ext_authz: add dynamic_metadata_matchers and use them in the ext_authz HTTP implementation (#17895)

This allows for dynamic metadata when using an HTTP authorization service. Currently, it is only possible to set dynamic metadata using a gRPC authorization service. Risk Level: low, new opt-in feature in an extension Testing: unit tests Docs Changes: proto definitions documented Release Notes: ext_authz: added :ref:dynamic_metadata_from_headers <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.AuthorizationResponse.dynamic_metadata_from_headers> to support emitting dynamic metadata from headers returned by an external authorization service via HTTP. Signed-off-by: John Esmet <john.esmet@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ 31f48ee7a3c32ed383b46c8940263af9dc9bdcd4
3 years ago · 547e1f7432
parent 06d7cd1e7d
commit 547e1f7432
1 changed files with 10 additions and 0 deletions
--- a/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
+++ b/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
@ -244,6 +244,7 @@ message AuthorizationRequest {
  repeated config.core.v3.HeaderValue headers_to_add = 2;
 }

+// [#next-free-field: 6]
 message AuthorizationResponse {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.filter.http.ext_authz.v2.AuthorizationResponse";
@ -270,6 +271,15 @@ message AuthorizationResponse {
  // the authorization response itself is successful, i.e. not failed or denied. When this list is
  // *not* set, no additional headers will be added to the client's response on success.
  type.matcher.v3.ListStringMatcher allowed_client_headers_on_success = 4;
+
+  // When this :ref:`list <envoy_v3_api_msg_type.matcher.v3.ListStringMatcher>` is set, authorization
+  // response headers that have a correspondent match will be emitted as dynamic metadata to be consumed
+  // by the next filter. This metadata lives in a namespace specified by the canonical name of extension filter
+  // that requires it:
+  //
+  // - :ref:`envoy.filters.http.ext_authz <config_http_filters_ext_authz_dynamic_metadata>` for HTTP filter.
+  // - :ref:`envoy.filters.network.ext_authz <config_network_filters_ext_authz_dynamic_metadata>` for network filter.
+  type.matcher.v3.ListStringMatcher dynamic_metadata_from_headers = 5;
 }

 // Extra settings on a per virtualhost/route/weighted-cluster level.