[READ ONLY MIRROR] Envoy REST/proto API definitions and documentation. (gRPC dependency)

48 lines
1.6 KiB

redis_proxy: add support for external authentication (#35643)

resolves #35673

## PR overview

Redis proxy users may want to create advanced authentication methods. For example, the official [Azure SDK extension for Redis](https://github.com/Azure/Microsoft.Azure.StackExchangeRedis) allows authenticating to a Redis server using Microsoft Entra ID token-based authentication, by passing a token in the password argument of the `AUTH` command periodically, based on token expiration. This PR introduces a way to support external authentication via a gRPC service with additional support for expiry of such authentication (e.g. for token-based authentication). This way we keep it extensible for **any** advanced authentication methods users might want to develop.

### The reviewer may ask: Why not use the _ext_authz_ filter?

The cost/latency impact by using the _ext_authz_ filter is much bigger than the proposed design. That's because instead of being called on every request, the current design only calls the external dependency on **AUTH** commands. Not only that, but also we would have to decode the Redis protocol twice, if we used a separate filter.

---

Risk Level: Medium (small optional feature added to existing filter)

Testing: ✅
- Unit Tests
- Integration Tests
- Manual Testing ![image](https://github.com/user-attachments/assets/3caab358-7c37-446d-8e12-bff9c1442948)
- Also, we are already using the signed _-dev_ build on a test AKS cluster

Docs Changes: ✅
- Proto docs ![image](https://github.com/user-attachments/assets/1432114f-ff93-431a-90ad-1c1262989e8c)
- Updated authentication-related information on the Redis protocol page.

Release Notes: ✅

---------

Signed-off-by: Diogo Barbosa <diogobarbosa@microsoft.com>
Signed-off-by: Diogo Barbosa <pessoal.dbarbosa@gmail.com>

Mirrored from https://github.com/envoyproxy/envoy @ 67b69c9038402b88953a2ab171ae38cab5cb23ab
3 months ago
syntax = "proto3";

package envoy.service.redis_auth.v3;

import "google/protobuf/timestamp.proto";
import "google/rpc/status.proto";

import "udpa/annotations/status.proto";

option java_package = "io.envoyproxy.envoy.service.redis_auth.v3";
option java_outer_classname = "RedisExternalAuthProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/redis_auth/v3;redis_authv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;

// [#protodoc-title: Redis external authentication service]

// The messages used by the redis_proxy filter when performing external authentication.

// A generic interface for performing external password authentication on incoming AUTH commands.
service RedisProxyExternalAuth {
  // Performs authentication check based on the data sent with the AUTH request.
  // Returns either an OK status or an error status.
  rpc Authenticate(RedisProxyExternalAuthRequest) returns (RedisProxyExternalAuthResponse) {
  }
}

message RedisProxyExternalAuthRequest {
  // Username, if applicable. Otherwise, empty.
  string username = 1;

  // Password sent with the AUTH command.
  string password = 2;
}

message RedisProxyExternalAuthResponse {
  // Status of the authentication check.
  google.rpc.Status status = 1;

  // Optional expiration time for the authentication.
  // If set, the authentication will be valid until this time.
  // If not set, the authentication will be valid indefinitely.
  google.protobuf.Timestamp expiration = 2;

  // Optional message to be sent back to the client.
  string message = 3;
}
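
The following is an added example, not code from the Envoy repository: one way the decision logic behind `Authenticate` could validate an expiring token passed as the AUTH password and fill `status`, `expiration` and `message`. The structs mirror the proto messages locally instead of using generated stubs, and the token format `<unix-expiry>.<hex HMAC-SHA256>`, the `sign` helper and the key are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// Local mirrors of the proto messages; a real server would use generated stubs.
type AuthRequest struct{ Username, Password string }
type AuthResponse struct {
	Code       int32     // google.rpc.Code: 0 = OK, 16 = UNAUTHENTICATED
	Expiration time.Time // zero value = not set (valid indefinitely)
	Message    string    // sent back to the client, so keep it generic
}

// sign computes the tag of the assumed token format "<unix-expiry>.<hex HMAC>".
func sign(key []byte, user string, exp int64) string {
	m := hmac.New(sha256.New, key)
	fmt.Fprintf(m, "%s\n%d", user, exp)
	return hex.EncodeToString(m.Sum(nil))
}

// Authenticate treats the AUTH password as a signed, expiring token.
func Authenticate(key []byte, req AuthRequest, now time.Time) AuthResponse {
	deny := AuthResponse{Code: 16, Message: "invalid credentials"}
	expStr, tag, ok := strings.Cut(req.Password, ".")
	exp, err := strconv.ParseInt(expStr, 10, 64)
	if !ok || err != nil {
		return deny
	}
	// Constant-time tag check first; only then trust the expiry it covers.
	if !hmac.Equal([]byte(tag), []byte(sign(key, req.Username, exp))) {
		return deny
	}
	if !now.Before(time.Unix(exp, 0)) {
		return deny // expired token: same generic answer as a bad tag
	}
	return AuthResponse{Code: 0, Expiration: time.Unix(exp, 0), Message: "OK"}
}

func main() { // constructed key and token, for demonstration only
	key, exp := []byte("constructed-demo-key"), time.Now().Unix()+300
	pw := fmt.Sprintf("%d.%s", exp, sign(key, "app", exp))
	fmt.Printf("%+v\n", Authenticate(key, AuthRequest{"app", pw}, time.Now()))
}
```

Because `password` carries the raw credential, a service like this should keep it out of logs and traces, and the gRPC channel to it should be protected accordingly.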