Envoy: ext_authz: config ignored if route does not specify cluster
As in #8262, the ext_authz filter is a no-op if a route is configured with a direct response action or redirect.
Notably, the filter uses the route/route_entry to obtain a ClusterInfoConstSharedPtr which is used for recording stats. Instead, I think that the filter should produce stats in the context's scope (see the JWT Authn filter, for example) and only produce cluster-specific stats if a cluster is available. In any event, it shouldn't silently skip auth.
A related corner case is that it's possible for the ext_authn response to modify headers and clear the route cache. The re-computed route might send proxy requests to a different cluster (or use a direct response or redirect) but the stats always go to the original cluster.
See also #8250 where the ext_authz filter produced no effect because the header used for cluster selection (via RouteAction.cluster_header) wasn't set yet.
zuercher
All 6 comments
/assign @nezdolik
zuercher
on 25 Sep 2019
@nezdolik cannot be assigned to this issue.
:cat:
Caused by: a https://github.com/envoyproxy/envoy/issues/8355#issuecomment-535124103 was created by @zuercher.
![repokitteh[bot] picture](https://avatars0.githubusercontent.com/in/16729?v=4&s=40)
repokitteh[bot]
on 25 Sep 2019
@nezdolik is going to work on this.
zuercher
on 25 Sep 2019
@zuercher mind assigning @nezdolik and removing help wanted?
derekargueta
on 10 Oct 2019
/assign
nezdolik
on 11 Oct 2019
nezdolik is not allowed to assign users.
:cat:
Caused by: a https://github.com/envoyproxy/envoy/issues/8355#issuecomment-540983612 was created by @nezdolik.
repokitteh[bot]
on 11 Oct 2019
Related issues
sabiurr
路
3Comments
alkov-ibm
路
3Comments
rshriram
路
3Comments
weixiao-huang
路
3Comments
lps0535
路
3Comments