Proposal: Unified Matching in Access Control

[yangminzhu]

The design (https://shorturl.at/gkrM3) proposes to introduce a unified matching API for ext_authz and RBAC filter in order to support many complex access control scenarios and also simplify the matching code in Envoy.

This allows to support the following feature requests:

• ext_authz config per virtual host: ext_authz config per virtual host #11522
• rbac: support mixing allow/deny policies with precedence: rbac: support mixing allow/deny policies with precedence #9376
• and more use cases in the design doc.

@mattklein123 @htuch @lizan @rshriram @incfly @liminw , please let me know your thoughts and feel free to comment in the doc, thank you.

[rshriram]

@yangminzhu if we have the metadata matcher in ext authz that matches based on all the attributes, then we no longer have to worry about ext authz per host or even per filter metadata for ext authz right? Like RBAC, we could have a rich set of conditions that will decide whether or not the ext authz should kick in (these conditions will include attributes like the virtual host, other http headers, paths, etc.).

[yangminzhu]

if we have the metadata matcher in ext authz that matches based on all the attributes, then we no longer have to worry about ext authz per host or even per filter metadata for ext authz right?

@rshriram Yes, the proposal adds full matching support to the ext_authz as we already have in RBAC, which allows a much flexible way in configuring the ext_authz to be based on many different conditions (path, header, JWT, x509, source IP, etc.)

[mattklein123]

Just wanted to note that I am very interested in this proposal but I won't be able to look into 7/13. I would also like to see if we can incorporate the streaming tap matchers into this also.

[mattklein123]

I took a look at the proposal. My main comment (which I mentioned in the community meeting) is that I think this proposal needs to also cover TAP and its streaming concepts. Can we take a look at that also please?

[yangminzhu]

Sure and thanks for the comments Matt. I will look into the tap filter and see how can we support it in the proposal, will do some investigations and update the doc.

[yangminzhu]

@mattklein123

I have updated the doc for the support of tap filter and stream-based matching. I also completed a PoC PR here: #12317, Please let me know your thoughts, thank you.