ext_authz Authentication #1059

Closed
xervon opened this issue Feb 17, 2023 · 10 comments

xervon commented Feb 17, 2023

Description:
Are there any plans of supporting ext_authz request authentication?

@xervon xervon added the kind/enhancement New feature or request label Feb 17, 2023
Contributor

arkodg commented Feb 17, 2023

@xervon the project supports a native Authn API and plans on allowing advanced users to configure envoy filters such as ext_authz as well. #24 is the tracking issue that should address this use case, which should hopefully be part of the 0.4.0 release in April 2023.

Author

xervon commented Feb 18, 2023

Thanks for the quick answer. I guess I should have clarified that I had already seen both of those. I was wondering if there were already plans to extend the AuthenticationFilter with support for ext_authz (similar to #881 as far as I understand that one). And if there are no plans regarding this, what would have to be done if I wanted to take a stab at this?

Contributor

arkodg commented Feb 18, 2023

@xervon imho ext_authz is something an advanced user would be aware of, so would prefer taking the #24 route, understand the shortcomings once implemented and used, and if it is still required, expose the fields of the underlying envoy filter into the higher level authn API

Author

xervon commented Feb 18, 2023

IMO it seems particularly useful to make ext_authz easily available to all users. Not only is this the case in most ingress controllers I know of (see links at the bottom) but it also allows the user to use pretty much any authn/authz method they prefer using custom authn/authz servers or tools like Ory oathkeeper. This means it's an alternative, in case another authn/z method isn't supported by AuthenticationFilter.

Also: as far as I understand the plans in #24, the custom configuration seems to be planned to be all or nothing. From my standpoint envoy-gateway in its current state feels very well integrated with gateway api. Having to configure the full proxy if I want to use any authz/authn besides JWT feels quite restrictive. If this goes beyond the scope of these first releases it might still be worth thinking about being able to override at least just the authn/authz part of the config while leaving the rest of the request processing alone, though I don't know envoy well enough to know if this would be possible.

References in other ingress controllers:
haproxy-ingress
gloo
traefik
ambassador
nginx
contour

Contributor

arkodg commented Feb 20, 2023

Thanks for sharing all the references for other projects @xervon, the original design doc did account for ext_authz, hoping other @envoyproxy/gateway-maintainers can chime in

@github-actions

This issue has been automatically marked as stale because it has not had activity in the last 30 days.

@github-actions github-actions bot added the stale label Mar 23, 2023
@arkodg arkodg added area/policy and removed stale labels Nov 7, 2023
Contributor

arkodg commented Nov 7, 2023

speaking with many users at KubeCon, who would like to integrate with an external authz system like OPA
this can now be added into https://gateway.envoyproxy.io/latest/api/extension_types/#securitypolicy

Contributor

akhenakh commented Nov 7, 2023

Agree, it's very common to point to an ext_authz_filter filter to talk to an authorization server; resorting to patching xDS for a basic need is not optimal
