bug_fix: modified HTTP and gRPC clients to support response status on client error (#4199)

Ext_Authz HTTP client has been modified so that 5xx errors received from the authorization server will set the filter response status to error instead of denied and HTTP status code field to Forbidden. The gRPC client has been also modified in order to return HTTP status code Forbidden whenever an error between the client and the authorization server occurs. Risk Level: low Testing: unit tests, manual tests. Docs Changes: not needed. Fixes issue: #4124. Signed-off-by: Gabriel <gsagula@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ d646949e0534557084196dea850c26599e53f1b8
6 years ago · 76a6a891fb
parent 033eb6ab9b
commit 76a6a891fb
1 changed files with 17 additions and 4 deletions
--- a/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
+++ b/envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto
@ -32,7 +32,7 @@ message ExtAuthz {

  // The filter's behaviour in case the external authorization service does
  // not respond back. When it is set to true, Envoy will also allow traffic in case of
-  // communication failure between authorization service and the proxy.
+  // an error occurs during the authorization process.
  // Defaults to false.
  bool failure_mode_allow = 2;
 }
@ -46,10 +46,23 @@ message ExtAuthz {
 // in the authorization response should be sent to the upstream. See *allowed_authorization_headers*
 // bellow.
 //
-// A failed check will cause this filter to close the HTTP request normally with 403 (Forbidden),
+// A failed check will cause this filter to close the HTTP request with 403 (Forbidden),
 // unless a different status code has been indicated by the authorization server via response
-// headers. If other headers in the authorization response need to be sent to client, this can also
-// be done by specifying them in *allowed_authorization_headers*.
+// headers.
+//
+// If an error happens during the checking process, two situations may occur depending on the
+// filter's configuration:
+//
+//  1. When *failure_mode_allow* is true, traffic will be allowed in the presence of an error. This
+//     includes any of the HTTP 5xx errors, or a communication failure between the filter and the
+//     authorization server.
+//  2. When *failure_mode_allow* is false, the filter will *always* return a *Forbidden response* to
+//     the client. It will *not allow* traffic to the upstream in the presence of an error. This
+//     includes any of the HTTP 5xx errors, or a communication failure between the filter and the
+//     authorization server.
+//
+// Note that filter will produce stats on error. See *Statistics* at :ref:`configuration overview
+// <config_http_filters_ext_authz>`.
 message HttpService {
  // Sets the HTTP server URI which the authorization requests must be sent to.
  envoy.api.v2.core.HttpUri server_uri = 1;