Documentation ¶
Index ¶
- Variables
- type ExtAuthz
- func (*ExtAuthz) Descriptor() ([]byte, []int)
- func (m *ExtAuthz) GetFailureModeAllow() bool
- func (m *ExtAuthz) GetGrpcService() *core.GrpcService
- func (m *ExtAuthz) GetHttpService() *HttpService
- func (m *ExtAuthz) GetServices() isExtAuthz_Services
- func (m *ExtAuthz) Marshal() (dAtA []byte, err error)
- func (m *ExtAuthz) MarshalTo(dAtA []byte) (int, error)
- func (*ExtAuthz) ProtoMessage()
- func (m *ExtAuthz) Reset()
- func (m *ExtAuthz) Size() (n int)
- func (m *ExtAuthz) String() string
- func (m *ExtAuthz) Unmarshal(dAtA []byte) error
- func (m *ExtAuthz) Validate() error
- func (m *ExtAuthz) XXX_DiscardUnknown()
- func (m *ExtAuthz) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (dst *ExtAuthz) XXX_Merge(src proto.Message)
- func (*ExtAuthz) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, ...)
- func (m *ExtAuthz) XXX_Size() int
- func (m *ExtAuthz) XXX_Unmarshal(b []byte) error
- type ExtAuthzValidationError
- type ExtAuthz_GrpcService
- type ExtAuthz_HttpService
- type HttpService
- func (*HttpService) Descriptor() ([]byte, []int)
- func (m *HttpService) GetAllowedAuthorizationHeaders() []string
- func (m *HttpService) GetAllowedRequestHeaders() []string
- func (m *HttpService) GetAuthorizationHeadersToAdd() []*core.HeaderValue
- func (m *HttpService) GetPathPrefix() string
- func (m *HttpService) GetServerUri() *core.HttpUri
- func (m *HttpService) Marshal() (dAtA []byte, err error)
- func (m *HttpService) MarshalTo(dAtA []byte) (int, error)
- func (*HttpService) ProtoMessage()
- func (m *HttpService) Reset()
- func (m *HttpService) Size() (n int)
- func (m *HttpService) String() string
- func (m *HttpService) Unmarshal(dAtA []byte) error
- func (m *HttpService) Validate() error
- func (m *HttpService) XXX_DiscardUnknown()
- func (m *HttpService) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
- func (dst *HttpService) XXX_Merge(src proto.Message)
- func (m *HttpService) XXX_Size() int
- func (m *HttpService) XXX_Unmarshal(b []byte) error
- type HttpServiceValidationError
Constants ¶
This section is empty.
Variables ¶
var ( ErrInvalidLengthExtAuthz = fmt.Errorf("proto: negative length found during unmarshaling") ErrIntOverflowExtAuthz = fmt.Errorf("proto: integer overflow") )
Functions ¶
This section is empty.
Types ¶
type ExtAuthz ¶
type ExtAuthz struct { // Types that are valid to be assigned to Services: // *ExtAuthz_GrpcService // *ExtAuthz_HttpService Services isExtAuthz_Services `protobuf_oneof:"services"` // The filter's behaviour in case the external authorization service does // not respond back. When it is set to true, Envoy will also allow traffic in case of // an error occurs during the authorization process. // Defaults to false. FailureModeAllow bool `protobuf:"varint,2,opt,name=failure_mode_allow,json=failureModeAllow,proto3" json:"failure_mode_allow,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
External Authorization filter calls out to an external service over either:
- gRPC Authorization API defined by :ref:`CheckRequest <envoy_api_msg_service.auth.v2alpha.CheckRequest>`.
- Raw HTTP Authorization server by passing the request headers to the service.
A failed check will cause this filter to close the HTTP request normally with 403 (Forbidden), unless a different status code has been indicated in the authorization response.
func (*ExtAuthz) Descriptor ¶
func (*ExtAuthz) GetFailureModeAllow ¶
func (*ExtAuthz) GetGrpcService ¶
func (m *ExtAuthz) GetGrpcService() *core.GrpcService
func (*ExtAuthz) GetHttpService ¶
func (m *ExtAuthz) GetHttpService() *HttpService
func (*ExtAuthz) GetServices ¶
func (m *ExtAuthz) GetServices() isExtAuthz_Services
func (*ExtAuthz) ProtoMessage ¶
func (*ExtAuthz) ProtoMessage()
func (*ExtAuthz) Validate ¶
Validate checks the field values on ExtAuthz with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.
func (*ExtAuthz) XXX_DiscardUnknown ¶
func (m *ExtAuthz) XXX_DiscardUnknown()
func (*ExtAuthz) XXX_Marshal ¶
func (*ExtAuthz) XXX_OneofFuncs ¶
func (*ExtAuthz) XXX_OneofFuncs() (func(msg proto.Message, b *proto.Buffer) error, func(msg proto.Message, tag, wire int, b *proto.Buffer) (bool, error), func(msg proto.Message) (n int), []interface{})
XXX_OneofFuncs is for the internal use of the proto package.
func (*ExtAuthz) XXX_Unmarshal ¶
type ExtAuthzValidationError ¶
ExtAuthzValidationError is the validation error returned by ExtAuthz.Validate if the designated constraints aren't met.
