search

envoyproxy / envoy

Cloud-native high-performance edge/middle/service proxy
https://www.envoyproxy.io
Apache License 2.0
25.14k stars 4.83k forks source link

Feature Request: Add caching for ExtAuthZ responses #37449

Open agrawroh opened 1 day ago

agrawroh commented 1 day ago

Title: Feature Request: Add caching for ExtAuthZ responses

Description

Currently, we have the Simple HTTP Cache, which can be used to cache responses from the final upstream, thereby improving processing speed for subsequent requests with identical state. Similarly, there is a caching mechanism for JWT Authentication to store the JWKS received from the server.

Would it make sense to extend caching to the ExtAuthZ filter based on similar principles? This would eliminate the need to query the ExtAuthZ server for every subsequent request, significantly improving performance and reducing latency.

While it is technically possible to achieve this today by routing ExtAuthZ requests to a separate Envoy listener and applying the HTTP Cache filter there, this approach introduces complexity. It can lead to confusing logs and additional challenges in diagnosing failures.

Proposal

Integrating caching directly into the ExtAuthZ filter would provide a simple solution as it would simplify configurations by avoiding the need for a separate listener. It'll help enhance the efficiency by handling caching natively within the filter.

ggreenway commented 1 day ago

How would you identify which requests are a cache hit vs cache miss? The ext_authz service currently receives nearly all information about a request, but Envoy doesn't know what fields it actually uses to decide whether a request is authorized or not.

agrawroh commented 1 day ago

How would you identify which requests are a cache hit vs cache miss? The ext_authz service currently receives nearly all information about a request, but Envoy doesn't know what fields it actually uses to decide whether a request is authorized or not.

I was thinking if we could take a similar approach to what the HTTP Cache filter does by introducing an option to specify an allowlist of headers that can be varied. Everything else could be used to decide whether a response should be cached. What do you think?

ggreenway commented 1 day ago

It wouldn't just be headers: it could be any property including client IP address, TLS session properties, time request is received, http protocol version, etc.

tyxia commented 19 hours ago

cc @yanavlasov and @krajshiva, I think we have planned this ext_authz cache work internally.