External Authorization

The external authorization filter calls an external gRPC or HTTP service to check whether an incoming HTTP request is authorized. If the request is deemed unauthorized, it is denied, normally with a 403 (Forbidden) response. Note that sending additional custom metadata from the authorization service to the upstream, to the downstream, or back to the authorization service is also possible. This is explained in more detail at HTTP filter.

The content of the request that is passed to the authorization service is specified by CheckRequest.

The HTTP filter, using a gRPC or HTTP service, can be configured as follows. You can see all the configuration options at HTTP filter.

Configuration Examples

A sample filter configuration for a gRPC authorization server:

    http_filters:
      - name: envoy.ext_authz
        config:
          grpc_service:
            envoy_grpc:
              cluster_name: ext-authz
            # Default is 200ms; override if your server needs e.g. warmup time.
            timeout: 0.5s
    clusters:
      - name: ext-authz
        type: static
        http2_protocol_options: {}
        load_assignment:
          cluster_name: ext-authz
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: 127.0.0.1
                    port_value: 10003
        # This timeout controls the initial TCP handshake timeout - not the timeout for the
        # entire request.
        connect_timeout: 0.25s

A sample filter configuration for a raw HTTP authorization server:

    http_filters:
      - name: envoy.ext_authz
        config:
          http_service:
            server_uri:
              uri: 127.0.0.1:10003
              cluster: ext-authz
              timeout: 0.25s
          failure_mode_allow: false
    clusters:
      - name: ext-authz
        connect_timeout: 0.25s
        type: logical_dns
        lb_policy: round_robin
        load_assignment:
          cluster_name: ext-authz
          endpoints:
          - lb_endpoints:
            - endpoint:
                address:
                  socket_address:
                    address: 127.0.0.1
                    port_value: 10003
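To make the raw HTTP configuration above concrete, here is a minimal authorization server that listens on 127.0.0.1:10003, the address the `ext-authz` cluster points at. This is an added example, not Envoy project code. Envoy forwards the downstream request's method, path and headers to the server; a 200 response allows the request, and any other status denies it, with that status and body returned to the client. The token table and path policy are constructed for the example; the `x-ext-authz-user` header it sets on allow only reaches the upstream if the filter's `http_service.authorization_response.allowed_upstream_headers` lists it (not shown in the configuration above).

```python
"""Minimal raw-HTTP ext_authz authorization server (added example, not Envoy's own code).

Decision contract with Envoy's http_service client:
  200            -> allow; selected response headers may be copied to the upstream request
  anything else  -> deny; the status and body are returned to the downstream client
The filter timeout above is 0.25s, so decisions must be cheap: no slow network lookups here.
"""
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample token table: bearer token -> (user, roles).
# A real deployment would verify a signed token or query an identity provider instead.
TOKENS = {
    "tok-alice-123": ("alice", {"reader"}),
    "tok-bob-456": ("bob", {"reader", "admin"}),
}

# Constructed path policy: longest matching prefix wins, value is the role required.
PATH_POLICY = {
    "/admin": "admin",
    "/": "reader",
}


def required_role(path):
    """Role needed for a request path (query string ignored)."""
    path = path.split("?", 1)[0]
    best = max((p for p in PATH_POLICY if path.startswith(p)), key=len)
    return PATH_POLICY[best]


def lookup(token):
    """Find the identity for a token, comparing every candidate so lookup time
    does not reveal which prefix of the token matched."""
    found = None
    for candidate, identity in TOKENS.items():
        if hmac.compare_digest(candidate.encode(), token.encode()):
            found = identity
    return found


def check(method, path, headers):
    """Return (status, response_headers, body) for one authorization check.
    `headers` is a dict with lower-cased header names, as Envoy forwards them."""
    scheme, _, token = headers.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, {"www-authenticate": 'Bearer realm="example"'}, b"missing or malformed bearer token\n"
    identity = lookup(token.strip())
    if identity is None:
        return 401, {"www-authenticate": 'Bearer error="invalid_token"'}, b"unknown token\n"
    user, roles = identity
    if required_role(path) not in roles:
        return 403, {}, b"forbidden\n"
    # Allowed: tell the upstream who the caller is (Envoy forwards this header only
    # when it is listed in allowed_upstream_headers in the filter configuration).
    return 200, {"x-ext-authz-user": user}, b""


class AuthzHandler(BaseHTTPRequestHandler):
    def _handle(self):
        # Drain any body Envoy may have attached so the connection stays reusable.
        self.rfile.read(int(self.headers.get("content-length", "0") or 0))
        headers = {k.lower(): v for k, v in self.headers.items()}
        status, resp_headers, body = check(self.command, self.path, headers)
        self.send_response(status)
        for name, value in resp_headers.items():
            self.send_header(name, value)
        self.send_header("content-length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    do_GET = do_POST = do_PUT = do_DELETE = do_PATCH = _handle

    def log_message(self, fmt, *args):
        # Keep the decision log short: status and path only, never the token.
        print("ext_authz %s %s" % (self.command, self.path.split("?", 1)[0]))


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 10003), AuthzHandler).serve_forever()
```

Run it alongside an Envoy using the configuration above and the `denied` counter in the Statistics section increments for every non-200 answer it returns, while `error` counts timeouts or connection failures to it; with `failure_mode_allow: false` those errors also deny the request.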

Per-Route Configuration

A sample virtual host and route filter configuration. In this example we add additional context on the virtual host, and disable the filter for routes prefixed with /static.

    route_config:
      name: local_route
      virtual_hosts:
      - name: local_service
        domains: ["*"]
        per_filter_config:
          envoy.ext_authz:
            check_settings:
              context_extensions:
                virtual_host: local_service
        routes:
        - match: { prefix: "/static" }
          route: { cluster: some_service }
          per_filter_config:
            envoy.ext_authz:
              disabled: true
        - match: { prefix: "/" }
          route: { cluster: some_service }

Statistics

The HTTP filter outputs statistics in the cluster.<route target cluster>.ext_authz. namespace.

    Name                  Type     Description
    ok                    Counter  Total responses from the filter.
    error                 Counter  Total errors contacting the external service.
    denied                Counter  Total responses from the authorization service that were to deny the traffic.
    failure_mode_allowed  Counter  Total requests that were error(s) but were allowed through because failure_mode_allow is set to true.