External Authorization

The external authorization filter calls an external gRPC or HTTP service to check whether an incoming HTTP request is authorized. If the request is deemed unauthorized, it is denied, by default with a 403 (Forbidden) response. The authorization service can also return additional custom metadata that is sent to the upstream, to the downstream, or back to the authorization service on later checks. This is explained in more detail in the HTTP filter reference.

The content of the requests that are passed to an authorization service is specified by CheckRequest.

The HTTP filter, using either a gRPC or an HTTP service, can be configured as follows. All configuration options are listed in the HTTP filter reference.

Configuration Examples

A sample filter configuration for a gRPC authorization server:

  http_filters:
  - name: envoy.filters.http.ext_authz
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
      grpc_service:
        envoy_grpc:
          cluster_name: ext-authz
        # Default is 200ms; override if your server needs e.g. warmup time.
        timeout: 0.5s
      include_peer_certificate: true

  clusters:
  - name: ext-authz
    type: static
    http2_protocol_options: {}
    load_assignment:
      cluster_name: ext-authz
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 10003
    # This timeout controls the initial TCP handshake timeout - not the timeout for the
    # entire request.
    connect_timeout: 0.25s

Note

One of the features of this filter is to send the HTTP request body to the configured gRPC authorization server as part of the check request.

A sample configuration is as follows:

  http_filters:
  - name: envoy.filters.http.ext_authz
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
      grpc_service:
        envoy_grpc:
          cluster_name: ext-authz
      with_request_body:
        max_request_bytes: 1024
        allow_partial_message: true
        pack_as_bytes: true

Please note that by default the check request carries the HTTP request body as a UTF-8 string in the body field. To pass the request body as raw bytes instead, set the pack_as_bytes field to true; the raw_body field is then set and the body field is left empty.

A sample filter configuration for a raw HTTP authorization server:

  http_filters:
  - name: envoy.filters.http.ext_authz
    typed_config:
      "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
      http_service:
        server_uri:
          uri: 127.0.0.1:10003
          cluster: ext-authz
          timeout: 0.25s
      failure_mode_allow: false
      include_peer_certificate: true

  clusters:
  - name: ext-authz
    connect_timeout: 0.25s
    type: logical_dns
    lb_policy: round_robin
    load_assignment:
      cluster_name: ext-authz
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address:
                address: 127.0.0.1
                port_value: 10003
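To show what the raw HTTP authorization server behind the http_service configuration above has to do, here is an added example (not code from the Envoy project or this page): a minimal server on 127.0.0.1:10003. Envoy allows the original request only when the server answers 200 and otherwise denies it, returning the server's status and body to the downstream client; the token table and the read-only/admin policy are constructed for the demo.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed token table for the demo only; a real server would consult
# an identity provider or a token store.
TOKENS = {"token-alice": "alice", "token-bob": "bob"}
READ_ONLY_USERS = {"bob"}  # constructed policy: bob may only read

def decide(method, path, headers):
    """Authorization decision for one request forwarded by Envoy.

    Returns (status, response_headers, body). Envoy allows the original
    request only on 200; any other status denies it, and that status and
    body are what the downstream client receives.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    auth = lower.get("authorization", "")
    if not auth.startswith("Bearer "):
        return 401, {"www-authenticate": "Bearer"}, b"missing bearer token\n"
    user = TOKENS.get(auth[len("Bearer "):])
    if user is None:
        return 403, {}, b"invalid token\n"
    if path.startswith("/admin") and user != "alice":
        return 403, {}, b"admin area\n"
    if user in READ_ONLY_USERS and method not in ("GET", "HEAD"):
        return 403, {}, b"read-only user\n"
    # Allowed. x-authz-user reaches the upstream only if it is listed in
    # http_service.authorization_response.allowed_upstream_headers.
    return 200, {"x-authz-user": user}, b""

class AuthzHandler(BaseHTTPRequestHandler):
    def _check(self):
        # Drain any body so keep-alive connections stay in sync.
        self.rfile.read(int(self.headers.get("content-length", 0)))
        status, extra, body = decide(self.command, self.path, dict(self.headers))
        self.send_response(status)
        for name, value in extra.items():
            self.send_header(name, value)
        self.send_header("content-length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_PATCH = do_DELETE = _check

if __name__ == "__main__":
    # Same address as the ext-authz cluster in the configuration above.
    HTTPServer(("127.0.0.1", 10003), AuthzHandler).serve_forever()
```

With failure_mode_allow set to false, as above, a timeout or connection error to this server also results in a denial rather than a pass-through.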

Per-Route Configuration

A sample virtual host and route filter configuration. In this example we add additional context on the virtual host and disable the filter for routes with the /static prefix.

  route_config:
    name: local_route
    virtual_hosts:
    - name: local_service
      domains: ["*"]
      typed_per_filter_config:
        envoy.filters.http.ext_authz:
          "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
          check_settings:
            context_extensions:
              virtual_host: local_service
      routes:
      - match: { prefix: "/static" }
        route: { cluster: some_service }
        typed_per_filter_config:
          envoy.filters.http.ext_authz:
            "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute
            disabled: true
      - match: { prefix: "/" }
        route: { cluster: some_service }

Statistics

The HTTP filter outputs statistics in the cluster.<route target cluster>.ext_authz. namespace.

Name                  Type     Description
ok                    Counter  Total responses from the filter.
error                 Counter  Total errors (including timeouts) contacting the external service.
timeout               Counter  Total timeouts contacting the external service (only counted when the timeout is measured from the creation of the check request).
denied                Counter  Total responses from the authorization service that denied the traffic.
disabled              Counter  Total requests allowed without calling the external service because the filter is disabled.
failure_mode_allowed  Counter  Total requests that produced an error but were allowed through because failure_mode_allow is set to true.

Dynamic Metadata

Note

The External Authorization filter emits dynamic metadata only when it is configured to use a gRPC service as the authorization server.

The External Authorization filter emits dynamic metadata as an opaque google.protobuf.Struct only when the gRPC authorization server returns a CheckResponse with a filled dynamic_metadata field.

Runtime

The fraction of requests for which the filter is enabled can be configured via the runtime_key value of the filter_enabled field.