Make Http Status configurable for ext auth service when enabled for gRPC services
#11.079 aperta il 6 mag 2020
Metriche repository
- Star
- (27.997 star)
- Metriche merge PR
- (Merge medio 8g) (378 PR mergiate in 30 g)
Descrizione
when ext auth gRPC service returns Permission Denied(7), Envoy returns Http Status : 200, gRPC Status: 7 to client if the client is gRPC service and Http Status - 403 to client if the client is Http Service. Technically this is correct but it causes some confusion for gRPC services.
In this case, since the actual gRPC service has not started processing the request yet(ext authz rejected before), I think it might fall under this category https://github.com/grpc/grpc/blob/master/doc/http-grpc-status-mapping.md and gRPC clients should be able to handle non 200 Http response as documented there?
Discussed with @dio on Slack - and we felt it may be reasonable to add a configuration to ext auth (http_status_for_grpc_on_deny or some thing similar) that can dictate this behaviour and send 403 in http status for gRPC services if configured.
Creating this issue to continue that discussion and gather other opinions.