auth: new api auth implementation (#36968)
Commit Message: auth: new api auth implementation
Additional Description: To close #34877
Risk Level: low. New extension.
Testing: unit, integration.
Docs Changes: added.
Release Notes: added.
Platform Specific Features: n/a.
---------
Signed-off-by: wangbaiping/wbpcode <[email protected]>
Signed-off-by: wangbaiping(wbpcode) <[email protected]>
Signed-off-by: code <[email protected]>
Co-authored-by: Adi (Suissa) Peleg <[email protected]>
Co-authored-by: yanavlasov <[email protected]>
1 parent b7c429f, commit d2dbc05
Showing 23 changed files with 1,748 additions and 24 deletions.
89 changes: 89 additions & 0 deletions
docs/root/configuration/http/http_filters/_include/api-key-auth-filter.yaml
@@ -0,0 +1,89 @@ | ||
static_resources: | ||
listeners: | ||
- name: listener_0 | ||
address: | ||
socket_address: | ||
protocol: TCP | ||
address: 0.0.0.0 | ||
port_value: 10000 | ||
filter_chains: | ||
- filters: | ||
- name: envoy.filters.network.http_connection_manager | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager | ||
stat_prefix: ingress_http | ||
route_config: | ||
name: local_route | ||
virtual_hosts: | ||
- name: local_service | ||
domains: ["*"] | ||
routes: | ||
- match: | ||
path: "/admin" | ||
route: | ||
cluster: upstream_com | ||
typed_per_filter_config: | ||
api_key_auth: | ||
"@type": type.googleapis.com/envoy.extensions.filters.http.api_key_auth.v3.ApiKeyAuthPerRoute | ||
key_sources: | ||
- query: api_key | ||
allowed_clients: | ||
- another_client | ||
- match: | ||
path: "/special" | ||
route: | ||
cluster: upstream_com | ||
typed_per_filter_config: | ||
api_key_auth: | ||
"@type": type.googleapis.com/envoy.extensions.filters.http.api_key_auth.v3.ApiKeyAuthPerRoute | ||
credentials: | ||
- key: special_key | ||
client: special_client | ||
key_sources: | ||
- header: X-Special-Key | ||
- match: | ||
prefix: "/static" | ||
route: | ||
cluster: upstream_com | ||
typed_per_filter_config: | ||
api_key_auth: | ||
"@type": type.googleapis.com/envoy.config.route.v3.FilterConfig | ||
disabled: true | ||
- match: | ||
prefix: "/" | ||
route: | ||
cluster: upstream_com | ||
http_filters: | ||
- name: api_key_auth | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.filters.http.api_key_auth.v3.ApiKeyAuth | ||
credentials: | ||
- key: one_key | ||
client: one_client | ||
- key: another_key | ||
client: another_client | ||
key_sources: | ||
- header: Authorization | ||
- name: envoy.filters.http.router | ||
typed_config: | ||
'@type': type.googleapis.com/envoy.extensions.filters.http.router.v3.Router | ||
clusters: | ||
- name: upstream_com | ||
type: LOGICAL_DNS | ||
# Comment out the following line to test on v6 networks | ||
dns_lookup_family: V4_ONLY | ||
lb_policy: ROUND_ROBIN | ||
load_assignment: | ||
cluster_name: service_upstream_com | ||
endpoints: | ||
- lb_endpoints: | ||
- endpoint: | ||
address: | ||
socket_address: | ||
address: upstream.com | ||
port_value: 443 | ||
transport_socket: | ||
name: envoy.transport_sockets.tls | ||
typed_config: | ||
"@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext | ||
sni: upstream.com |
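Review bot: the `/admin` route example (`key_sources:` / `- query: api_key`) takes the API key from a URL query parameter, so the credential ends up in Envoy access logs, upstream logs and browser history; since this file is the reference example for the filter, either source the admin route's key from a header or add a YAML comment stating that the query source is shown only to illustrate a per-route override. Minor: `load_assignment.cluster_name: service_upstream_com` does not match the cluster's `name: upstream_com`; aligning the two keeps the docs snippet easier to follow.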
94 changes: 94 additions & 0 deletions
docs/root/configuration/http/http_filters/api_key_auth_filter.rst
@@ -0,0 +1,94 @@ | ||
.. _config_http_filters_api_key_auth: | ||
|
||
API key auth | ||
============ | ||
|
||
This HTTP filter can be used to authenticate users based on the unique API key. The filter will | ||
extract the API keys from either an HTTP header, a parameter query, or a cookie and verify them against | ||
the configured credential list. | ||
|
||
If the API key is valid and the related client is allowed, the request will be allowed to continue. | ||
If the API key is invalid or not exists, the request will be denied with 401 status code. | ||
If the API key is valid but the related client is not allowed, the request will be denied with | ||
403 status code. | ||
|
||
Configuration | ||
------------- | ||
|
||
* This filter should be configured with the type URL ``type.googleapis.com/envoy.extensions.filters.http.api_key_auth.v3.ApiKeyAuth``. | ||
* :ref:`v3 API reference <envoy_v3_api_msg_extensions.filters.http.api_key_auth.v3.ApiKeyAuth>` | ||
|
||
An example configuration of the filter may look like the following: | ||
|
||
.. literalinclude:: _include/api-key-auth-filter.yaml | ||
:language: yaml | ||
:lines: 57-66 | ||
:linenos: | ||
:caption: :download:`api-key-auth-filter.yaml <_include/api-key-auth-filter.yaml>` | ||
|
||
Per-Route Configuration | ||
----------------------- | ||
|
||
It's possible to override the filter's configuration for a specific scope like a route or virtual host. | ||
And the overriding configuration could be partial to override only credential list or to override only | ||
the API key source. | ||
|
||
And this filter also provides very limited authorization control. A simple ``allowed_clients`` could be | ||
configured for specific scope like a route or virtual host to allow or deny specific clients. | ||
|
||
An example scope specific configuration of the filter may look like the following: | ||
|
||
.. literalinclude:: _include/api-key-auth-filter.yaml | ||
:language: yaml | ||
:lines: 16-55 | ||
:linenos: | ||
:caption: :download:`api-key-auth-filter.yaml <_include/api-key-auth-filter.yaml>` | ||
|
||
In this example we customize key source for ``/admin`` route and only allow limited clients to access | ||
this route. We also customize the credential list for ``/special`` route and disable the filter for | ||
``/static`` route. | ||
|
||
Combining the per-route configuration example and the filter configuration example, given the following | ||
requests, the filter will behave as follows: | ||
|
||
.. code-block:: text | ||
# The request will be allowed because the API key is valid and the client is allowed. | ||
GET /admin?api_key=another_key HTTP/1.1 | ||
host: example.com | ||
# The request will be denied with 403 status code because the API key is valid but the client is | ||
# not allowed. | ||
GET /admin?api_key=one_key HTTP/1.1 | ||
host: example.com | ||
# The request will be denied with 401 status code because the API key is invalid. | ||
GET /admin?api_key=invalid_key HTTP/1.1 | ||
host: example.com | ||
# The request will be allowed because the API key is valid and no client validation is configured. | ||
GET /special HTTP/1.1 | ||
host: example.com | ||
X-Special-Key: "special_key" | ||
# The request will be allowed because the filter is disabled for specific route. | ||
GET /static HTTP/1.1 | ||
host: example.com | ||
# The request will be allowed because the API key is valid and no client validation is configured. | ||
GET / HTTP/1.1 | ||
host: example.com | ||
Authorization: "Bearer one_key" | ||
Statistics | ||
---------- | ||
|
||
The HTTP API key auth filter outputs statistics in the ``http.<stat_prefix>.api_key_auth.`` namespace. | ||
|
||
.. csv-table:: | ||
:header: Name, Type, Description | ||
:widths: 1, 1, 2 | ||
|
||
allowed, Counter, Total number of allowed requests | ||
unauthorized, Counter, Total number of requests that have invalid API key | ||
forbidden, Counter, Total number of requests that have valid API key but not allowed |
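Review bot: the sample requests under `.. code-block:: text` wrap header values in double quotes (`X-Special-Key: "special_key"` and `Authorization: "Bearer one_key"`); in a real HTTP request the quotes are transmitted literally as part of the header value, so they would not match the configured keys `special_key` and `one_key`. Drop the quotes so readers can copy the requests verbatim. Also, "If the API key is invalid or not exists" should read "If the API key is invalid or missing", and the hard-coded `:lines: 57-66` and `:lines: 16-55` ranges in the two `literalinclude` directives will silently drift if the YAML example is edited; `:start-after:`/`:end-before:` markers would make the snippets robust to that.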