Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ext_authz #58

Open
guicassolato opened this issue Jul 1, 2024 · 3 comments
Open

Ext_authz #58

guicassolato opened this issue Jul 1, 2024 · 3 comments
Assignees
@didierofrivia @adam-cattermole
Labels
enhancement New feature or request

Comments

@guicassolato
Copy link

Make possible for the wasm-shim to issue gRPC Envoy ext_authz requests based on configuration.

Other than the main attributes source, destination, and request of the CheckRequest message, supplying values in the context_extensions field must as well be supported. This will be useful to hint the authorization service lookup without the constraint on the host name as the only unique identifier of effective policies (AuthConfig CRs.)
@david-martin
Copy link

@guicassolato Will this change mean that tracing behaves the same as with limitador?
That is, trace ids do not propagate to wasm modules in Istio/Envoy, affecting trace continuity in authorino?
(in which case, we should update the tracing guide at https://docs.kuadrant.io/0.8.0/kuadrant-operator/doc/observability/tracing/ to mention this)

@guicassolato
Copy link
Author

@guicassolato Will this change mean that tracing behaves the same as with limitador? That is, trace ids do not propagate to wasm modules in Istio/Envoy, affecting trace continuity in authorino? (in which case, we should update the tracing guide at https://docs.kuadrant.io/0.8.0/kuadrant-operator/doc/observability/tracing/ to mention this)

It probably does, @david-martin. Thanks for pointing this out!

@david-martin david-martin mentioned this issue Jul 4, 2024
Open
@alexsnaps alexsnaps mentioned this issue Aug 9, 2024
Open
5 tasks
@didierofrivia didierofrivia added the enhancement New feature or request label Aug 14, 2024
This was referenced Aug 14, 2024
Merged
Merged
@didierofrivia didierofrivia mentioned this issue Sep 4, 2024
Merged
@didierofrivia didierofrivia mentioned this issue Sep 13, 2024
Merged
@eguzki eguzki mentioned this issue Sep 20, 2024
Closed
This was referenced Sep 25, 2024
Closed
Merged
@eguzki eguzki mentioned this issue Oct 8, 2024
Open
@eguzki
Copy link
Contributor

eguzki commented Oct 18, 2024
edited
Loading

@didierofrivia I guess we can close this after #92. The RFE is

Make possible for the wasm-shim to issue gRPC Envoy ext_authz requests based on configuration.

The wasm-shim supports that today with the configuration action

"extensions": {
            "authorino": {
                "type": "auth",
                "endpoint": "authorino-cluster",
                "failureMode": "deny",
                "timeout": "5s"
            }
        },
...
 "actions": [
                {
                    "extension": "authorino",
                    "scope": "authconfig-A"
                }
]

Even though, the control plane does not use it (yet), this issue is completed IMO. wdyt? Can we close this?
The control plane work to be done is scoped in Kuadrant/kuadrant-operator#822

Reconciliation of the wasm config for the auth and RL effective policies.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@didierofrivia didierofrivia

@adam-cattermole adam-cattermole

Labels
enhancement New feature or request
Projects
Kuadrant
Status: In Progress
Milestone
No milestone
Development

No branches or pull requests
5 participants
@david-martin @eguzki @guicassolato @didierofrivia @adam-cattermole