Envoy External Authorization
External Authorization
- External authorization is the mechanism of calling a third-party authorization service to verify a client's permissions.
- Envoy calls the external authorization service through the external authorization (ext_authz) filter to check whether an incoming request is authorized.
- The filter can be configured as a network filter (envoy.extensions.filters.network.ext_authz.v3.ExtAuthz), as an HTTP filter (envoy.extensions.filters.http.ext_authz.v3.ExtAuthz), or as both in combination:
  - if the network filter's check fails, the connection is closed;
  - if the HTTP filter's check fails, the request is rejected, by default with a 403 (Forbidden) response; the authorization service may supply a different denial status, headers and body in its response.
- The external authorization service should normally be defined as an upstream cluster.
- If the authorization service is unreachable (or answers with a 5xx) while a request is being checked, whether the request is allowed depends on the filter's failure_mode_allow setting: true fails open and lets the request through; the default, false, fails closed and the HTTP filter returns status_on_error (403 by default) to the client. Leaving failure_mode_allow at false is the safe choice unless availability is explicitly preferred over enforcement.
Network filter configuration
Network filter configuration format
listeners:
  ...
  filter_chains:
  - filter_chain_match: {...}
    use_proxy_proto: {...}
    transport_socket: {...}
    transport_socket_connect_timeout: {...}
    name: ...
    filters: # List of the network filters that make up the filter chain for connections accepted by the listener. Order matters: filters are processed sequentially as connection events occur. Note: if the filter list is empty, the connection is closed by default.
    - name: envoy.filters.network.ext_authz # Name of the filter configuration; it depends on the filter given in typed_config.
      typed_config: # Filter-specific configuration; it depends on the filter being instantiated.
        "@type": type.googleapis.com/envoy.extensions.filters.network.ext_authz.v3.ExtAuthz
        stat_prefix: ...
        grpc_service: {...}
        failure_mode_allow: ...
        include_peer_certificate: ...
        transport_api_version: ...
        filter_enabled_metadata: {...}
        bootstrap_metadata_labels_key: ...
Network filter configuration sample
filters:
- name: envoy.filters.network.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.network.ext_authz.v3.ExtAuthz
    stat_prefix: ext_authz
    grpc_service:
      envoy_grpc:
        cluster_name: ext-authz
    include_peer_certificate: true
clusters:
- name: ext-authz
  type: static
  typed_extension_protocol_options:
    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
      "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
      explicit_http_config:
        http2_protocol_options: {}
  load_assignment:
    cluster_name: ext-authz
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: 127.0.0.1
              port_value: 10003
HTTP filter configuration
HTTP filter configuration format
listeners:
  ...
  filter_chains:
  - ...
    name: ...
    filters: # List of the network filters that make up the filter chain for connections accepted by the listener. Order matters: filters are processed sequentially as connection events occur. Note: if the filter list is empty, the connection is closed by default.
    - name: envoy.filters.network.http_connection_manager # Name of the filter configuration; it depends on the filter given in typed_config.
      typed_config: # Filter-specific configuration; it depends on the filter being instantiated.
        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
        ...
        http_filters:
        - name: envoy.filters.http.ext_authz
          config_discovery: {...}
          is_optional: ...
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
            grpc_service: {...}
            http_service: {...}
            transport_api_version: ...
            failure_mode_allow: ...
            with_request_body: {...}
            clear_route_cache: ...
            status_on_error: {...}
            metadata_context_namespaces: []
            typed_metadata_context_namespaces: []
            filter_enabled: {...}
            filter_enabled_metadata: {...}
            deny_at_disable: {...}
            include_peer_certificate: ...
            stat_prefix: ...
            bootstrap_metadata_labels_key: ...
HTTP filter configuration sample
gRPC
http_filters:
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    grpc_service:
      envoy_grpc:
        cluster_name: ext-authz
      # Default is 200ms; override if your server needs e.g. warmup time.
      timeout: 0.5s
    include_peer_certificate: true
    with_request_body:
      max_request_bytes: 1024
      allow_partial_message: true
      pack_as_bytes: true
clusters:
- name: ext-authz
  type: static
  typed_extension_protocol_options:
    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
      "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
      explicit_http_config:
        http2_protocol_options: {}
  load_assignment:
    cluster_name: ext-authz
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: 127.0.0.1
              port_value: 10003
  # This timeout controls the initial TCP handshake timeout - not the timeout for the
  # entire request.
  connect_timeout: 0.25s
HTTP
http_filters:
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    http_service:
      server_uri:
        uri: 127.0.0.1:10003
        cluster: ext-authz
        timeout: 0.25s
    failure_mode_allow: false
    include_peer_certificate: true
clusters:
- name: ext-authz
  connect_timeout: 0.25s
  type: logical_dns
  lb_policy: round_robin
  load_assignment:
    cluster_name: ext-authz
    endpoints:
    - lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: 127.0.0.1
              port_value: 10003
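The other half of the http_service sample above is the authorization server itself. The following is an added example, not code from this page or from the Envoy project: a minimal server listening on the 127.0.0.1:10003 the cluster points at. With http_service, Envoy sends one check request per client request, carrying the client's Host, Method, Path and Authorization headers (plus the buffered body when with_request_body is set, and any extra headers listed under authorization_request.allowed_headers). A 200 response means allow; any other status means deny, and Envoy relays that status and body to the client. The bearer-token table, the /admin prefix rule and the x-user-id header are constructed for the demo; x-user-id only reaches the upstream if it is listed under authorization_response.allowed_upstream_headers in the filter config.

```python
"""Minimal HTTP-mode ext_authz server (added example, not Envoy's own code)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed token table for the demo; a real deployment would validate a
# signed token or consult an identity service instead.
VALID_TOKENS = {
    "s3cr3t-alice": "alice",
    "s3cr3t-bob": "bob",
}

# Constructed policy: any authenticated user may reach ordinary paths,
# only ADMINS may reach paths under ADMIN_PREFIX.
ADMIN_PREFIX = "/admin"
ADMINS = {"alice"}


def authorize(method, path, headers):
    """Pure decision function: returns (status, extra_headers, body).

    Keeping the decision separate from the HTTP plumbing makes it unit
    testable and reusable from a gRPC implementation later.
    """
    auth = headers.get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or token not in VALID_TOKENS:
        # Non-200: Envoy denies and relays status, headers and body to the client.
        return 401, {"www-authenticate": 'Bearer realm="ext-authz"'}, b"unauthenticated\n"
    user = VALID_TOKENS[token]
    if path.startswith(ADMIN_PREFIX) and user not in ADMINS:
        return 403, {}, b"forbidden\n"
    # 200: allow. x-user-id reaches the upstream only if the filter lists it
    # in authorization_response.allowed_upstream_headers.
    return 200, {"x-user-id": user}, b""


class CheckHandler(BaseHTTPRequestHandler):
    def _handle(self):
        # Drain the buffered client body if Envoy was configured with with_request_body.
        length = int(self.headers.get("content-length") or 0)
        if length:
            self.rfile.read(length)
        lowered = {k.lower(): v for k, v in self.headers.items()}
        status, extra, body = authorize(self.command, self.path, lowered)
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("content-length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    # Envoy keeps the client's method on the check request, so accept them all.
    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = do_HEAD = _handle

    def log_message(self, *_):  # keep the demo quiet
        pass


def serve(host="127.0.0.1", port=10003):
    """Run in the foreground on the address used by the page's ext-authz cluster."""
    ThreadingHTTPServer((host, port), CheckHandler).serve_forever()


def roundtrip(method, path, token=None):
    """Start the server on an ephemeral port, send one check request shaped the
    way Envoy would send it, and return (status, x-user-id header or None)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), CheckHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", srv.server_address[1], timeout=5)
        hdrs = {"Host": "example.internal"}
        if token:
            hdrs["Authorization"] = "Bearer " + token
        conn.request(method, path, headers=hdrs)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("x-user-id")
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    serve()
```

Because the sample config sets failure_mode_allow: false, stopping this server makes Envoy answer every request with status_on_error (403 by default) rather than letting traffic through; with failure_mode_allow: true the same outage would silently disable authorization, which is why the default is the right one for an enforcement point.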
Per-Route Configuration
A sample virtual host and route filter configuration. In this example we add additional context on the virtual host (sent to the authorization service as context_extensions) and disable the filter for routes with the /static prefix, so requests under /static are never checked.
route_config:
  name: local_route
  virtual_hosts:
  - name: local_service
    domains: ["*"]
    typed_per_filter_config:
      envoy.filters.http.ext_authz:
        "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
        check_settings:
          context_extensions:
            virtual_host: local_service
    routes:
    - match: { prefix: "/static" }
      route: { cluster: some_service }
      typed_per_filter_config:
        envoy.filters.http.ext_authz:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
          disabled: true
    - match: { prefix: "/" }
      route: { cluster: some_service }
References
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/ext_authz_filter
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto#extension-envoy-filters-http-ext-authz
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_authz/v3/ext_authz.proto#envoy-v3-api-msg-extensions-filters-http-ext-authz-v3-extauthz
https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/ext_authz/v3/ext_authz.proto#envoy-v3-api-msg-extensions-filters-network-ext-authz-v3-extauthz