envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0

Not logging policies name if denied #36346

Open zvlb opened 1 month ago

zvlb commented 1 month ago

Title: Not logging policies name if denied

Description:

I have a filter with a simple RBAC HTTP filter:

```yaml
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    rules:
      action: ALLOW
      policies:
        whitelist:
          permissions:
          - any: true
          principals:
          - source_ip:
              address_prefix: 127.0.0.1
              prefix_len: 32
```

If I create requests from localhost, everything works well, and I see in the logs:

[2024-09-26 11:40:13.329][3492045][debug][rbac] [source/extensions/filters/http/rbac/rbac_filter.cc:182] enforced allowed, matched policy whitelist

But if I create a request from an external server, Envoy blocks my request (RBAC: access denied), but in the logs:

[2024-09-26 11:41:28.955][3492043][debug][rbac] [source/extensions/filters/http/rbac/rbac_filter.cc:194] enforced denied, matched policy none

Envoy doesn't print the policy name(
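The two log lines above can be reproduced with a simplified model of RBAC rule evaluation. This is an added example, not Envoy's code and not part of the issue thread; it models only source-IP principals with `any: true` permissions, and the function names, the `blocklist` policy and the 203.0.113.0/24 addresses are constructed for illustration. Under `action: ALLOW` a request is denied precisely when no policy matches, so a denial has no policy name to report; a policy name appears on a denial only under `action: DENY`.

```python
import ipaddress

def matched_policy(policies, source_ip):
    """Return the name of the first policy whose principal CIDRs contain
    source_ip, or None when no policy matches."""
    addr = ipaddress.ip_address(source_ip)
    # policies is a map of name -> list of CIDRs; sorted so the model is deterministic.
    for name in sorted(policies):
        if any(addr in ipaddress.ip_network(cidr) for cidr in policies[name]):
            return name
    return None

def enforce(action, policies, source_ip):
    """Return (allowed, message) for one request.

    ALLOW: allowed only if some policy matched (safe-list style).
    DENY:  denied only if some policy matched (block-list style).
    The message mimics the wording of the debug lines quoted in the issue.
    """
    if action not in ("ALLOW", "DENY"):
        raise ValueError(f"unsupported action: {action}")
    name = matched_policy(policies, source_ip)
    matched = name is not None
    allowed = matched if action == "ALLOW" else not matched
    verdict = "allowed" if allowed else "denied"
    return allowed, f"enforced {verdict}, matched policy {name or 'none'}"

if __name__ == "__main__":
    # Policy from the issue: ALLOW rule set with one policy named "whitelist".
    allow_rules = {"whitelist": ["127.0.0.1/32"]}
    # Constructed counter-example: DENY rule set with a named policy.
    deny_rules = {"blocklist": ["203.0.113.0/24"]}
    for action, rules, ip in [
        ("ALLOW", allow_rules, "127.0.0.1"),
        ("ALLOW", allow_rules, "203.0.113.7"),
        ("DENY", deny_rules, "203.0.113.7"),
        ("DENY", deny_rules, "127.0.0.1"),
    ]:
        print(action, ip, "->", enforce(action, rules, ip)[1])
```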

shreemaan-abhishek commented 1 month ago

Which Envoy version are you using? I don't see any field called whitelist in the policy spec: https://www.envoyproxy.io/docs/envoy/v1.31.2/api-v3/config/rbac/v3/rbac.proto#envoy-v3-api-msg-config-rbac-v3-policy

zvlb commented 1 month ago

envoy --version
envoy  version: 10e1e425fd84cc2cde985179655da08f68c9cb30/1.29.3/Modified/RELEASE/BoringSSL

whitelist is just the policy name. I can use any name for policies: https://www.envoyproxy.io/docs/envoy/v1.31.2/api-v3/config/rbac/v3/rbac.proto#config-rbac-v3-rbac

policies - (repeated map<[string](https://developers.google.com/protocol-buffers/docs/proto#scalar), [config.rbac.v3.Policy](https://www.envoyproxy.io/docs/envoy/v1.31.2/api-v3/config/rbac/v3/rbac.proto#envoy-v3-api-msg-config-rbac-v3-policy)>)

shreemaan-abhishek commented 1 month ago

Please assign this to me. I would like to find the root cause and hopefully produce a fix for this.

github-actions[bot] commented 1 day ago

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or "no stalebot" or other activity occurs. Thank you for your contributions.