envoyproxy/envoy

Make Http Status configurable for ext auth service when enabled for gRPC services

Open

#11,079 opened on May 6, 2020

View on GitHub
 (17 comments) (1 reaction) (0 assignees)C++ (5,373 forks)batch import
area/ext_authzenhancementhelp wanted

Repository metrics

Stars
 (27,997 stars)
PR merge metrics
 (Avg merge 8d) (378 merged PRs in 30d)

Description

when ext auth gRPC service returns Permission Denied(7), Envoy returns Http Status : 200, gRPC Status: 7 to client if the client is gRPC service and Http Status - 403 to client if the client is Http Service. Technically this is correct but it causes some confusion for gRPC services.

In this case, since the actual gRPC service has not started processing the request yet(ext authz rejected before), I think it might fall under this category https://github.com/grpc/grpc/blob/master/doc/http-grpc-status-mapping.md and gRPC clients should be able to handle non 200 Http response as documented there?

Discussed with @dio on Slack - and we felt it may be reasonable to add a configuration to ext auth (http_status_for_grpc_on_deny or some thing similar) that can dictate this behaviour and send 403 in http status for gRPC services if configured.

Creating this issue to continue that discussion and gather other opinions.

Contributor guide