Add support for dynamic metadata in http ext authz #4163

Open
nothinux opened this issue Sep 5, 2024 · 3 comments · May be fixed by #4164
nothinux commented Sep 5, 2024

Description:
We have a use case that requires emitting specific information from the external authz service into the logs, and this can be achieved using dynamic metadata. In the gRPC `ext_authz`, dynamic metadata can be included directly as part of `CheckResponse`. However, in the HTTP `ext_authz`, the only method to pass this information is by sending it as response headers, which are then emitted via `dynamic_metadata_from_headers`.

It would be great if the `dynamic_metadata_from_headers` field could be exposed.

Proposal:
In the current implementation, `allowed_upstream_headers` is already implemented as `headersToBackend` with support for the exact match type only. We can extend the functionality to include `dynamic_metadata_from_headers` to support this.

`headersToMetadata` seems like a suitable option for `dynamic_metadata_from_headers`. However, I welcome any feedback and suggestions.

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: ext-auth-example
spec:
  extAuth:
    failOpen: false
    http:
      backendRefs:
      - group: ""
        kind: Service
        name: http-ext-auth
        port: 9002
      headersToMetadata:
      - x-user-id
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: backend
```

arkodg commented Sep 5, 2024

can this be achieved today by `headersToBackend` and then removing the header using `RequestHeaderModifier` filter https://gateway-api.sigs.k8s.io/guides/http-header-modifier/#http-request-header-modifier?

nothinux commented

@arkodg yes, it can be achieved with that approach. However, we won't be able to retrieve the `ext_authz_duration` data, since it's only available when `dynamic_metadata_from_headers` is set. We need that data to monitor the time taken to complete the authorization process for each request.

arkodg commented Sep 11, 2024

this feels like an advanced use case, I suggest using https://gateway.envoyproxy.io/docs/tasks/extensibility/envoy-patch-policy/ to achieve this
let's keep this issue open to see if others in the community are also interested in this
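
For reference, the Envoy-level settings this thread is about, as an added example that is not part of the issue or of Envoy Gateway's generated configuration: the HTTP `ext_authz` filter with `dynamic_metadata_from_headers` set, and an access-log format that reads the resulting metadata. The cluster name, timeout, and log line layout are assumptions; the service name, port, and `x-user-id` header are taken from the proposal above.

```yaml
# Fragment 1: entry in the HTTP connection manager's http_filters list.
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    failure_mode_allow: false            # fail closed, like failOpen: false
    http_service:
      server_uri:
        uri: http://http-ext-auth:9002   # service and port from the proposal
        cluster: http-ext-auth-cluster   # assumed (hypothetical) cluster name
        timeout: 1s                      # assumed value
      authorization_response:
        # Authz response headers copied onto the request sent upstream
        # (what headersToBackend maps to, per the issue).
        allowed_upstream_headers:
          patterns:
          - exact: x-user-id
        # Authz response headers stored as dynamic metadata in the
        # envoy.filters.http.ext_authz namespace. They are not forwarded
        # to the backend unless also listed above.
        dynamic_metadata_from_headers:
          patterns:
          - exact: x-user-id

# Fragment 2: access_log entry on the same HTTP connection manager.
# Reads the header value and the ext_authz_duration key discussed in the
# thread from the filter's dynamic metadata namespace.
- name: envoy.access_loggers.file
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
    path: /dev/stdout
    log_format:
      text_format_source:
        inline_string: >
          [%START_TIME%] "%REQ(:METHOD)% %REQ(:PATH)%" %RESPONSE_CODE%
          user_id=%DYNAMIC_METADATA(envoy.filters.http.ext_authz:x-user-id)%
          authz_ms=%DYNAMIC_METADATA(envoy.filters.http.ext_authz:ext_authz_duration)%
```

Only headers matched by `dynamic_metadata_from_headers` end up in logs this way, so the authorization service should return values there that are safe to log rather than tokens or other secrets.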
