ||
| "envoy_proto_library", |
| namespace Envoy { | ||
| namespace ExtAuthz { | ||
|
|
||
| using envoy::api::v2::auth::CheckRequest; |
using isn't allowed in headers by the style guide. It's also more readable IMHO to have the envoy::api::v2:: prefix in the type, indicating that this is a proto.
| /** | ||
| * An interface for creating ext_authz.proto (authorization) request. | ||
| */ | ||
| class CheckRequestGenIntf { |
Hard to understand what this is from either the comment or type name. Please avoid abbreviations like Intf as they make readability more difficult.
| Ssl::Connection* ssl = | ||
| const_cast<Ssl::Connection*>(connection->ssl()); | ||
| if (ssl != nullptr) { | ||
| if (local == false) { |
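Review bot: the `const_cast<Ssl::Connection*>(connection->ssl())` exists only because the local variable is declared non-const; nothing in this hunk mutates the connection, so declare it `const Ssl::Connection* ssl = connection->ssl();`, keep the pointer const through whatever it is passed to, and the cast disappears. Style nit on the same hunk: `if (local == false)` should be `if (!local)`.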
| Envoy::Http::StreamDecoderFilterCallbacks *sdfc = const_cast<Envoy::Http::StreamDecoderFilterCallbacks *>(callbacks); | ||
| httpreq->set_id(std::to_string(sdfc->streamId())); | ||
|
|
||
| #define SET_HDR_IN_HTTPREQ(_hq, _api, mname) \ |
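Review bot: `const_cast<Envoy::Http::StreamDecoderFilterCallbacks *>(callbacks)` is used here only to call `streamId()`, a read accessor; casting away const on the filter callbacks hides a constness mismatch that should be fixed at its source (pass the callbacks as non-const from the decode path, or make the accessor const) rather than papered over. The `SET_HDR_IN_HTTPREQ` macro that follows would be clearer as a small static helper taking the header map, the protobuf map and the header name, which is type-checked and can be stepped through in a debugger.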
Is there no other way to do this? Not a huge fan of macro magic (but it's OK if there's really no other way).
Let me try to make it a function call.
| httpreq->set_protocol(proto2str(sdfc->requestInfo().protocol().value())); | ||
|
|
||
| // Fill in the headers | ||
| ::google::protobuf::Map< ::std::string, ::std::string >* mhdrs = httpreq->mutable_headers(); |
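Review bot: `sdfc->requestInfo().protocol().value()` dereferences the optional without checking that it is set; either guard on it being set and leave the proto field unset otherwise, or add a comment stating why it is guaranteed to be populated by the time this filter runs. Two points on the headers map: `::google::protobuf::Map< ::std::string, ::std::string >` should use Envoy's `Protobuf::Map<std::string, std::string>` alias without the leading `::` and inner spaces, and since a `map<string, string>` holds one value per name, the fill-in that follows needs an explicit, documented policy for repeated headers (which value the authorization server sees), because an authorization decision made on the wrong copy of a duplicated header is a classic bypass.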
|
|
||
|
|
||
| AttributeContext_Request *req = new AttributeContext_Request(); | ||
| ASSERT(req); |
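Review bot: `ASSERT(req)` after `new AttributeContext_Request()` can never fire, since `operator new` throws on allocation failure instead of returning nullptr, and the bare `new` leaves it unclear who deletes the message if this function returns early before it is attached to its parent. Obtain the sub-message through the parent message's `mutable_...()` accessor for that field so protobuf owns its lifetime, and drop the ASSERT.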
| void Instance::setCheckReqGen(CheckRequestGenIntf *crg) | ||
| { | ||
| ASSERT(crg_ == nullptr); | ||
| crg_ = CheckRequestGenIntfPtr{std::move(crg)}; |
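Review bot: `setCheckReqGen(CheckRequestGenIntf *crg)` takes ownership through a raw pointer, and `std::move` on a raw pointer is a no-op, so nothing at the call site shows that the object is being adopted into `crg_` and a caller that also deletes it gets a double free. Accept `CheckRequestGenIntfPtr&&` (or the unique_ptr by value) so the transfer is explicit and the double free is impossible by construction; note also that `ASSERT(crg_ == nullptr)` only guards debug builds against the generator being replaced while in use.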
Please use meaningful field names.
@htuch thanks for the quick turnaround. I'll follow up on the style guide. Still learning and coming up to speed on the Envoy way.
@saumoh please break into 3 PRs:
Thank you!
Sounds good. Will break it into 3. Thx.
@htuch As I am breaking this into three PRs, can you confirm if naming files
Closing this PR; I have broken down the change set into three PRs: PS: I have incorporated the feedback here into the new PRs.
@saumoh Thanks for the contribution. We want to use this to authenticate the request with another gRPC server. Could you share the documentation or steps to use this filter?
@Dineshkumar-cse The proto definitions for the auth server, the TCP filter and the HTTP filter are defined in the data-plane-api repo. The HTTP filters are configured under the
@saumoh We've built the new Envoy binary from But it errors out with the following. Is there anything else we're missing?
@Dineshkumar-cse The filters are still under review.
As per the feedback on #2359 I am breaking it up into three PRs. The patch in this PR adds support for the TCP filter. This PR implements the discussion we had in #2291.
Testing
I have tested this on my local setup with an external gRPC authorization server. I have also added UTs for the TCP filter.
Risk
Low: because only the users of this filter will be impacted, it should not impact the general stability of Envoy itself.
Signed-off-by: Saurabh Mohan <saurabh+github@tigera.io>
Authorization TCP and HTTP filters using an external gRPC service. Patch 2 of 3: HTTP filter.
Description
As per the feedback on #2359 I am breaking it up into three PRs. The patch in this PR adds support for the HTTP filter. This PR implements the discussion we had in #2291.
Testing
I have tested this on my local setup with an external gRPC authorization server. I have also added UTs for the HTTP filter.
Risk
Low: because only the users of this filter will be impacted, it should not impact the general stability of Envoy itself.
Signed-off-by: Saurabh Mohan <saurabh+github@tigera.io>
Title
Support TCP and HTTP filter for external authorization service.
Description
Add support for filters that delegate authorization to an external gRPC-based authorization service. This PR implements the discussion we had in #2291.
Testing
I have tested this on my local setup with an external gRPC authorization server. I have also added UTs for both the HTTP and TCP filters.
Risk
Low: because only the users of this filter will be impacted, it should not impact the general stability of Envoy itself.
Caveats
data-plane-api repo.
Notes to Reviewer
filter_config is being used in the file server/config/http/ext_auth.cc