envoyproxy / gateway

Manages Envoy Proxy as a Standalone or Kubernetes-based Application Gateway
https://gateway.envoyproxy.io
Apache License 2.0

Add support for dynamic metadata in http ext authz #4163

Open nothinux opened 1 week ago

nothinux commented 1 week ago

Description: We have a use case that requires emitting specific information from the external authz service into the logs, and this can be achieved using dynamic metadata. In the grpc ext_authz, dynamic metadata can be included directly as part of CheckResponse. However, in the http ext_authz, the only method to pass this information is by sending it as response headers, which are then emitted via the dynamic_metadata_from_headers.

It would be great if the dynamic_metadata_from_headers field could be exposed.

Proposal: In the current implementation, allowed_upstream_headers is already implemented as headersToBackend with support for the exact match type only. We can extend the functionality to include dynamic_metadata_from_headers to support this.

headersToMetadata seems like a suitable option for dynamic_metadata_from_headers. However, I welcome any feedback and suggestions.

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: ext-auth-example
spec:
  extAuth:
    failOpen: false
    http:
      backendRefs:
      - group: ""
        kind: Service
        name: http-ext-auth
        port: 9002
      headersToMetadata:
      - x-user-id
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: backend
```

arkodg commented 1 week ago

Can this be achieved today by headersToBackend and then removing the header using the RequestHeaderModifier filter (https://gateway-api.sigs.k8s.io/guides/http-header-modifier/#http-request-header-modifier)?

nothinux commented 1 week ago

@arkodg yes, it can be achieved with that approach. However, we won't be able to retrieve the ext_authz_duration data, since it's only available when dynamic_metadata_from_headers is set. We need that data to monitor the time taken to complete the authorization process for each request.

arkodg commented 6 days ago

This feels like an advanced use case. I suggest using https://gateway.envoyproxy.io/docs/tasks/extensibility/envoy-patch-policy/ to achieve this. Let's keep this issue open to see if others in the community are also interested in this.
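As an added illustration of the EnvoyPatchPolicy route suggested in the last comment (this is not part of the issue thread and not the project's own example), the JSON patch below adds dynamic_metadata_from_headers to the ext_authz HTTP filter that Envoy Gateway generates. The Gateway name `eg`, the namespace `default`, the listener name `default/eg/http` and the filter index `0` are assumptions; dump the live listener with `egctl config envoy-proxy listener` and adjust the path before applying.

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: EnvoyPatchPolicy
metadata:
  name: ext-auth-dynamic-metadata
  namespace: default
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: eg                      # assumed Gateway name
  type: JSONPatch
  jsonPatches:
  - type: "type.googleapis.com/envoy.config.listener.v3.Listener"
    # Generated listener names follow <namespace>/<gateway>/<listener>;
    # this value is an assumption.
    name: default/eg/http
    operation:
      op: add
      # Path into the HttpConnectionManager's http_filters list. The
      # ext_authz filter position (index 0) is an assumption; confirm it in
      # the dumped listener. "add" requires authorization_response to exist
      # already, otherwise patch the parent object instead.
      path: "/default_filter_chain/filters/0/typed_config/http_filters/0/typed_config/http_service/authorization_response/dynamic_metadata_from_headers"
      value:
        patterns:
        # Only the x-user-id response header from the authz service is
        # copied into dynamic metadata; nothing else leaks into the logs.
        - exact: x-user-id
```

Once applied, the matched header is stored under the filter's metadata namespace (normally envoy.filters.http.ext_authz) and can be emitted from an access-log format with a DYNAMIC_METADATA operator, alongside the ext_authz_duration value the thread refers to.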