Propagate route metadata in ext_authz (#30477)

Add the ability to ext_authz that collect specified namespaces from route metadata, and propagate them to external auth service. #30252 The instruction of what namespace to select from route metadata, and the field in CheckRequest where the metadata context from route is filled are totally separate from those metadata context from connection or request. Risk Level: Low Testing: Unit tests Signed-off-by: Yujian Zhao <zhaosukima@gmail.com> Mirrored from https://github.com/envoyproxy/envoy @ 6b78796398528e6d9d5c60c24ab1f54bdc57db8e
1 year ago · 922fdd9031
parent 63e9afff0e
commit 922fdd9031
2 changed files with 17 additions and 2 deletions
--- a/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
+++ b/envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
@ -28,7 +28,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 // [#extension: envoy.filters.http.ext_authz]

-// [#next-free-field: 21]
+// [#next-free-field: 23]
 message ExtAuthz {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.filter.http.ext_authz.v2.ExtAuthz";
@ -120,6 +120,18 @@ message ExtAuthz {
  //
  repeated string typed_metadata_context_namespaces = 16;

+  // Specifies a list of route metadata namespaces whose values, if present, will be passed to the
+  // ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
+  // :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
+  // :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
+  repeated string route_metadata_context_namespaces = 21;
+
+  // Specifies a list of route metadata namespaces whose values, if present, will be passed to the
+  // ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
+  // :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
+  // :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as an ``protobuf::Any``.
+  repeated string route_typed_metadata_context_namespaces = 22;
+
  // Specifies if the filter is enabled.
  //
  // If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
--- a/envoy/service/auth/v3/attribute_context.proto
+++ b/envoy/service/auth/v3/attribute_context.proto
@ -38,7 +38,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // - field mask to send
 // - which return values from request_context are copied back
 // - which return values are copied into request_headers]
-// [#next-free-field: 13]
+// [#next-free-field: 14]
 message AttributeContext {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.service.auth.v2.AttributeContext";
@ -183,6 +183,9 @@ message AttributeContext {
  // Dynamic metadata associated with the request.
  config.core.v3.Metadata metadata_context = 11;

+  // Metadata associated with the selected route.
+  config.core.v3.Metadata route_metadata_context = 13;
+
  // TLS session details of the underlying connection.
  // This is not populated by default and will be populated if ext_authz filter's
  // :ref:`include_tls_session <config_http_filters_ext_authz>` is set to true.