data-plane-api/envoy/service/auth/v2alpha/external_auth.proto

syntax = "proto3";

package envoy.service.auth.v2alpha;
option go_package = "v2alpha";
option java_generic_services = true;

import "envoy/api/v2/core/base.proto";
import "envoy/type/http_status.proto";
import "envoy/service/auth/v2alpha/attribute_context.proto";

import "google/rpc/status.proto";
import "validate/validate.proto";

// [#protodoc-title: Authorization Service ]

// The authorization service request messages used by external authorization :ref:`network filter
// <config_network_filters_ext_authz>` and :ref:`HTTP filter <config_http_filters_ext_authz>`.

// A generic interface for performing authorization check on incoming
// requests to a networked service.
service Authorization {
  // Performs authorization check based on the attributes associated with the
  // incoming request, and returns status `OK` or not `OK`.
  rpc Check(CheckRequest) returns (CheckResponse);
}

message CheckRequest {
  // The request attributes.
  AttributeContext attributes = 1;
}

// HTTP attributes for a denied response.
message DeniedHttpResponse {
  // This field allows the authorization service to send a HTTP response status
  // code to the downstream client other than 403 (Forbidden).
  envoy.type.HttpStatus status = 1 [(validate.rules).message.required = true];

  // This field allows the authorization service to send HTTP response headers
  // to the the downstream client.
  repeated envoy.api.v2.core.HeaderValueOption headers = 2;

  // This field allows the authorization service to send a response body data
  // to the the downstream client.
  string body = 3;
}

// HTTP attributes for an ok response.
message OkHttpResponse {
  // HTTP entity headers in addition to the original request headers. This allows the authorization
  // service to append, to add or to override headers from the original request before
  // dispatching it to the upstream. By setting `append` field to `true` in the `HeaderValueOption`,
  // the filter will append the correspondent header value to the matched request header. Note that
  // by Leaving `append` as false, the filter will either add a new header, or override an existing
  // one if there is a match.
  repeated envoy.api.v2.core.HeaderValueOption headers = 2;
}

// Intended for gRPC and Network Authorization servers `only`.
message CheckResponse {
  // Status `OK` allows the request. Any other status indicates the request should be denied.
  google.rpc.Status status = 1;

  // An message that contains HTTP response attributes. This message is
  // used when the authorization service needs to send custom responses to the
  // downstream client or, to modify/add request headers being dispatched to the upstream.
  oneof http_response {
    // Supplies http attributes for a denied response.
    DeniedHttpResponse denied_response = 2;

    // Supplies http attributes for an ok response.
    OkHttpResponse ok_response = 3;
  }
}
External auth filter2 (#296) Signed-off-by: Mandar U Jog <mjog@google.com> 7 years ago			`syntax = "proto3";`

