External Authorization

The external authorization network filter calls an external authorization service to check if the incoming request is authorized or not. If the request is deemed unauthorized by the network filter then the connection will be closed.

Tip

It is recommended that this filter is configured first in the filter chain so that requests are authorized prior to rest of the filters processing the request.

The content of the request that are passed to an authorization service is specified by CheckRequest.

The network filter, gRPC service, can be configured as follows. You can see all the configuration options at Network filter.

Example

A sample filter configuration could be:

  1. filters:
  2.   - name: envoy.filters.network.ext_authz
  3.     typed_config:
  4.       "@type": type.googleapis.com/envoy.extensions.filters.network.ext_authz.v3.ExtAuthz
  5.       stat_prefix: ext_authz
  6.       grpc_service:
  7.         envoy_grpc:
  8.           cluster_name: ext-authz
  9.       include_peer_certificate: true
  11. clusters:
  12.   - name: ext-authz
  13.     type: static
  14.     typed_extension_protocol_options:
  15.       envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
  16.         "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions
  17.         explicit_http_config:
  18.           http2_protocol_options: {}
  19.     load_assignment:
  20.       cluster_name: ext-authz
  21.       endpoints:
  22.       - lb_endpoints:
  23.         - endpoint:
  24.             address:
  25.               socket_address:
  26.                 address: 127.0.0.1
  27.                 port_value: 10003

A sample request body to the specified auth service looks like

  1. {
  2.   "source":{
  3.     "address":{
  4.       "socket_address":{
  5.         "address": "172.17.0.1",
  6.         "port_value": 56746
  7.       }
  8.     }
  9.   }
  10.   "destination":{
  11.     "service": "www.bing.com",
  12.     "address":{
  13.       "socket_address": {
  14.         "address": "127.0.0.1",
  15.         "port_value": 10003
  16.       }
  17.     }
  18.   }
  19. }

Statistics

The network filter outputs statistics in the config.ext_authz. namespace.

Name

Type

Description

total

Counter

Total responses from the filter.

error

Counter

Total errors contacting the external service.

denied

Counter

Total responses from the authorizations service that were to deny the traffic.

disabled

Counter

Total requests that are allowed without calling external services due to the filter is disabled.

failure_mode_allowed

Counter

Total requests that were error(s) but were allowed through because of failure_mode_allow set to true.

ok

Counter

Total responses from the authorization service that were to allow the traffic.

cx_closed

Counter

Total connections that were closed.

active

Gauge

Total currently active requests in transit to the authorization service.

Dynamic Metadata

The External Authorization filter emits dynamic metadata as an opaque google.protobuf.Struct only when the gRPC authorization server returns a CheckResponse with a filled dynamic_metadata field.