envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

pack_as_bytes doesn't work with Per-Route ExtAuthZ Filter #35623

Closed shikharj05 closed 1 month ago

shikharj05 commented 2 months ago

Title: ExtAuthzPerRoute doesn't support pack_as_bytes when configured.

Description: ExtAuthzPerRoute supports configuring per-route BufferSettings via CheckSettings; however, setting pack_as_bytes to true has no effect. The body is always set using the body attribute of the HttpRequest, and raw_body is not set.

Repro steps:

  1. Create a per-route config in the Envoy setup (example config below).
  2. Try reading the request body using the raw_body attribute; no raw_body is found.

Config:


```yaml
admin:
  address:
    socket_address:
      protocol: TCP
      address: 127.0.0.1
      port_value: 9901
static_resources:
  listeners:
  - name: main_listener
    address:
      socket_address:
        protocol: TCP
        address: 0.0.0.0
        port_value: 8080
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: upstream
                typed_per_filter_config:
                  envoy.filters.http.ext_authz:
                    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
                    check_settings:
                      with_request_body:
                        max_request_bytes: 4096
                        allow_partial_message: true
                        pack_as_bytes: true
          http_filters:
          - name: envoy.filters.http.ext_authz
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              http_service:
                server_uri:
                  cluster: extauthz
                  timeout: 60s
                  uri: http://127.0.0.1:10001
              status_on_error:
                code: ServiceUnavailable
              transport_api_version: "v3"
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
  clusters:
  - name: extauthz
    connect_timeout: 5.0s
    type: strict_dns
    lb_policy: round_robin
    protocol_selection: USE_DOWNSTREAM_PROTOCOL
    load_assignment:
      cluster_name: extauthz
      endpoints:
        lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 8081
  - name: upstream
    connect_timeout: 5.0s
    type: strict_dns
    lb_policy: round_robin
    protocol_selection: USE_DOWNSTREAM_PROTOCOL
    load_assignment:
      cluster_name: upstream
      endpoints:
        lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 8082
```


The root cause could be that [ext_authz.cc](https://github.com/agrawroh/envoy/blob/main/source/extensions/filters/http/ext_authz/ext_authz.cc) doesn't consider packAsBytes config from checkSettings.

adisuissa commented 2 months ago

cc @tyxia @ggreenway as codeowners

ggreenway commented 2 months ago

It looks like this was never implemented for per-route settings; I'm unsure why. It would be straightforward for someone to implement this.
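Added example, not part of the thread and not Envoy project code: a sketch of how an authorization service can cope with the behaviour reported above by reading the body from either `raw_body` or `body` and denying when a body it must inspect never arrives. It assumes a gRPC authorization service that has already converted the `CheckRequest` to its proto3 JSON dict form; the function names, the amount policy and the sample requests are hypothetical.

```python
import base64
import json

def extract_body(check_request):
    """Return (body_bytes, source_field) from a CheckRequest in proto3 JSON form."""
    http = check_request.get("attributes", {}).get("request", {}).get("http", {})
    raw = http.get("rawBody") or http.get("raw_body")  # bytes field: base64 in JSON
    if raw:
        return base64.b64decode(raw, validate=True), "raw_body"
    text = http.get("body") or ""                      # string field: UTF-8 text
    if text:
        return text.encode("utf-8"), "body"
    return b"", "none"

def amount_within_limit(body, limit=1000):
    """Hypothetical policy: the JSON body must carry an integer amount <= limit."""
    try:
        amount = json.loads(body).get("amount")
    except (ValueError, AttributeError):
        return False  # not JSON, or not a JSON object
    if isinstance(amount, bool) or not isinstance(amount, int):
        return False
    return 0 <= amount <= limit

def decide(check_request, body_required=True):
    """Return (allow, reason). Fails closed when a required body is absent."""
    try:
        body, source = extract_body(check_request)
    except ValueError:
        return False, "malformed raw_body"
    if source == "none":
        return (not body_required), "no body forwarded"
    return amount_within_limit(body), "policy evaluated on " + source

# Constructed sample requests (not captured traffic).
# Per-route settings as reported in this issue: only `body` is populated.
PER_ROUTE = {"attributes": {"request": {"http": {
    "method": "POST", "path": "/pay", "body": '{"amount": 250}'}}}}
# pack_as_bytes honoured: `raw_body` arrives base64-encoded in the JSON mapping.
PACKED = {"attributes": {"request": {"http": {
    "method": "POST", "path": "/pay",
    "rawBody": base64.b64encode(b'{"amount": 5000}').decode()}}}}
NO_BODY = {"attributes": {"request": {"http": {"method": "POST", "path": "/pay"}}}}

if __name__ == "__main__":
    for name, req in (("per-route", PER_ROUTE), ("packed", PACKED), ("empty", NO_BODY)):
        print(name, decide(req))
```

A service that reads only `raw_body` would treat the `PER_ROUTE` request like `NO_BODY`, so the deny-by-default branch is what keeps an unset field from turning into an unchecked request.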

github-actions[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.

github-actions[bot] commented 1 month ago

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted" or "no stalebot". Thank you for your contributions.