Return 503 from ext_authz on network failures

[hanyu-liu]

Description: Return 503 from ext_authz on network failures

Risk Level: Low
Testing: CI
Docs Changes: n/a
Release Notes: n/a

Discussion thread: #6119

[dio]

@hanyu-liu thanks for this, but I think you need to put this in the doc too? WDYT @gsagula?

[gsagula]

@hanyu-liu Thanks for this contribution. It looks good overall.

[gsagula]

Just one minor comment based on our conversation in GH issues.

[gsagula]

As per our conversation in GH, please make ServiceUnavailable configurable and default it to false. This way we avoid breaking changes.

[hanyu-liu]

Ah... I thought you said it's okay to hard code 502 as the response :) Seems it's getting more complex than what I thought.

Any idea on the name of the configuration? Any guidance/docs on introducing new configs?

[gsagula]

Sorry, I misread your last comment about hardcode the status. Unfortunatelly, we can't do that. I think something like status_code_on_error, and then let the user decide which status they want would be sufficient.
Normally, the filter config is done here:

envoy/api/envoy/config/filter/http/ext_authz/v2/ext_authz.proto

Line 20 in 741df7a

message ExtAuthz {

[hanyu-liu]

Thanks for the pointer. I searched for the code of "use_alpha" in "ext_authz" - seems a little bit complex. Do you mind working on top of the current change? I'm more than happy to code review your change. @gsagula

[gsagula]

I wouldn't mind doing it, but I can't promise when I will have time.

[hanyu-liu]

Cool! We are blocked by this while integrating Envoy with our (Twilio) gateway. Your help is greatly appreciated!

[hanyu-liu]

@gsagula do you actually think an enum can work well for status_code_on_error? Don't want users to abuse the system by returning like 200, when the ext_authz is down.

[enbohm]

Does this only apply for gRPC authorization servers? I kind of have the same issue but for HTTP authorization servers, would really like to have a proper error code when auth. requests are failing and not a 403 (this issue/question is related to this #5974)

[hanyu-liu]

Does this only apply for gRPC authorization servers? I kind of have the same issue but for HTTP authorization servers, would really like to have a proper error code when auth. requests are failing and not a 403 (this issue/question is related to this #5974)

This fix only applies to gRPC. But I can see the same issue for http.

[gsagula]

@dio It seems that the contributor is not able to finish the PR. I'm not sure what is the procedure here. I can look into this issue when I finish some other Datawire priorities, but it's hard to tell when.

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[hanyu-liu]

@dio @gsagula any updates on it?

[stale]

This pull request has been automatically marked as stale because it has not had activity in the last 7 days. It will be closed in 7 days if no further activity occurs. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!

[stale]

This pull request has been automatically closed because it has not had activity in the last 14 days. Please feel free to give a status update now, ping for review, or re-open when it's ready. Thank you for your contributions!