Chiebot-Mirror
/
data-plane-api
mirror of https://github.com/envoyproxy/data-plane-api.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity

bug_fix: modified HTTP and gRPC clients to support response status on client error (#4199)

Browse Source 
Ext_Authz HTTP client has been modified so that 5xx errors received from the authorization server will set the filter response status to error instead of denied and HTTP status code field to Forbidden. The gRPC client has been also modified in order to return HTTP status code Forbidden whenever an error between the client and the authorization server occurs.

Risk Level: low
Testing: unit tests, manual tests.
Docs Changes: not needed.
Fixes issue: #4124.

Signed-off-by: Gabriel <gsagula@gmail.com>

Mirrored from https://github.com/envoyproxy/envoy @ d646949e0534557084196dea850c26599e53f1b8
pull/620/head
data-plane-api(CircleCI) 6 years ago
parent 033eb6ab9b
commit 76a6a891fb
1 changed files with 17 additions and 4 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 21
      envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto

21
envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
Unescape View File

@ -32,7 +32,7 @@ message ExtAuthz {
// The filter's behaviour in case the external authorization service does // The filter's behaviour in case the external authorization service does
// not respond back. When it is set to true, Envoy will also allow traffic in case of // not respond back. When it is set to true, Envoy will also allow traffic in case of
// communication failure between authorization service and the proxy. // an error occurs during the authorization process.
// Defaults to false. // Defaults to false.
bool failure_mode_allow = 2; bool failure_mode_allow = 2;
} }
@ -46,10 +46,23 @@ message ExtAuthz {
// in the authorization response should be sent to the upstream. See *allowed_authorization_headers* // in the authorization response should be sent to the upstream. See *allowed_authorization_headers*
// bellow. // bellow.
// //
// A failed check will cause this filter to close the HTTP request normally with 403 (Forbidden), // A failed check will cause this filter to close the HTTP request with 403 (Forbidden),
// unless a different status code has been indicated by the authorization server via response // unless a different status code has been indicated by the authorization server via response
// headers. If other headers in the authorization response need to be sent to client, this can also // headers.
// be done by specifying them in *allowed_authorization_headers*. //
// If an error happens during the checking process, two situations may occur depending on the
// filter's configuration:
//
// 1. When *failure_mode_allow* is true, traffic will be allowed in the presence of an error. This
// includes any of the HTTP 5xx errors, or a communication failure between the filter and the
// authorization server.
// 2. When *failure_mode_allow* is false, the filter will *always* return a *Forbidden response* to
// the client. It will *not allow* traffic to the upstream in the presence of an error. This
// includes any of the HTTP 5xx errors, or a communication failure between the filter and the
// authorization server.
//
// Note that filter will produce stats on error. See *Statistics* at :ref:`configuration overview
// <config_http_filters_ext_authz>`.
message HttpService { message HttpService {
// Sets the HTTP server URI which the authorization requests must be sent to. // Sets the HTTP server URI which the authorization requests must be sent to.
envoy.api.v2.core.HttpUri server_uri = 1; envoy.api.v2.core.HttpUri server_uri = 1;

Write Preview
Loading…
Cancel
Save