extauth: Add route config for http ExtAuth filter (ability to disable; modify context extensions) (#4878)

Added an ability to add context extensions on a per virtualhost oute\weighted-cluster to the ext auth filter. This will allow adding custom extra data to the check request on a per-route basis. This can be used to create a more sophisticated authorization policy. Risk Level: Low-Medium (opt-in, no impact for existing users) Testing: Added unit tests to new code; manual testing. Docs Changes: added usage example in docs/root/configuration/http_filters/ext_authz_filter.rst Release Notes: added notes to version_history.rst Signed-off-by: Yuval Kohavi <yuval.kohavi@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ 15c5befd43fb9ee9b145cc87e507beb801726316
6 years ago · 26ae6e39fa
parent d2379a786f
commit 26ae6e39fa
1 changed files with 35 additions and 0 deletions
--- a/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
+++ b/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
@ -7,6 +7,8 @@ import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/core/grpc_service.proto";
 import "envoy/api/v2/core/http_uri.proto";
 import "validate/validate.proto";
 // [#protodoc-title: External Authorization ]
 // The external authorization service configuration
 // :ref:`configuration overview <config_http_filters_ext_authz>`.
@ -88,3 +90,36 @@ message HttpService {
  // authorization server. Note that these will override the headers coming from the downstream.
  repeated envoy.api.v2.core.HeaderValue authorization_headers_to_add = 6;
 }
 // Extra settings on a per virtualhost/route/weighter-cluster level.
 message ExtAuthzPerRoute {
  oneof override {
    option (validate.required) = true;
    // Disable the ext auth filter for this particular vhost or route.
    // If disabled is specified in multiple per-filter-configs, the most specific one will be used.
    bool disabled = 1 [(validate.rules).bool.const = true];
    // Check request settings for this route.
    CheckSettings check_settings = 2 [(validate.rules).message.required = true];
  }
 }
 // Extra settings for the check request. You can use this to provide extra context for the
 // ext-authz server on specific virtual hosts \ routes. For example, adding a context extension on
 // the virtual host level can give the ext-authz server information on what virtual host is used
 // without needing to parse the host header.
 // If CheckSettings is specified in multiple per-filter-configs, they will be merged in order,
 // and the result will be be used.
 message CheckSettings {
  // Context extensions to set on the CheckRequest's
  // :ref:`AttributeContext.context_extensions<envoy_api_field_service.auth.v2alpha.AttributeContext.context_extensions>`
  //
  // Merge semantics for this field are such that keys from more specific configs override.
  //
  // .. note::
  //
  //   These settings are only applied to a filter configured with a
  //   :ref:`grpc_service<envoy_api_field_config.filter.http.ext_authz.v2alpha.ExtAuthz.grpc_service>`.
  map<string, string> context_extensions = 1;
 }