Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ext_authz #58

Closed
guicassolato opened this issue Jul 1, 2024 · 3 comments
Closed

Ext_authz #58

guicassolato opened this issue Jul 1, 2024 · 3 comments
Assignees
Labels
enhancement New feature or request

Comments

@guicassolato
Copy link
Contributor

Make possible for the wasm-shim to issue gRPC Envoy ext_authz requests based on configuration.

Other than the main attributes source, destination, and request of the CheckRequest message, supplying values in the context_extensions field must as well be supported. This will be useful to hint the authorization service lookup without the constraint on the host name as the only unique identifier of effective policies (AuthConfig CRs.)

@david-martin
Copy link
Member

@guicassolato Will this change mean that tracing behaves the same as with limitador?
That is, trace ids do not propagate to wasm modules in Istio/Envoy, affecting trace continuity in authorino?
(in which case, we should update the tracing guide at https://docs.kuadrant.io/0.8.0/kuadrant-operator/doc/observability/tracing/ to mention this)

@guicassolato
Copy link
Contributor Author

@guicassolato Will this change mean that tracing behaves the same as with limitador? That is, trace ids do not propagate to wasm modules in Istio/Envoy, affecting trace continuity in authorino? (in which case, we should update the tracing guide at https://docs.kuadrant.io/0.8.0/kuadrant-operator/doc/observability/tracing/ to mention this)

It probably does, @david-martin. Thanks for pointing this out!

@eguzki
Copy link
Contributor

eguzki commented Oct 18, 2024

@didierofrivia I guess we can close this after #92. The RFE is

Make possible for the wasm-shim to issue gRPC Envoy ext_authz requests based on configuration.

The wasm-shim supports that today with the configuration action

"extensions": {
            "authorino": {
                "type": "auth",
                "endpoint": "authorino-cluster",
                "failureMode": "deny",
                "timeout": "5s"
            }
        },
...
 "actions": [
                {
                    "extension": "authorino",
                    "scope": "authconfig-A"
                }
]

Even though, the control plane does not use it (yet), this issue is completed IMO. wdyt? Can we close this?
The control plane work to be done is scoped in Kuadrant/kuadrant-operator#822

Reconciliation of the wasm config for the auth and RL effective policies.

@eguzki eguzki closed this as completed Oct 22, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in Kuadrant Oct 22, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
Status: Done
Development

No branches or pull requests

5 participants