From 76a6a891fbdf9197ed77ca5f8064ee17b6093d5a Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)"
Date: Mon, 17 Sep 2018 15:38:28 +0000
Subject: [PATCH] bug_fix: modified HTTP and gRPC clients to support response status on client error (#4199)

Ext_Authz HTTP client has been modified so that 5xx errors received from the authorization server will set the filter response status to error instead of denied and HTTP status code field to Forbidden. The gRPC client has been also modified in order to return HTTP status code Forbidden whenever an error between the client and the authorization server occurs.
Risk Level: low
Testing: unit tests, manual tests.
Docs Changes: not needed.
Fixes issue: #4124.
Signed-off-by: Gabriel
Mirrored from https://github.com/envoyproxy/envoy @ d646949e0534557084196dea850c26599e53f1b8
---
 .../http/ext_authz/v2alpha/ext_authz.proto | 21 +++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)
diff --git a/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto b/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
index 2e3297f8..67e49280 100644
--- a/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
+++ b/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
@@ -32,7 +32,7 @@ message ExtAuthz {
 // The filter's behaviour in case the external authorization service does
 // not respond back. When it is set to true, Envoy will also allow traffic in case of
- // communication failure between authorization service and the proxy.
+ // an error occurs during the authorization process.
 // Defaults to false.
 bool failure_mode_allow = 2;
 }
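Review bot: The reworded line on `failure_mode_allow` reads "in case of an error occurs", which is ungrammatical, and it no longer says what counts as an error. The first sentence of the comment still describes only a service that "does not respond back", while the HttpService comment later in this patch counts HTTP 5xx responses from the authorization server as errors too. Because this field decides whether requests pass without an authorization verdict, the definition belongs on the field itself, for example `// When set to true, Envoy also allows traffic if the authorization check ends in an error` followed by `// (a communication failure or an HTTP 5xx response from the authorization server).` The `ExtAuthz` message begins outside this hunk.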
@@ -46,10 +46,23 @@ message ExtAuthz {
 // in the authorization response should be sent to the upstream. See *allowed_authorization_headers*
 // bellow.
 //
-// A failed check will cause this filter to close the HTTP request normally with 403 (Forbidden),
+// A failed check will cause this filter to close the HTTP request with 403 (Forbidden),
 // unless a different status code has been indicated by the authorization server via response
-// headers. If other headers in the authorization response need to be sent to client, this can also
-// be done by specifying them in *allowed_authorization_headers*.
+// headers.
+//
+// If an error happens during the checking process, two situations may occur depending on the
+// filter's configuration:
+//
+// 1. When *failure_mode_allow* is true, traffic will be allowed in the presence of an error. This
+// includes any of the HTTP 5xx errors, or a communication failure between the filter and the
+// authorization server.
+// 2. When *failure_mode_allow* is false, the filter will *always* return a *Forbidden response* to
+// the client. It will *not allow* traffic to the upstream in the presence of an error. This
+// includes any of the HTTP 5xx errors, or a communication failure between the filter and the
+// authorization server.
+//
+// Note that filter will produce stats on error. See *Statistics* at :ref:`configuration overview
+// `.
 message HttpService {
 // Sets the HTTP server URI which the authorization requests must be sent to.
 envoy.api.v2.core.HttpUri server_uri = 1;
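Review bot: Case 1 documents that any HTTP 5xx from the authorization server lets the request through when *failure_mode_allow* is true, but it never says that this is a fail-open configuration. An authorization server that is overloaded, restarting or misconfigured then stops gating traffic, and a server that signals refusal with a 5xx status would be read as an error rather than a denial. I would add after the list something like `// Enabling *failure_mode_allow* trades enforcement for availability; operators should alert on the` and `// filter's error stats so that requests allowed without a verdict do not go unnoticed.` The hunk also removes the sentence about sending other authorization-response headers to the client through *allowed_authorization_headers*; if that behaviour is unchanged, the sentence should stay. Minor: "Note that filter" should read "Note that the filter".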