.. _envoy_api_file_envoy/config/filter/http/ext_authz/v2alpha/ext_authz.proto: External Authorization ======================= The external authorization service configuration :ref:`configuration overview `. .. _envoy_api_msg_config.filter.http.ext_authz.v2alpha.ExtAuthz: config.filter.http.ext_authz.v2alpha.ExtAuthz --------------------------------------------- `[config.filter.http.ext_authz.v2alpha.ExtAuthz proto] `_ External Authorization filter calls out to an external service over either: 1. gRPC Authorization API defined by :ref:`CheckRequest `. 2. Raw HTTP Authorization server by passing the request headers to the service. A failed check will cause this filter to close the HTTP request normally with 403 (Forbidden), unless a different status code has been indicated in the authorization response. .. code-block:: json { "grpc_service": "{...}", "http_service": "{...}", "failure_mode_allow": "..." } .. _envoy_api_field_config.filter.http.ext_authz.v2alpha.ExtAuthz.grpc_service: grpc_service (:ref:`core.GrpcService `) The external authorization gRPC service configuration. The default timeout is set to 200ms by this filter. Only one of :ref:`grpc_service `, :ref:`http_service ` may be set. .. _envoy_api_field_config.filter.http.ext_authz.v2alpha.ExtAuthz.http_service: http_service (:ref:`config.filter.http.ext_authz.v2alpha.HttpService `) The external authorization HTTP service configuration. The default timeout is set to 200ms by this filter. Only one of :ref:`grpc_service `, :ref:`http_service ` may be set. .. _envoy_api_field_config.filter.http.ext_authz.v2alpha.ExtAuthz.failure_mode_allow: failure_mode_allow (`bool `_) The filter's behaviour in case the external authorization service does not respond back. When set to true, Envoy will also allow traffic in cases when an error occurs during the authorization process. Defaults to false. .. _envoy_api_msg_config.filter.http.ext_authz.v2alpha.HttpService: config.filter.http.ext_authz.v2alpha.HttpService ------------------------------------------------ `[config.filter.http.ext_authz.v2alpha.HttpService proto] `_ External Authorization filter calls out to an upstream authorization server by passing the raw HTTP request headers to the server. This allows the authorization service to take a decision whether the request is authorized or not. A successful check allows the authorization service adding or overriding headers from the original request before dispatching it to the upstream. This is done by configuring which headers in the authorization response should be sent to the upstream. See *allowed_authorization_headers* below. A failed check will cause this filter to close the HTTP request with 403 (Forbidden), unless a different status code has been indicated by the authorization server via response headers. If an error happens during the checking process, two situations may occur depending on the filter's configuration: 1. When *failure_mode_allow* is true, traffic will be allowed in the presence of an error. This includes any of the HTTP 5xx errors, or a communication failure between the filter and the authorization server. 2. When *failure_mode_allow* is false, the filter will *always* return a *Forbidden response* to the client. It will *not allow* traffic to the upstream in the presence of an error. This includes any of the HTTP 5xx errors, or a communication failure between the filter and the authorization server. Note that filter will produce stats on error. See *Statistics* at :ref:`configuration overview `. .. code-block:: json { "server_uri": "{...}", "path_prefix": "...", "allowed_authorization_headers": [], "allowed_request_headers": [], "authorization_headers_to_add": [] } .. _envoy_api_field_config.filter.http.ext_authz.v2alpha.HttpService.server_uri: server_uri (:ref:`core.HttpUri `) Sets the HTTP server URI which the authorization requests must be sent to. .. _envoy_api_field_config.filter.http.ext_authz.v2alpha.HttpService.path_prefix: path_prefix (`string `_) Sets an optional prefix to the value of authorization request header *Path*. .. _envoy_api_field_config.filter.http.ext_authz.v2alpha.HttpService.allowed_authorization_headers: allowed_authorization_headers (`string `_) Sets a list of headers that can be sent from the authorization server to the upstream service, or to the downstream client when present in the authorization response. Note that a matched request header will have its value overridden by the ones sent from the authorization server. .. _envoy_api_field_config.filter.http.ext_authz.v2alpha.HttpService.allowed_request_headers: allowed_request_headers (`string `_) Sets a list of headers that should be sent *from the filter* to the authorization server when they are also present in the client request. Note that *Content-Length*, *Authority*, *Method* and *Path* are always dispatched to the authorization server by default. The message will not contain body data and the *Content-Length* will be set to zero. .. _envoy_api_field_config.filter.http.ext_authz.v2alpha.HttpService.authorization_headers_to_add: authorization_headers_to_add (:ref:`core.HeaderValue `) Sets a list of headers and their values that will be added to the request to external authorization server. Note that these will override the headers coming from the downstream. .. _envoy_api_msg_config.filter.http.ext_authz.v2alpha.ExtAuthzPerRoute: config.filter.http.ext_authz.v2alpha.ExtAuthzPerRoute ----------------------------------------------------- `[config.filter.http.ext_authz.v2alpha.ExtAuthzPerRoute proto] `_ Extra settings on a per virtualhost/route/weighter-cluster level. .. code-block:: json { "disabled": "...", "check_settings": "{...}" } .. _envoy_api_field_config.filter.http.ext_authz.v2alpha.ExtAuthzPerRoute.disabled: disabled (`bool `_) Disable the ext auth filter for this particular vhost or route. If disabled is specified in multiple per-filter-configs, the most specific one will be used. Precisely one of :ref:`disabled `, :ref:`check_settings ` must be set. .. _envoy_api_field_config.filter.http.ext_authz.v2alpha.ExtAuthzPerRoute.check_settings: check_settings (:ref:`config.filter.http.ext_authz.v2alpha.CheckSettings `) Check request settings for this route. Precisely one of :ref:`disabled `, :ref:`check_settings ` must be set. .. _envoy_api_msg_config.filter.http.ext_authz.v2alpha.CheckSettings: config.filter.http.ext_authz.v2alpha.CheckSettings -------------------------------------------------- `[config.filter.http.ext_authz.v2alpha.CheckSettings proto] `_ Extra settings for the check request. You can use this to provide extra context for the ext-authz server on specific virtual hosts \ routes. For example, adding a context extension on the virtual host level can give the ext-authz server information on what virtual host is used without needing to parse the host header. If CheckSettings is specified in multiple per-filter-configs, they will be merged in order, and the result will be be used. .. code-block:: json { "context_extensions": "{...}" } .. _envoy_api_field_config.filter.http.ext_authz.v2alpha.CheckSettings.context_extensions: context_extensions (map<`string `_, `string `_>) Context extensions to set on the CheckRequest's :ref:`AttributeContext.context_extensions` Merge semantics for this field are such that keys from more specific configs override. .. note:: These settings are only applied to a filter configured with a :ref:`grpc_service`.