envoyproxy/envoy

Make Http Status configurable for ext auth service when enabled for gRPC services

Open

#11.079 aperta il 6 mag 2020

Vedi su GitHub
 (17 commenti) (1 reazione) (0 assegnatari)C++ (5373 fork)batch import
area/ext_authzenhancementhelp wanted

Metriche repository

Star
 (27.997 star)
Metriche merge PR
 (Merge medio 8g) (378 PR mergiate in 30 g)

Descrizione

when ext auth gRPC service returns Permission Denied(7), Envoy returns Http Status : 200, gRPC Status: 7 to client if the client is gRPC service and Http Status - 403 to client if the client is Http Service. Technically this is correct but it causes some confusion for gRPC services.

In this case, since the actual gRPC service has not started processing the request yet(ext authz rejected before), I think it might fall under this category https://github.com/grpc/grpc/blob/master/doc/http-grpc-status-mapping.md and gRPC clients should be able to handle non 200 Http response as documented there?

Discussed with @dio on Slack - and we felt it may be reasonable to add a configuration to ext auth (http_status_for_grpc_on_deny or some thing similar) that can dictate this behaviour and send 403 in http status for gRPC services if configured.

Creating this issue to continue that discussion and gather other opinions.

Guida contributor