authz_filter: configuration to support Ambassador authorization flow (#563) This PR includes the necessary modifications in support of envoyproxy/envoy#2828. Added additional configuration to ext_authz.proto so that the filter is able to call an HTTP/1.1 authorization service. In external_auth.proto, added a nested message to CheckResponse that allows the authorization service to pass additional HTTP response attributes back to the authz filter. Signed-off-by: Gabriel <gsagula@gmail.com> 7 years ago			`package envoy.service.auth.v2alpha;`
			`option go_package = "v2alpha";`
Add java_generic_services option to service proto files (#516) This enables generating generic service stubs for all the data-plane-api proto services when generating Java classes with protoc. This is generally not needed when implementing a gRPC server but in our case we're implementing it behind our legacy protobuf RPC framework which rely on these stubs. As far as I know the only negative with enabling these is generating some potentially unnecessary Java classes. Signed-off-by: Snow Pettersen <snowp@squareup.com> 7 years ago			`option java_generic_services = true;`
External auth filter2 (#296) Signed-off-by: Mandar U Jog <mjog@google.com> 7 years ago
authz_filter: extended ext_authz to support v2alpha api (#3162) This PR extends the current Ext_Authz filter to allow optional HTTP attributes being passed from the Authorization service down to client or, to the upstream services. I would like to get some feedback on the changes to the current gRPC async client and filter before moving to implementation of HTTP part of this extension and tests. *issue: #2828 Risk Level: Medium Testing: Manual, unit testing. Docs Changes: envoyproxy/data-plane-api#563 Signed-off-by: Gabriel <gsagula@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ 5244597e93c70b4945c03a9fc55f8924a2da6fbc 7 years ago			`import "envoy/api/v2/core/base.proto";`
			`import "envoy/type/http_status.proto";`
authz_filter: configuration to support Ambassador authorization flow (#563) This PR includes the necessary modifications in support of envoyproxy/envoy#2828. Added additional configuration to ext_authz.proto so that the filter is able to call an HTTP/1.1 authorization service. In external_auth.proto, added a nested message to CheckResponse that allows the authorization service to pass additional HTTP response attributes back to the authz filter. Signed-off-by: Gabriel <gsagula@gmail.com> 7 years ago			`import "envoy/service/auth/v2alpha/attribute_context.proto";`
Split base API package into sub-packages (#421) Signed-off-by: Kuat Yessenov <kuat@google.com> 7 years ago
External auth filter2 (#296) Signed-off-by: Mandar U Jog <mjog@google.com> 7 years ago			`import "google/rpc/status.proto";`
authz_filter: configuration to support Ambassador authorization flow (#563) This PR includes the necessary modifications in support of envoyproxy/envoy#2828. Added additional configuration to ext_authz.proto so that the filter is able to call an HTTP/1.1 authorization service. In external_auth.proto, added a nested message to CheckResponse that allows the authorization service to pass additional HTTP response attributes back to the authz filter. Signed-off-by: Gabriel <gsagula@gmail.com> 7 years ago			`import "validate/validate.proto";`
External auth filter2 (#296) Signed-off-by: Mandar U Jog <mjog@google.com> 7 years ago
Add documentation for external authorization filter. (#3379) Signed-off-by: Saurabh Mohan <saurabh+github@tigera.io> Mirrored from https://github.com/envoyproxy/envoy @ a2abe7a4fae83cc2ad45700e59f4be52cbd3baac 7 years ago			`// [#protodoc-title: Authorization Service ]`

			// The authorization service request messages used by external authorization :ref:`network filter
			// <config_network_filters_ext_authz>` and :ref:`HTTP filter <config_http_filters_ext_authz>`.

Improve documentation to the AttributeContext (#366) Signed-off-by: Hong Zhang <wora2000@gmail.com> 7 years ago			`// A generic interface for performing authorization check on incoming`
			`// requests to a networked service.`
External auth filter2 (#296) Signed-off-by: Mandar U Jog <mjog@google.com> 7 years ago			`service Authorization {`
Improve documentation to the AttributeContext (#366) Signed-off-by: Hong Zhang <wora2000@gmail.com> 7 years ago			`// Performs authorization check based on the attributes associated with the`
			// incoming request, and returns status `OK` or not `OK`.
External auth filter2 (#296) Signed-off-by: Mandar U Jog <mjog@google.com> 7 years ago			`rpc Check(CheckRequest) returns (CheckResponse);`
			`}`

			`message CheckRequest {`
			`// The request attributes.`
			`AttributeContext attributes = 1;`
			`}`

authz_filter: extended ext_authz to support v2alpha api (#3162) This PR extends the current Ext_Authz filter to allow optional HTTP attributes being passed from the Authorization service down to client or, to the upstream services. I would like to get some feedback on the changes to the current gRPC async client and filter before moving to implementation of HTTP part of this extension and tests. *issue: #2828 Risk Level: Medium Testing: Manual, unit testing. Docs Changes: envoyproxy/data-plane-api#563 Signed-off-by: Gabriel <gsagula@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ 5244597e93c70b4945c03a9fc55f8924a2da6fbc 7 years ago			`// HTTP attributes for a denied response.`
			`message DeniedHttpResponse {`
			`// This field allows the authorization service to send a HTTP response status`
			`// code to the downstream client other than 403 (Forbidden).`
			`envoy.type.HttpStatus status = 1 [(validate.rules).message.required = true];`

