Envoy External Authorization

External authorization

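  • External authorization is a mechanism that calls a third-party authorization service to verify a user's permissions;

    • Envoy uses the external authorization filter to call an external authorization service and check whether an incoming request is authorized;

      • The filter can be configured as a network filter (config.filter.network.ext_authz.v3.ExtAuthz), as an HTTP filter (config.filter.http.ext_authz.v3.ExtAuthz), or as a combination of the two;
        • If the network filter's authorization check fails, the connection is closed immediately;

        • If the HTTP filter's authorization check fails, the response is 403 (Forbidden);

    • The external authorization service should normally be defined as an upstream cluster

      • When a request arrives and its authorization is checked, if the external authorization service is unavailable, whether the request is authorized depends on the filter's failure_mode_allow setting;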

Network filter configuration

Network filter configuration format

--
  listeners: 
    ...
    filter_chains: 
      filter_chain_match: {...}
      use_proxy_proto: {...}
      transport_socket: {...}
      transport_socket_connect_timeout: {...}
      name: ...
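      filters: # List of individual network filters that make up the filter chain for connections established with the listener. Order matters, because the filters are processed sequentially as connection events happen. Note: if the filter list is empty, the connection is closed by default.
        name: envoy.filters.network.ext_authz # Name of the filter configuration. It depends on the name specified for the filter configured in typed_config.
        typed_config: # Filter-specific configuration, which depends on the filter being instantiated.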
          "@type": type.googleapis.com/envoy.extensions.filters.network.ext_authz.v3.ExtAuthz
          stat_prefix: ...
          grpc_service: {...}
          failure_mode_allow: ...
          include_peer_certificate: ...
          transport_api_version: ...
          filter_enabled_metadata: {...}
          bootstrap_metadata_labels_key: ...

Network filter configuration example

filters:
  - name: envoy.filters.network.ext_authz
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.network.ext_authz.v3.ExtAuthz
      stat_prefix: ext_authz
      grpc_service:
        envoy_grpc:
          cluster_name: ext-authz
      include_peer_certificate: true

clusters:
  - name: ext-authz
    type: static
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}
    load_assignment:
      cluster_name: ext-authz
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 10003

HTTP filter configuration

HTTP filter configuration format

--
  listeners: 
    ...
    filter_chains: 
      ...
      name: ...
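      filters: # List of individual network filters that make up the filter chain for connections established with the listener. Order matters, because the filters are processed sequentially as connection events happen. Note: if the filter list is empty, the connection is closed by default.
        name: envoy.filters.network.http_connection_manager # Name of the filter configuration. It depends on the name specified for the filter configured in typed_config.
        typed_config:  # Filter-specific configuration, which depends on the filter being instantiated.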
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          ...
          http_filters:
          - name: envoy.filters.http.ext_authz
            config_discovery: {...}
            is_optional: ...
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
              grpc_service: {...}
              http_service: {...}
              transport_api_version: ...
              failure_mode_allow: ...
              with_request_body: {...}
              clear_route_cache: ...
              status_on_error: {...}
              metadata_context_namespaces: []
              typed_metadata_context_namespaces: []
              filter_enabled: {...}
              filter_enabled_metadata: {...}
              deny_at_disable: {...}
              include_peer_certificate: ...
              stat_prefix: ...
              bootstrap_metadata_labels_key: ...

HTTP filter configuration examples

gRPC

http_filters:
  - name: envoy.filters.http.ext_authz
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
      grpc_service:
        envoy_grpc:
          cluster_name: ext-authz

        # Default is 200ms; override if your server needs e.g. warmup time.
        timeout: 0.5s
      include_peer_certificate: true
      with_request_body:
        max_request_bytes: 1024
        allow_partial_message: true
        pack_as_bytes: true
      
clusters:
  - name: ext-authz
    type: static
    typed_extension_protocol_options:
      envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
        "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
        explicit_http_config:
          http2_protocol_options: {}
    load_assignment:
      cluster_name: ext-authz
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 10003

    # This timeout controls the initial TCP handshake timeout - not the timeout for the
    # entire request.
    connect_timeout: 0.25s

HTTP 

http_filters:
  - name: envoy.filters.http.ext_authz
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
      http_service:
        server_uri:
          uri: 127.0.0.1:10003
          cluster: ext-authz
          timeout: 0.25s
      # failure_mode_allow is a field of the ExtAuthz filter, not of server_uri.
      failure_mode_allow: false
      include_peer_certificate: true
      
clusters:
  - name: ext-authz
    connect_timeout: 0.25s
    type: logical_dns
    lb_policy: round_robin
    load_assignment:
      cluster_name: ext-authz
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 10003
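
The authorization side of the HTTP sample above, as an added example that is not part of the original post: a small service on 127.0.0.1:10003 that answers 200 to allow a request and 403 to deny it (Envoy treats 200 as allow and any other status as not allowed). The token value and the read-only policy are assumptions made up for this example.

```python
# Added example: a small HTTP authorization service for the ext_authz
# http_service sample above. Token and policy are constructed placeholders.
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_TOKEN = "example-token-constructed"  # placeholder; load from a secret store


def decide(method, headers):
    """Return the status the service answers with: 200 allows, 403 denies."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return 403
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(token.encode(), EXPECTED_TOKEN.encode()):
        return 403
    # Assumed policy for this example: the token only grants read access.
    if method not in ("GET", "HEAD"):
        return 403
    return 200


class AuthzHandler(BaseHTTPRequestHandler):
    def _check(self):
        try:
            headers = {k.lower(): v for k, v in self.headers.items()}
            status = decide(self.command, headers)
        except Exception:
            status = 403  # fail closed on any internal error
        self.send_response(status)
        self.send_header("Content-Length", "0")
        self.end_headers()

    # The check request carries the original method, so handle every verb.
    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = do_PATCH = _check


if __name__ == "__main__":
    # Address and port match the ext-authz cluster endpoint in the sample.
    HTTPServer(("127.0.0.1", 10003), AuthzHandler).serve_forever()
```

With failure_mode_allow: false in the filter, a request is also rejected when this service is down or times out, so the service's availability becomes part of the request path.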

Per-Route Configuration

A sample virtual host and route filter configuration. In this example we add additional context on the virtual host and disable the filter for routes prefixed with /static.

route_config:
  name: local_route
  virtual_hosts:
  - name: local_service
    domains: ["*"]
    typed_per_filter_config:
      envoy.filters.http.ext_authz:
        "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
        check_settings:
          context_extensions:
            virtual_host: local_service
    routes:
    - match: { prefix: "/static" }
      route: { cluster: some_service }
      typed_per_filter_config:
        envoy.filters.http.ext_authz:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
          disabled: true
    - match: { prefix: "/" }
      route: { cluster: some_service }
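
To review which requests the per-route configuration above exempts from authorization, the following added example (not from the original post) models first-match `prefix` routing over that virtual host. It is a simplified model covering only `prefix` matches, and the sample paths are constructed.

```python
# Added example: simplified model of first-match `prefix` routing, used to
# see which request paths skip ext_authz under the route_config above.
EXT_AUTHZ = "envoy.filters.http.ext_authz"

# The page's virtual host as a Python dict (same keys as the YAML).
VHOST = {
    "name": "local_service",
    "domains": ["*"],
    "typed_per_filter_config": {EXT_AUTHZ: {
        "check_settings": {"context_extensions": {"virtual_host": "local_service"}},
    }},
    "routes": [
        {"match": {"prefix": "/static"}, "route": {"cluster": "some_service"},
         "typed_per_filter_config": {EXT_AUTHZ: {"disabled": True}}},
        {"match": {"prefix": "/"}, "route": {"cluster": "some_service"}},
    ],
}


def select_route(vhost, path):
    """Return the first route whose prefix matches the path, ignoring the query."""
    path = path.split("?", 1)[0]
    for route in vhost["routes"]:
        if path.startswith(route["match"]["prefix"]):
            return route
    raise ValueError("no route matched; outside this model")


def authz_decision(vhost, path):
    """Return (matched_prefix, ext_authz_runs, context_extensions) for a path."""
    route = select_route(vhost, path)
    prefix = route["match"]["prefix"]
    route_cfg = route.get("typed_per_filter_config", {}).get(EXT_AUTHZ, {})
    if route_cfg.get("disabled", False):
        return prefix, False, {}  # the request is never sent to the authz service
    # No route-level settings here, so the virtual-host settings apply.
    vh_cfg = vhost.get("typed_per_filter_config", {}).get(EXT_AUTHZ, {})
    ctx = vh_cfg.get("check_settings", {}).get("context_extensions", {})
    return prefix, True, dict(ctx)


if __name__ == "__main__":
    # Constructed sample paths.
    for p in ["/static/app.js", "/staticfiles/report.csv", "/api/users?id=1"]:
        print(p, authz_decision(VHOST, p))
```

A `prefix` match is a plain string prefix, so `/staticfiles/report.csv` also skips the check; writing the prefix as `/static/` keeps the exemption to that directory.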


posted @ 2022-09-28 14:42  小吉猫