[Open] yangminzhu opened this issue 4 years ago
@yangminzhu if we have the metadata matcher in ext authz that matches based on all the attributes, then we no longer have to worry about ext authz per host or even per filter metadata for ext authz right? Like RBAC, we could have a rich set of conditions that will decide whether or not the ext authz should kick in (these conditions will include attributes like the virtual host, other http headers, paths, etc.).
> if we have the metadata matcher in ext authz that matches based on all the attributes, then we no longer have to worry about ext authz per host or even per filter metadata for ext authz right?
@rshriram Yes, the proposal adds full matching support to ext_authz, as we already have in RBAC, which allows a much more flexible way of configuring ext_authz based on many different conditions (path, header, JWT, x509, source IP, etc.).
Just wanted to note that I am very interested in this proposal but I won't be able to look into 7/13. I would also like to see if we can incorporate the streaming tap matchers into this also.
I took a look at the proposal. My main comment (which I mentioned in the community meeting) is that I think this proposal needs to also cover TAP and its streaming concepts. Can we take a look at that also please?
Sure, and thanks for the comments, Matt. I will look into the tap filter and see how we can support it in the proposal; I will do some investigation and update the doc.
@mattklein123 I have updated the doc to cover support for the tap filter and stream-based matching. I also completed a PoC PR here: https://github.com/envoyproxy/envoy/pull/12317. Please let me know your thoughts, thank you.
The design (https://shorturl.at/gkrM3) proposes introducing a unified matching API for the ext_authz and RBAC filters, in order to support many complex access control scenarios and also to simplify the matching code in Envoy.
This allows the following feature requests to be supported:
@mattklein123 @htuch @lizan @rshriram @incfly @liminw, please let me know your thoughts and feel free to comment in the doc. Thank you.