Support metadata input in Matching API #34092

Closed
zhaohuabing opened this issue May 10, 2024 · 8 comments · Fixed by #34891
Labels: area/matching, enhancement (Feature requests. Not bugs or questions.)
zhaohuabing (Member) commented May 10, 2024

Title: Support metadata input in Matching API

Description:
The Matching API currently doesn't support Metadata Input. It would be valuable if Envoy could support it.

For instance, we prefer using Matcher over RBAC rules for authorization due to its flexibility. However, while RBAC allows specifying metadata as the principal, the matcher API currently lacks this capability, limiting use cases such as JWT claims as principals.

The supported Matching Inputs: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/matching/matching_api#extension-category-envoy-matching-http-input

@arkodg

@zhaohuabing zhaohuabing added enhancement Feature requests. Not bugs or questions. triage Issue requires triage labels May 10, 2024
@kyessenov (Contributor)

Sure, this would be a great addition, and can follow similar code to filter state input.

@vikaschoudhary16 (Contributor)

Hey @zhaohuabing Are you working to implement it?

@zhaohuabing (Member, Author)

> Hey @zhaohuabing Are you working to implement it?

No, feel free to go ahead if you get time.

@ravenblackx ravenblackx added area/matching and removed triage Issue requires triage labels May 13, 2024
@vikaschoudhary16 (Contributor)

/assign

zetaab commented Jun 3, 2024

@vikaschoudhary16 when you start implementing this, my use case is that I would like to use a JWT claim like "email": "[email protected]" for RBAC. Also I would like to use JWT []string claims. That can be like "roles": ["foo", "bar"]. If these array claims are forwarded currently to backends as headers, these will be shown in headers as a base64 encoded string. It is pretty difficult to do authorization for a base64 encoded string. So is there some kind of shortcut to base64 decode and check is there value in array?

vikaschoudhary16 (Contributor) commented Jun 26, 2024

@zetaab I have tested changes in the linked PR. If there is a claim like "roles": ["foo", "bar"] in the token, the matcher which is added in the linked PR is able to authorize on specific claims like foo allowed and bar denied etc.

> So is there some kind of shortcut to base64 decode and check is there value in array?

You can test your use case with my PR, if you want to give it a quick try. Functionally it should be working.

@yaroslavros

This would also be extremely useful for ExtensionWithMatcher to allow doing things such as setting HTTP headers depending on a specific JWT match.
Looking forward to seeing this included in the mainline code.

@yaroslavros

I can confirm that this patch indeed works nicely with ExtensionWithMatcher filter. For example, I can trigger HeaderMutation based on a specific metadata match (envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput input with type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata custom_match under single_predicate).
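
An added configuration sketch of the setup described in the comment above (not part of the original thread and not the commenter's or the project's own config): an ExtensionWithMatcher wrapping HeaderMutation so the mutation only runs when a JWT `roles` claim in dynamic metadata contains `foo`. Assumptions: jwt_authn runs earlier in the chain with `payload_in_metadata: jwt_payload`; the `roles` claim, the `x-role` header and the `name` labels are hypothetical.

```yaml
# HTTP filter entry (constructed example). Assumes the jwt_authn provider is
# configured with payload_in_metadata: jwt_payload, so the verified claims land
# in dynamic metadata under the envoy.filters.http.jwt_authn namespace.
- name: header-mutation-if-role            # label chosen for this example
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.common.matching.v3.ExtensionWithMatcher
    extension_config:
      name: envoy.filters.http.header_mutation
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.http.header_mutation.v3.HeaderMutation
        mutations:
          request_mutations:
          - append:
              header: {key: x-role, value: foo}   # hypothetical header
              append_action: OVERWRITE_IF_EXISTS_OR_ADD
    xds_matcher:
      matcher_list:
        matchers:
        - predicate:
            single_predicate:
              input:
                name: dynamic-metadata-input      # label only
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput
                  filter: envoy.filters.http.jwt_authn
                  path:
                  - key: jwt_payload              # assumed payload_in_metadata key
                  - key: roles                    # hypothetical []string claim
              custom_match:
                name: metadata-matcher            # label only
                typed_config:
                  "@type": type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata
                  value:
                    list_match:
                      one_of:
                        string_match: {exact: foo}
                  # Inverted: the predicate matches when "foo" is NOT in roles,
                  # and a match skips the wrapped filter.
                  invert: true
          on_match:
            action:
              name: skip
              typed_config:
                "@type": type.googleapis.com/envoy.extensions.filters.common.matcher.action.v3.SkipFilter
```

The claim is matched as a list value directly from metadata, so no base64 decoding of a forwarded header is involved.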

yanavlasov pushed a commit that referenced this issue Aug 5, 2024
update-envoy bot added a commit to envoyproxy/data-plane-api that referenced this issue Aug 5, 2024
fixes: envoyproxy/envoy#34092

---------

Signed-off-by: Vikas Choudhary <[email protected]>

Mirrored from https://github.com/envoyproxy/envoy @ 520d88e4cb4e8c5014531281a88dcc8076e18bfd
martinduke pushed a commit to martinduke/envoy that referenced this issue Aug 8, 2024
fixes: envoyproxy#34092

---------

Signed-off-by: Vikas Choudhary <[email protected]>
Signed-off-by: Martin Duke <[email protected]>
asingh-g pushed a commit to asingh-g/envoy that referenced this issue Aug 20, 2024