Support metadata input in Matching API #34092
Comments
Sure, this would be a great addition, and can follow similar code to filter state input.
Hey @zhaohuabing Are you working to implement it?
No, feel free to go ahead if you get time.
/assign
@vikaschoudhary16 when you start implementing this, my use case is that I would like to use a JWT claim like "email": "[email protected]" for RBAC. Also I would like to use JWT []string claims. That can be like "roles": ["foo", "bar"]. If these array claims are currently forwarded to backends as headers, they will be shown in headers as a base64-encoded string. It is pretty difficult to do authorization on a base64-encoded string. So is there some kind of shortcut to base64 decode and check whether a value is in the array?
@zetaab I have tested the changes in the linked PR. If there is a claim like "roles": ["foo", "bar"] in the token, the matcher which is added in the linked PR is able to authorize on specific claims, like foo allowed and bar denied etc.
You can test your use case with my PR, if you want to give it a quick try. Functionally it should be working.
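A simplified Python model of the claim matching discussed in the two comments above, added here as an example and not taken from Envoy or the linked PR: it walks a path into dynamic metadata and matches one element of an array claim exactly, with ordered rules and a default deny. The namespace, the `jwt_payload` key, the rule format and all function names are assumptions, and the claims are constructed sample data.

```python
# Simplified model of matching on JWT claims stored as dynamic metadata.
# Not Envoy code: namespace, keys, rule format and names are assumptions.
NS = "envoy.filters.http.jwt_authn"  # assumed metadata namespace


def claims_metadata(claims):
    """Constructed sample: metadata as it might look after JWT verification."""
    return {NS: {"jwt_payload": claims}}


def lookup(metadata, namespace, path):
    """Walk namespace + path keys; None if any segment is missing."""
    node = metadata.get(namespace)
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def value_matches(value, exact):
    """Exact match on a string, or on any one element of a list claim."""
    if isinstance(value, list):
        return any(isinstance(v, str) and v == exact for v in value)
    return isinstance(value, str) and value == exact


def authorize(metadata, rules, default="DENY"):
    """First matching rule wins; missing or unmatched metadata gets default."""
    for rule in rules:
        value = lookup(metadata, rule["namespace"], rule["path"])
        if value_matches(value, rule["exact"]):
            return rule["action"]
    return default


ROLES = ["jwt_payload", "roles"]
RULES = [  # the deny rule is listed first so it wins when both roles are present
    {"namespace": NS, "path": ROLES, "exact": "bar", "action": "DENY"},
    {"namespace": NS, "path": ROLES, "exact": "foo", "action": "ALLOW"},
]

if __name__ == "__main__":
    for roles in (["foo"], ["bar"], ["foo", "bar"], ["foobar"], None):
        claims = {} if roles is None else {"roles": roles}
        print(roles, "->", authorize(claims_metadata(claims), RULES))
```

Matching on the structured value means "foobar" does not satisfy a rule for "foo", which substring checks against an encoded header cannot guarantee.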
This would also be extremely useful for ExtensionWithMatcher to allow doing things such as setting HTTP headers depending on a specific JWT match.
I can confirm that this patch indeed works nicely with ExtensionWithMatcher filter. For example, I can trigger HeaderMutation based on a specific metadata match (envoy.extensions.matching.common_inputs.network.v3.DynamicMetadataInput input with type.googleapis.com/envoy.extensions.matching.input_matchers.metadata.v3.Metadata custom_match under single_predicate).
fixes: #34092 --------- Signed-off-by: Vikas Choudhary <[email protected]>
fixes: envoyproxy/envoy#34092 --------- Signed-off-by: Vikas Choudhary <[email protected]> Mirrored from https://github.com/envoyproxy/envoy @ 520d88e4cb4e8c5014531281a88dcc8076e18bfd
fixes: envoyproxy#34092 --------- Signed-off-by: Vikas Choudhary <[email protected]> Signed-off-by: Martin Duke <[email protected]>
fixes: envoyproxy#34092 --------- Signed-off-by: Vikas Choudhary <[email protected]> Signed-off-by: asingh-g <[email protected]>
Title: Support metadata input in Matching API
Description:
The Matching API currently doesn't support Metadata Input. It would be valuable if Envoy could support it.
For instance, we prefer using Matcher over RBAC rules for authorization due to its flexibility. However, while RBAC allows specifying metadata as the principal, the matcher API currently lacks this capability, limiting use cases such as JWT claims as principals.
The supported Matching Inputs: https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/advanced/matching/matching_api#extension-category-envoy-matching-http-input
@arkodg