envoyproxy/envoy

Make Http Status configurable for ext auth service when enabled for gRPC services

Open

#11,079 建立於 2020年5月6日

在 GitHub 查看
 (17 留言) (1 反應) (0 負責人)C++ (5,373 fork)batch import
area/ext_authzenhancementhelp wanted

倉庫指標

Star
 (27,997 star)
PR 合併指標
 (平均合併 8天) (30 天內合併 378 個 PR)

描述

when ext auth gRPC service returns Permission Denied(7), Envoy returns Http Status : 200, gRPC Status: 7 to client if the client is gRPC service and Http Status - 403 to client if the client is Http Service. Technically this is correct but it causes some confusion for gRPC services.

In this case, since the actual gRPC service has not started processing the request yet(ext authz rejected before), I think it might fall under this category https://github.com/grpc/grpc/blob/master/doc/http-grpc-status-mapping.md and gRPC clients should be able to handle non 200 Http response as documented there?

Discussed with @dio on Slack - and we felt it may be reasonable to add a configuration to ext auth (http_status_for_grpc_on_deny or some thing similar) that can dictate this behaviour and send 403 in http status for gRPC services if configured.

Creating this issue to continue that discussion and gather other opinions.

貢獻者指南