			`// This field allows the authorization service to send HTTP response headers`
			`// to the the downstream client.`
			`repeated envoy.api.v2.core.HeaderValueOption headers = 2;`
format: run clang-format on protos again (#3811) I think this broke in a recent refactor. Signed-off-by: Matt Klein <mklein@lyft.com> Mirrored from https://github.com/envoyproxy/envoy @ 866597fcb8cc3cdd53a767d66755506036261f3c 6 years ago
authz_filter: extended ext_authz to support v2alpha api (#3162) This PR extends the current Ext_Authz filter to allow optional HTTP attributes being passed from the Authorization service down to client or, to the upstream services. I would like to get some feedback on the changes to the current gRPC async client and filter before moving to implementation of HTTP part of this extension and tests. *issue: #2828 Risk Level: Medium Testing: Manual, unit testing. Docs Changes: envoyproxy/data-plane-api#563 Signed-off-by: Gabriel <gsagula@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ 5244597e93c70b4945c03a9fc55f8924a2da6fbc 7 years ago			`// This field allows the authorization service to send a response body data`
			`// to the the downstream client.`
			`string body = 3;`
			`}`

			`// HTTP attributes for an ok response.`
			`message OkHttpResponse {`
format: run clang-format on protos again (#3811) I think this broke in a recent refactor. Signed-off-by: Matt Klein <mklein@lyft.com> Mirrored from https://github.com/envoyproxy/envoy @ 866597fcb8cc3cdd53a767d66755506036261f3c 6 years ago			`// HTTP entity headers in addition to the original request headers. This allows the authorization`
authz_filter: extended ext_authz to support v2alpha api (#3162) This PR extends the current Ext_Authz filter to allow optional HTTP attributes being passed from the Authorization service down to client or, to the upstream services. I would like to get some feedback on the changes to the current gRPC async client and filter before moving to implementation of HTTP part of this extension and tests. *issue: #2828 Risk Level: Medium Testing: Manual, unit testing. Docs Changes: envoyproxy/data-plane-api#563 Signed-off-by: Gabriel <gsagula@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ 5244597e93c70b4945c03a9fc55f8924a2da6fbc 7 years ago			`// service to append, to add or to override headers from the original request before`
			// dispatching it to the upstream. By setting `append` field to `true` in the `HeaderValueOption`,
format: run clang-format on protos again (#3811) I think this broke in a recent refactor. Signed-off-by: Matt Klein <mklein@lyft.com> Mirrored from https://github.com/envoyproxy/envoy @ 866597fcb8cc3cdd53a767d66755506036261f3c 6 years ago			`// the filter will append the correspondent header value to the matched request header. Note that`
authz_filter: extended ext_authz to support v2alpha api (#3162) This PR extends the current Ext_Authz filter to allow optional HTTP attributes being passed from the Authorization service down to client or, to the upstream services. I would like to get some feedback on the changes to the current gRPC async client and filter before moving to implementation of HTTP part of this extension and tests. *issue: #2828 Risk Level: Medium Testing: Manual, unit testing. Docs Changes: envoyproxy/data-plane-api#563 Signed-off-by: Gabriel <gsagula@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ 5244597e93c70b4945c03a9fc55f8924a2da6fbc 7 years ago			// by Leaving `append` as false, the filter will either add a new header, or override an existing
			`// one if there is a match.`
			`repeated envoy.api.v2.core.HeaderValueOption headers = 2;`
			`}`

