
Support metadata input in Matching API

Open zhaohuabing opened this issue 1 year ago • 4 comments

Title: Support metadata input in Matching API

Description: The Matching API currently doesn't support Metadata Input. It would be valuable if Envoy could support it.

For instance, we prefer using Matcher over RBAC rules for authorization due to its flexibility. However, while RBAC allows specifying metadata as the principal, the matcher API currently lacks this capability, limiting use cases such as JWT claims as principals.

The supported Matching Inputs: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/matching/matching_api#extension-category-envoy-matching-http-input

@arkodg

zhaohuabing avatar May 10 '24 19:05 zhaohuabing

Sure, this would be a great addition, and can follow similar code to filter state input.

kyessenov avatar May 10 '24 19:05 kyessenov

Hey @zhaohuabing Are you working to implement it?

vikaschoudhary16 avatar May 12 '24 13:05 vikaschoudhary16

Hey @zhaohuabing Are you working to implement it?

No, feel free to go ahead if you get time.

zhaohuabing avatar May 12 '24 15:05 zhaohuabing

/assign

vikaschoudhary16 avatar May 13 '24 23:05 vikaschoudhary16

@vikaschoudhary16 when you start implementing this, my use case is that I would like to use a JWT claim like "email": "[email protected]" for RBAC. Also I would like to use JWT []string claims, like "roles": ["foo", "bar"]. If these array claims are currently forwarded to backends as headers, they show up in the headers as base64 encoded strings. It is pretty difficult to do authorization on a base64 encoded string. So is there some kind of shortcut to base64 decode and check whether a value is in the array?

zetaab avatar Jun 03 '24 19:06 zetaab

@zetaab I have tested the changes in the linked PR. If there is a claim like "roles": ["foo", "bar"] in the token, the matcher added in the linked PR is able to authorize on specific claims, e.g. foo allowed and bar denied.

So is there some kind of shortcut to base64 decode and check whether a value is in the array?

You can test your use case with my PR, if you want to give it a quick try. Functionally it should be working.

vikaschoudhary16 avatar Jun 26 '24 11:06 vikaschoudhary16

This would also be extremely useful for ExtensionWithMatcher to allow doing things such as setting HTTP headers depending on a specific JWT match. Looking forward to seeing this included in the mainline code.

yaroslavros avatar Jul 21 '24 20:07 yaroslavros

I can confirm that this patch indeed works nicely with ExtensionWithMatcher filter. For example, I can trigger HeaderMutation based on a specific metadata match (envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput input with type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata custom_match under single_predicate).

yaroslavros avatar Jul 22 '24 21:07 yaroslavros
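The two use cases in this thread, the foo-allowed/bar-denied "roles" claim from the earlier comments and the ExtensionWithMatcher-driven HeaderMutation from the comment above, wired into one HTTP filter chain. This is an added example, not config from the issue, the linked PR or the Envoy repository: jwt_authn stores the verified payload in dynamic metadata, matcher-based RBAC reads the "roles" array through DynamicMetadataInput plus the Metadata input matcher, and ExtensionWithMatcher skips header_mutation for a chosen role. The issuer, the JWKS path, the role name "service" and the header name x-user-email are assumed values.

```yaml
http_filters:
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      example_provider:
        issuer: https://issuer.example.com                 # assumed
        local_jwks: { filename: /etc/envoy/jwks.json }     # assumed path
        # Verified claims land as a Struct under namespace envoy.filters.http.jwt_authn, key jwt_payload
        payload_in_metadata: jwt_payload
    rules:
    - match: { prefix: "/" }
      requires: { provider_name: example_provider }
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    # Matcher-based RBAC: first matcher that matches wins; no match at all means DENY
    matcher:
      matcher_list:
        matchers:
        - predicate:
            single_predicate:
              input:
                name: roles-claim
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput
                  filter: envoy.filters.http.jwt_authn
                  path: [{ key: jwt_payload }, { key: roles }]
              custom_match:
                name: has-role-bar
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata
                  # list_match/one_of: true if any element of the array claim equals "bar"
                  value: { list_match: { one_of: { string_match: { exact: bar } } } }
          on_match:
            action:
              name: deny-bar
              typed_config:
                "@type": type.googleapis.com/envoy.config.rbac.v3.Action
                name: deny-bar
                action: DENY
        - predicate:
            single_predicate:
              input:
                name: roles-claim
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput
                  filter: envoy.filters.http.jwt_authn
                  path: [{ key: jwt_payload }, { key: roles }]
              custom_match:
                name: has-role-foo
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata
                  value: { list_match: { one_of: { string_match: { exact: foo } } } }
          on_match:
            action:
              name: allow-foo
              typed_config:
                "@type": type.googleapis.com/envoy.config.rbac.v3.Action
                name: allow-foo
                action: ALLOW
- name: envoy.filters.http.header_mutation
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.common.matching.v3.ExtensionWithMatcher
    extension_config:
      name: envoy.filters.http.header_mutation
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.http.header_mutation.v3.HeaderMutation
        mutations:
          request_mutations:
          - append:
              header: { key: x-user-email, value: "%DYNAMIC_METADATA(envoy.filters.http.jwt_authn:jwt_payload:email)%" }
    # The wrapped filter runs unless a matcher yields SkipFilter: no email header for role "service" (assumed)
    xds_matcher:
      matcher_list:
        matchers:
        - predicate:
            single_predicate:
              input:
                name: roles-claim
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput
                  filter: envoy.filters.http.jwt_authn
                  path: [{ key: jwt_payload }, { key: roles }]
              custom_match:
                name: has-role-service
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata
                  value: { list_match: { one_of: { string_match: { exact: service } } } }
          on_match:
            action:
              name: skip-header-mutation
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.common.matcher.action.v3.SkipFilter
```

Two points a practitioner should check before relying on this. DynamicMetadataInput only sees metadata that earlier filters have already written, so jwt_authn has to sit ahead of both the RBAC filter and the wrapped header_mutation filter in the chain, and a token whose payload is not written to metadata at all (for example because the route does not require a provider) yields no match. Second, matcher_list is evaluated in order and the first match wins, which is why deny-bar precedes allow-foo: a token carrying both roles is denied rather than allowed. The metadata input and matcher types used here are the ones this thread's linked PR adds, so the build running this config needs to include that change.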