func (ExtAuthzValidationError) Error ¶
func (e ExtAuthzValidationError) Error() string
Error satisfies the builtin error interface
type ExtAuthz_GrpcService ¶
type ExtAuthz_GrpcService struct {
GrpcService *core.GrpcService `protobuf:"bytes,1,opt,name=grpc_service,json=grpcService,oneof"`
}
func (*ExtAuthz_GrpcService) MarshalTo ¶
func (m *ExtAuthz_GrpcService) MarshalTo(dAtA []byte) (int, error)
func (*ExtAuthz_GrpcService) Size ¶
func (m *ExtAuthz_GrpcService) Size() (n int)
type ExtAuthz_HttpService ¶
type ExtAuthz_HttpService struct {
HttpService *HttpService `protobuf:"bytes,3,opt,name=http_service,json=httpService,oneof"`
}
func (*ExtAuthz_HttpService) MarshalTo ¶
func (m *ExtAuthz_HttpService) MarshalTo(dAtA []byte) (int, error)
func (*ExtAuthz_HttpService) Size ¶
func (m *ExtAuthz_HttpService) Size() (n int)
type HttpService ¶
type HttpService struct { // Sets the HTTP server URI which the authorization requests must be sent to. ServerUri *core.HttpUri `protobuf:"bytes,1,opt,name=server_uri,json=serverUri" json:"server_uri,omitempty"` // Sets an optional prefix to the value of authorization request header *Path*. PathPrefix string `protobuf:"bytes,2,opt,name=path_prefix,json=pathPrefix,proto3" json:"path_prefix,omitempty"` // Sets a list of headers that can be sent from the authorization server to the upstream service, // or to the downstream client when present in the authorization response. Note that a matched // request header will have its value overridden by the ones sent from the authorization server. AllowedAuthorizationHeaders []string `` /* 137-byte string literal not displayed */ // Sets a list of headers that should be sent *from the filter* to the authorization server // when they are also present in the client request. Note that *Content-Length*, *Authority*, // *Method* and *Path* are always dispatched to the authorization server by default. The message // will not contain body data and the *Content-Length* will be set to zero. AllowedRequestHeaders []string `protobuf:"bytes,5,rep,name=allowed_request_headers,json=allowedRequestHeaders" json:"allowed_request_headers,omitempty"` // Sets a list of headers and their values that will be added to the request to external // authorization server. Note that these will override the headers coming from the downstream. AuthorizationHeadersToAdd []*core.HeaderValue `` /* 133-byte string literal not displayed */ XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_unrecognized []byte `json:"-"` XXX_sizecache int32 `json:"-"` }
External Authorization filter calls out to an upstream authorization server by passing the raw HTTP request headers to the server. This allows the authorization service to take a decision whether the request is authorized or not.
A successful check allows the authorization service adding or overriding headers from the original request before dispatching it to the upstream. This is done by configuring which headers in the authorization response should be sent to the upstream. See *allowed_authorization_headers* bellow.
A failed check will cause this filter to close the HTTP request with 403 (Forbidden), unless a different status code has been indicated by the authorization server via response headers.
If an error happens during the checking process, two situations may occur depending on the filter's configuration:
- When *failure_mode_allow* is true, traffic will be allowed in the presence of an error. This includes any of the HTTP 5xx errors, or a communication failure between the filter and the authorization server.
- When *failure_mode_allow* is false, the filter will *always* return a *Forbidden response* to the client. It will *not allow* traffic to the upstream in the presence of an error. This includes any of the HTTP 5xx errors, or a communication failure between the filter and the authorization server.
Note that filter will produce stats on error. See *Statistics* at :ref:`configuration overview <config_http_filters_ext_authz>`.
func (*HttpService) Descriptor ¶
func (*HttpService) Descriptor() ([]byte, []int)
func (*HttpService) GetAllowedAuthorizationHeaders ¶
func (m *HttpService) GetAllowedAuthorizationHeaders() []string
func (*HttpService) GetAllowedRequestHeaders ¶
func (m *HttpService) GetAllowedRequestHeaders() []string
func (*HttpService) GetAuthorizationHeadersToAdd ¶ added in v0.6.0
func (m *HttpService) GetAuthorizationHeadersToAdd() []*core.HeaderValue
func (*HttpService) GetPathPrefix ¶
func (m *HttpService) GetPathPrefix() string
func (*HttpService) GetServerUri ¶
func (m *HttpService) GetServerUri() *core.HttpUri
func (*HttpService) Marshal ¶
func (m *HttpService) Marshal() (dAtA []byte, err error)
func (*HttpService) ProtoMessage ¶
func (*HttpService) ProtoMessage()
func (*HttpService) Reset ¶
func (m *HttpService) Reset()
func (*HttpService) Size ¶
func (m *HttpService) Size() (n int)
func (*HttpService) String ¶
func (m *HttpService) String() string
func (*HttpService) Unmarshal ¶
func (m *HttpService) Unmarshal(dAtA []byte) error
func (*HttpService) Validate ¶
func (m *HttpService) Validate() error
Validate checks the field values on HttpService with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.
func (*HttpService) XXX_DiscardUnknown ¶
func (m *HttpService) XXX_DiscardUnknown()
func (*HttpService) XXX_Marshal ¶
func (m *HttpService) XXX_Marshal(b []byte, deterministic bool) ([]byte, error)
func (*HttpService) XXX_Merge ¶
func (dst *HttpService) XXX_Merge(src proto.Message)
func (*HttpService) XXX_Size ¶
func (m *HttpService) XXX_Size() int
func (*HttpService) XXX_Unmarshal ¶
func (m *HttpService) XXX_Unmarshal(b []byte) error
type HttpServiceValidationError ¶
HttpServiceValidationError is the validation error returned by HttpService.Validate if the designated constraints aren't met.
func (HttpServiceValidationError) Error ¶
func (e HttpServiceValidationError) Error() string
Error satisfies the builtin error interface