			// Intended for gRPC and Network Authorization servers `only`.
External auth filter2 (#296) Signed-off-by: Mandar U Jog <mjog@google.com> 7 years ago			`message CheckResponse {`
			// Status `OK` allows the request. Any other status indicates the request should be denied.
			`google.rpc.Status status = 1;`
authz_filter: configuration to support Ambassador authorization flow (#563) This PR includes the necessary modifications in support of envoyproxy/envoy#2828. Added additional configuration to ext_authz.proto so that the filter is able to call an HTTP/1.1 authorization service. In external_auth.proto, added a nested message to CheckResponse that allows the authorization service to pass additional HTTP response attributes back to the authz filter. Signed-off-by: Gabriel <gsagula@gmail.com> 7 years ago
authz_filter: extended ext_authz to support v2alpha api (#3162) This PR extends the current Ext_Authz filter to allow optional HTTP attributes being passed from the Authorization service down to client or, to the upstream services. I would like to get some feedback on the changes to the current gRPC async client and filter before moving to implementation of HTTP part of this extension and tests. *issue: #2828 Risk Level: Medium Testing: Manual, unit testing. Docs Changes: envoyproxy/data-plane-api#563 Signed-off-by: Gabriel <gsagula@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ 5244597e93c70b4945c03a9fc55f8924a2da6fbc 7 years ago			`// An message that contains HTTP response attributes. This message is`
authz_filter: configuration to support Ambassador authorization flow (#563) This PR includes the necessary modifications in support of envoyproxy/envoy#2828. Added additional configuration to ext_authz.proto so that the filter is able to call an HTTP/1.1 authorization service. In external_auth.proto, added a nested message to CheckResponse that allows the authorization service to pass additional HTTP response attributes back to the authz filter. Signed-off-by: Gabriel <gsagula@gmail.com> 7 years ago			`// used when the authorization service needs to send custom responses to the`
			`// downstream client or, to modify/add request headers being dispatched to the upstream.`
authz_filter: extended ext_authz to support v2alpha api (#3162) This PR extends the current Ext_Authz filter to allow optional HTTP attributes being passed from the Authorization service down to client or, to the upstream services. I would like to get some feedback on the changes to the current gRPC async client and filter before moving to implementation of HTTP part of this extension and tests. *issue: #2828 Risk Level: Medium Testing: Manual, unit testing. Docs Changes: envoyproxy/data-plane-api#563 Signed-off-by: Gabriel <gsagula@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ 5244597e93c70b4945c03a9fc55f8924a2da6fbc 7 years ago			`oneof http_response {`
			`// Supplies http attributes for a denied response.`
			`DeniedHttpResponse denied_response = 2;`
format: run clang-format on protos again (#3811) I think this broke in a recent refactor. Signed-off-by: Matt Klein <mklein@lyft.com> Mirrored from https://github.com/envoyproxy/envoy @ 866597fcb8cc3cdd53a767d66755506036261f3c 6 years ago
authz_filter: extended ext_authz to support v2alpha api (#3162) This PR extends the current Ext_Authz filter to allow optional HTTP attributes being passed from the Authorization service down to client or, to the upstream services. I would like to get some feedback on the changes to the current gRPC async client and filter before moving to implementation of HTTP part of this extension and tests. *issue: #2828 Risk Level: Medium Testing: Manual, unit testing. Docs Changes: envoyproxy/data-plane-api#563 Signed-off-by: Gabriel <gsagula@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ 5244597e93c70b4945c03a9fc55f8924a2da6fbc 7 years ago			`// Supplies http attributes for an ok response.`
			`OkHttpResponse ok_response = 3;`
authz_filter: configuration to support Ambassador authorization flow (#563) This PR includes the necessary modifications in support of envoyproxy/envoy#2828. Added additional configuration to ext_authz.proto so that the filter is able to call an HTTP/1.1 authorization service. In external_auth.proto, added a nested message to CheckResponse that allows the authorization service to pass additional HTTP response attributes back to the authz filter. Signed-off-by: Gabriel <gsagula@gmail.com> 7 years ago			`}`
External auth filter2 (#296) Signed-off-by: Mandar U Jog <mjog@google.com> 7 years ago			`}`