Make Http Status configurable for ext auth service when enabled for gRPC services
#11 079 ouverte le 6 mai 2020
Métriques du dépôt
- Stars
- (27 997 stars)
- Métriques de merge PR
- (Merge moyen 8j) (378 PRs mergées en 30 j)
Description
when ext auth gRPC service returns Permission Denied(7), Envoy returns Http Status : 200, gRPC Status: 7 to client if the client is gRPC service and Http Status - 403 to client if the client is Http Service. Technically this is correct but it causes some confusion for gRPC services.
In this case, since the actual gRPC service has not started processing the request yet(ext authz rejected before), I think it might fall under this category https://github.com/grpc/grpc/blob/master/doc/http-grpc-status-mapping.md and gRPC clients should be able to handle non 200 Http response as documented there?
Discussed with @dio on Slack - and we felt it may be reasonable to add a configuration to ext auth (http_status_for_grpc_on_deny or some thing similar) that can dictate this behaviour and send 403 in http status for gRPC services if configured.
Creating this issue to continue that discussion and gather other opinions.