External Authorization

The external authorization service configuration overview.

config.filter.http.ext_authz.v2alpha.ExtAuthz

[config.filter.http.ext_authz.v2alpha.ExtAuthz proto]

External Authorization filter calls out to an external service over either gRPC or raw HTTP clients.

{
  "grpc_service": "{...}",
  "http_service": "{...}",
  "failure_mode_allow": "..."
}
grpc_service

(core.GrpcService) The external authorization gRPC service configuration. The default timeout is set to 200ms by this filter.

Only one of grpc_service, http_service may be set.

http_service

(config.filter.http.ext_authz.v2alpha.HttpService) The external authorization HTTP service configuration. The default timeout is set to 200ms by this filter.

Only one of grpc_service, http_service may be set.

failure_mode_allow

(bool) Allows bypassing the filter on errors during the authorization process.

1. When failure_mode_allow is true, traffic will be allowed in the presence of an error. This includes any of the HTTP 5xx errors, or a communication failure between the filter and the authorization server.
2. When failure_mode_allow is false, the filter will always return a Forbidden response to the client. It will not allow traffic to the upstream in the presence of an error. This includes any of the HTTP 5xx errors, or a communication failure between the filter and the authorization server.

Note that the filter will produce stats on error. See Statistics at configuration overview.
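A minimal filter configuration using grpc_service, added here as an illustration; it is not taken from the Envoy documentation. The cluster name ext_authz, the authorization server address 127.0.0.1:9001 and the surrounding listener are assumptions:

```yaml
# Added example (not from the Envoy docs). Assumes an ext_authz gRPC server
# listening on 127.0.0.1:9001 and an HTTP connection manager whose
# http_filters chain is the one shown here.
http_filters:
- name: envoy.ext_authz
  config:
    grpc_service:
      envoy_grpc:
        cluster_name: ext_authz
      # Explicit timeout; the filter defaults to 200ms when this is omitted.
      timeout: 0.2s
    # Fail closed: a 5xx from the authorization server, or a transport
    # failure, yields a 403 to the client instead of letting the request
    # through. Setting this to true turns an authz outage into an open
    # listener, so only do that for traffic that is safe to pass unchecked.
    failure_mode_allow: false
- name: envoy.router

clusters:
- name: ext_authz
  connect_timeout: 0.25s
  type: STATIC
  # gRPC needs HTTP/2 to the authorization server.
  http2_protocol_options: {}
  hosts:
  - socket_address:
      address: 127.0.0.1
      port_value: 9001
```

With failure_mode_allow left at false, a slow or unreachable authorization server shows up as denied requests rather than as silently unauthenticated traffic; the filter's error stat (see Statistics) is the signal to alert on in either mode.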

config.filter.http.ext_authz.v2alpha.HttpService

[config.filter.http.ext_authz.v2alpha.HttpService proto]

External Authorization filter calls an authorization server by passing the raw HTTP request headers to the server. This allows the authorization service to decide whether the request should be authorized or not.

A successful check allows the authorization service to add or override headers of the original request before it is dispatched to the upstream. This is done by configuring which headers in the authorization response should be sent to the upstream. See allowed_upstream_headers for more details.

A failed check will cause this filter to respond to the HTTP request with 403 (Forbidden), unless a different status code has been indicated by the authorization server via response headers. In addition to the status code, and with the exception of the Authority header, the filter will send all headers from the authorization server back to the client by default. See allowed_client_headers for more details.

Note

Unlike the gRPC client, where request and response headers are passed inside the check message, headers forwarded via the raw HTTP client directly affect the request or the response.

{
  "server_uri": "{...}",
  "path_prefix": "...",
  "authorization_request": "{...}",
  "authorization_response": "{...}"
}
server_uri
(core.HttpUri) Sets the HTTP server URI which the authorization requests must be sent to.
path_prefix
(string) Sets an optional prefix to the value of authorization request header Path.
authorization_request
(config.filter.http.ext_authz.v2alpha.AuthorizationRequest) Settings for controlling request headers forwarded from the filter to the authorization server.
authorization_response
(config.filter.http.ext_authz.v2alpha.AuthorizationResponse) Settings for controlling authorization response forwarded from the filter to a client, or to an upstream service.

config.filter.http.ext_authz.v2alpha.AuthorizationRequest

[config.filter.http.ext_authz.v2alpha.AuthorizationRequest proto]

{
  "allowed_headers": "{...}",
  "headers_to_add": []
}
allowed_headers
(type.matcher.ListStringMatcher) Sets a list of matchers that are used to determine which client request headers should be forwarded from the filter to the authorization server. Note that Content-Length, Authority, Method, Path and Authorization are always dispatched to the authorization server by default. The message will not contain body data and the Content-Length will be set to zero.
headers_to_add
(core.HeaderValue) Sets a list of headers and their values that will be added to the request to the external authorization server. Note that these will override the headers coming from the downstream.

config.filter.http.ext_authz.v2alpha.AuthorizationResponse

[config.filter.http.ext_authz.v2alpha.AuthorizationResponse proto]

{
  "allowed_upstream_headers": "{...}",
  "allowed_client_headers": "{...}"
}
allowed_upstream_headers
(type.matcher.ListStringMatcher) Sets a list of matchers that are used to determine which authorization response headers should be forwarded from the filter to the upstream service, only when the HTTP status is a 200 OK. Note that these headers will override the original request headers when matched.
allowed_client_headers
(type.matcher.ListStringMatcher) Sets a list of matchers that are used to determine which authorization response headers should be forwarded from the filter to the client when the HTTP status is NOT a 200 OK. Note that when this list is empty, all the authorization response headers, except Authority, will be sent to the client (default). When a header is included in this list, Path, Status, Content-Length, WWW-Authenticate and Location are automatically added.
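A filter configuration using http_service that exercises every field of HttpService, AuthorizationRequest and AuthorizationResponse, added here as an illustration and not taken from the Envoy documentation. The cluster name ext_authz, the /check prefix and all x-* header names are assumptions; the authorization server is assumed to set x-authz-user and x-authz-scopes on a 200 and x-authz-reason on a denial:

```yaml
# Added example (not from the Envoy docs). Assumes a raw HTTP authorization
# server reachable through a cluster named ext_authz.
http_filters:
- name: envoy.ext_authz
  config:
    failure_mode_allow: false
    http_service:
      server_uri:
        uri: http://ext_authz
        cluster: ext_authz
        timeout: 0.2s
      # A request for /orders/42 reaches the server as /check/orders/42.
      path_prefix: /check
      authorization_request:
        # Only these client headers are copied to the authz request, in
        # addition to Content-Length, Authority, Method, Path and
        # Authorization, which are always sent. The body is never sent.
        allowed_headers:
          patterns:
          - exact: x-forwarded-for
          - prefix: x-session-
        # Added to the authz request and overriding any client-supplied
        # header with the same name, so the server can trust it.
        headers_to_add:
        - key: x-envoy-listener
          value: public
      authorization_response:
        # On 200 OK these server headers are copied onto the upstream
        # request, overriding any client-supplied header of the same name.
        allowed_upstream_headers:
          patterns:
          - exact: x-authz-user
          - exact: x-authz-scopes
        # On a non-200 these server headers go back to the client. Because
        # the list is non-empty, Path, Status, Content-Length,
        # WWW-Authenticate and Location are added automatically, and every
        # other server header is dropped rather than leaked to the client.
        allowed_client_headers:
          patterns:
          - exact: x-authz-reason
- name: envoy.router
```

Two points worth checking in a review of such a configuration: allowed_upstream_headers is what makes an identity header such as x-authz-user trustworthy to the upstream, since a client cannot inject it past the filter once the server's value overrides it; and leaving allowed_client_headers empty means the authorization server's full response header set, minus Authority, is echoed to the client on a denial.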

config.filter.http.ext_authz.v2alpha.ExtAuthzPerRoute

[config.filter.http.ext_authz.v2alpha.ExtAuthzPerRoute proto]

Extra settings on a per virtualhost/route/weighted-cluster level.

{
  "disabled": "...",
  "check_settings": "{...}"
}
disabled

(bool) Disable the ext auth filter for this particular vhost or route. If disabled is specified in multiple per-filter-configs, the most specific one will be used.

Precisely one of disabled, check_settings must be set.

check_settings

(config.filter.http.ext_authz.v2alpha.CheckSettings) Check request settings for this route.

Precisely one of disabled, check_settings must be set.

config.filter.http.ext_authz.v2alpha.CheckSettings

[config.filter.http.ext_authz.v2alpha.CheckSettings proto]

Extra settings for the check request. You can use this to provide extra context for the ext-authz server on specific virtual hosts or routes. For example, adding a context extension on the virtual host level can give the ext-authz server information on what virtual host is used without needing to parse the host header. If CheckSettings is specified in multiple per-filter-configs, they will be merged in order, and the result will be used.

{
  "context_extensions": "{...}"
}
context_extensions

(map<string, string>) Context extensions to set on the CheckRequest’s AttributeContext.context_extensions

Merge semantics for this field are such that keys from more specific configs override.

Note

These settings are only applied to a filter configured with a grpc_service.
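A route configuration showing ExtAuthzPerRoute at the virtual host and route levels, added here as an illustration and not taken from the Envoy documentation. It assumes the filter is configured with a grpc_service (as the note above requires for CheckSettings); the cluster name backend, the paths and the context extension keys are assumptions:

```yaml
# Added example (not from the Envoy docs). Assumes the envoy.ext_authz
# filter in this listener is configured with grpc_service.
route_config:
  name: local_route
  virtual_hosts:
  - name: backend
    domains: ["*"]
    # Applies to every route below unless a more specific config replaces
    # or merges with it.
    per_filter_config:
      envoy.ext_authz:
        check_settings:
          context_extensions:
            virtual_host: backend
    routes:
    # Health checks skip the authorization check entirely; keep such
    # exemptions to endpoints that expose nothing sensitive.
    - match: { prefix: "/healthz" }
      route: { cluster: backend }
      per_filter_config:
        envoy.ext_authz:
          disabled: true
    # Merged with the virtual host settings: the CheckRequest carries both
    # virtual_host=backend and route=admin in
    # AttributeContext.context_extensions. A route-level key with the same
    # name as a virtual host key would override it.
    - match: { prefix: "/admin" }
      route: { cluster: backend }
      per_filter_config:
        envoy.ext_authz:
          check_settings:
            context_extensions:
              route: admin
    # No per-route config: checked with the virtual host settings only.
    - match: { prefix: "/" }
      route: { cluster: backend }
```

Because disabled and check_settings are mutually exclusive within one per-filter config, a route that needs both an exemption and extra context is not expressible; pick one, and audit any disabled entry the same way you would an unauthenticated listener.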