diff --git a/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto b/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
index 2e3297f8..67e49280 100644
--- a/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
+++ b/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
@@ -32,7 +32,7 @@ message ExtAuthz {
 // The filter's behaviour in case the external authorization service does
 // not respond back. When it is set to true, Envoy will also allow traffic in case of
- // communication failure between authorization service and the proxy.
+ // an error occurs during the authorization process.
 // Defaults to false.
 bool failure_mode_allow = 2;
 }
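Review bot: The new wording `in case of an error occurs during the authorization process` does not parse — "in case of" takes a noun and "in case" takes a clause — so the field doc on the added line reads worse than the line it replaces. I would rewrite the two affected lines as `// not respond back. When it is set to true, Envoy will also allow traffic when an error` / `// occurs during the authorization process (fail open).`, keeping the line width the file already uses. Since `true` here means an unreachable or erroring authorization server admits every request without a check, that trade-off deserves to be stated on this field, where an operator enabling it will read it, rather than only in the longer HttpService comment elsewhere in this commit.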
@@ -46,10 +46,23 @@ message ExtAuthz {
 // in the authorization response should be sent to the upstream. See *allowed_authorization_headers*
 // bellow.
 //
-// A failed check will cause this filter to close the HTTP request normally with 403 (Forbidden),
+// A failed check will cause this filter to close the HTTP request with 403 (Forbidden),
 // unless a different status code has been indicated by the authorization server via response
-// headers. If other headers in the authorization response need to be sent to client, this can also
-// be done by specifying them in *allowed_authorization_headers*.
+// headers.
+//
+// If an error happens during the checking process, two situations may occur depending on the
+// filter's configuration:
+//
+// 1. When *failure_mode_allow* is true, traffic will be allowed in the presence of an error. This
+// includes any of the HTTP 5xx errors, or a communication failure between the filter and the
+// authorization server.
+// 2. When *failure_mode_allow* is false, the filter will *always* return a *Forbidden response* to
+// the client. It will *not allow* traffic to the upstream in the presence of an error. This
+// includes any of the HTTP 5xx errors, or a communication failure between the filter and the
+// authorization server.
+//
+// Note that filter will produce stats on error. See *Statistics* at :ref:`configuration overview `.
 message HttpService {
 // Sets the HTTP server URI which the authorization requests must be sent to.
 envoy.api.v2.core.HttpUri server_uri = 1;
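Review bot: The two new numbered cases class every HTTP 5xx from the authorization server as an error, but the sentence just above them still says a failed check yields 403 `unless a different status code has been indicated by the authorization server`, so a reader cannot tell whether a 5xx is a forwarded denial status or an error handled according to *failure_mode_allow*. I would qualify that context line, e.g. `// unless a different (non-5xx) status code has been indicated by the authorization server via response`, provided that matches the filter's actual behaviour, which the proto alone does not show. Case 1 is also worth naming for what it is from a security standpoint: any bug or overload that makes the authorization server answer 5xx becomes an authorization bypass, so the closing note should advise alerting on the error stats rather than merely mentioning that they exist. Minor: the unchanged context line still spells `bellow`, and the `:ref:` at the end of the added text appears to have lost its target, though that may be an extraction artefact rather than the commit's text.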