Ambassador: Support GRPC external auth

Created on 30 Oct 2018  路  5Comments  路  Source: datawire/ambassador

Please describe your use case / problem.
I have an existing GRPC service supporting Envoy's [external auth] (https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/ext_authz_filter) protocol. I would like to use it with ambassador. However, Ambassador only supports configuring the http version of the protocol.

Describe the solution you'd like
I would like Ambassador to choose between the http and grpc version of the protocol by inspecting the scheme portion of the url provided to AuthService.auth_service as follows:

  • If the scheme is http, then the use the http protocol
  • If the scheme is grpc, then use the grpc protocol
  • If the scheme is undefined, then use the http protocol (for backwards compatibility)
  • If the scheme is anything else, error.

One unfortunate part to this is that the http and grpc configurations for the auth service are quite different, so the solution is not as simple as just passing the url down to envoy.

Describe alternatives you've considered
I could have rewritten the service, but that's not a very scaleable solution. :)

Additional context
I proposed this on the ambassador-dev slack channel. I also prototyped it.

Most helpful comment

Is there any documentation/sample code available demonstrating how to implement external auth via gRPC?

All 5 comments

I can probably do a PR for this in the next week or two. I just need a bit of time to clean up my prototype code and test out some stuff I didn't consider in it.

A PR over the release/0.50.0 branch would be wonderful!

Note that technically this is a duplicate of #63 -- I'm going to leave both of them open, though, since there's so much more information here.

Supported! as of 0.50.0-ea7.

Is there any documentation/sample code available demonstrating how to implement external auth via gRPC?

Was this page helpful?
0 / 5 - 0 ratings

Related issues

josephglanville picture josephglanville  路  3Comments

caiobegotti picture caiobegotti  路  4Comments

gregbacchus picture gregbacchus  路  3Comments

riker09 picture riker09  路  4Comments

cakuros picture cakuros  路  4Comments