extauth: Add route config for http ExtAuth filter (ability to disable; modify context extensions) (#4878)

Added an ability to add context extensions on a per virtualhost oute\weighted-cluster to the ext auth filter. This will allow adding custom extra data to the check request on a per-route basis. This can be used to create a more sophisticated authorization policy. Risk Level: Low-Medium (opt-in, no impact for existing users) Testing: Added unit tests to new code; manual testing. Docs Changes: added usage example in docs/root/configuration/http_filters/ext_authz_filter.rst Release Notes: added notes to version_history.rst Signed-off-by: Yuval Kohavi <yuval.kohavi@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ 15c5befd43fb9ee9b145cc87e507beb801726316
6 years ago · 26ae6e39fa
parent d2379a786f
commit 26ae6e39fa
1 changed files with 35 additions and 0 deletions
--- a/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
+++ b/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
@ -7,6 +7,8 @@ import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/core/grpc_service.proto";
 import "envoy/api/v2/core/http_uri.proto";

+import "validate/validate.proto";
+
 // [#protodoc-title: External Authorization ]
 // The external authorization service configuration
 // :ref:`configuration overview <config_http_filters_ext_authz>`.
@ -88,3 +90,36 @@ message HttpService {
  // authorization server. Note that these will override the headers coming from the downstream.
  repeated envoy.api.v2.core.HeaderValue authorization_headers_to_add = 6;
 }
+
+// Extra settings on a per virtualhost/route/weighter-cluster level.
+message ExtAuthzPerRoute {
+  oneof override {
+    option (validate.required) = true;
+
+    // Disable the ext auth filter for this particular vhost or route.
+    // If disabled is specified in multiple per-filter-configs, the most specific one will be used.
+    bool disabled = 1 [(validate.rules).bool.const = true];
+
+    // Check request settings for this route.
+    CheckSettings check_settings = 2 [(validate.rules).message.required = true];
+  }
+}
+
+// Extra settings for the check request. You can use this to provide extra context for the
+// ext-authz server on specific virtual hosts \ routes. For example, adding a context extension on
+// the virtual host level can give the ext-authz server information on what virtual host is used
+// without needing to parse the host header.
+// If CheckSettings is specified in multiple per-filter-configs, they will be merged in order,
+// and the result will be be used.
+message CheckSettings {
+  // Context extensions to set on the CheckRequest's
+  // :ref:`AttributeContext.context_extensions<envoy_api_field_service.auth.v2alpha.AttributeContext.context_extensions>`
+  //
+  // Merge semantics for this field are such that keys from more specific configs override.
+  //
+  // .. note::
+  //
+  //   These settings are only applied to a filter configured with a
+  //   :ref:`grpc_service<envoy_api_field_config.filter.http.ext_authz.v2alpha.ExtAuthz.grpc_service>`.
+  map<string, string> context_extensions = 1;
+}