Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Feature Request] Return the external auth service response body when 401, 403 or other error occurs #12211

Open
liukun2634 opened this issue Oct 19, 2024 · 1 comment
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@liukun2634
Copy link

Description

Currently, ingress-nginx does not return the response body from the auth service when a 401, 403 or other error occurs. This feature request suggests adding a flag to enable this functionality. By returning the response body, users can have a better understanding of why their request was denied and what steps they can take to resolve the issue.
 
Why we really need this feature
 
We are using external auth serive with the keepalive feature enabled:

# ingress-nginx version 1.9.6
nginx.ingress.kubernetes.io/auth-url: "http://authenticationservice.com"
nginx.ingress.kubernetes.io/auth-keepalive: "500"
nginx.ingress.kubernetes.io/auth-keepalive-requests: "10000"
nginx.ingress.kubernetes.io/auth-keepalive-timeout: "100"
nginx.ingress.kubernetes.io/auth-method: POST
nginx.ingress.kubernetes.io/auth-response-headers: Authorization

 
To return the auth service response body, we have attempted several workarounds, such as:

However, none of these workarounds are effective for the keepalive case, as the keepalive has its own implementation and already using access_by_lua_block in nginx template file. Those workaround would result in lua block duplicate definition errors.

# `auth_request` module does not support HTTP keepalives in upstream block:
# https://trac.nginx.org/nginx/ticket/1579
access_by_lua_block {
    local res = ngx.location.capture(..) 
    ...
    end
    if res.status == ngx.HTTP_UNAUTHORIZED or res.status == ngx.HTTP_FORBIDDEN then
        ngx.exit(res.status)
    end
    ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
}

Therefore, we can only make changes for the access_by_lua_block in nginx template file to return the response body. This is why we are requesting this feature.

Implementation

Introduce a new flag (e.g., auth-return-response-body or auth-keepalive-return-response-body for keepalive specific) in the ingress-nginx annotation. When this flag is enabled, ingress-nginx will return the response body from the external authentication service in the response to the client when a 401, 403 or others error occurs.

For the keepalive scenario, maybe we add ngx.say(res.body) before nginx.exit(res.status) in nginx template file.
 
For the non-keepalive scenario, other workarounds can be used, such as adding the access_by_lua_block when the flag is enabled, or using the same authentication method as the keepalive does.
 
Additional Context
 
This feature could significantly useful for our scenario. If you think this feature is a appropriate request, I'm also willing to contribute to its implementation.
 
If you think this is an invalid requirement, I would appreciate any alternative solutions you might suggest to return the response body for keepalive case.

@liukun2634 liukun2634 added the kind/feature Categorizes issue or PR as related to a new feature. label Oct 19, 2024
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Oct 19, 2024
@k8s-ci-robot
Copy link
Contributor

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.
Projects
Development

No branches or pull requests

2 participants