Possible to configure retry policy for external authorization requests?

[enbohm]

Title: Retry policy for external authorization requests?

I'm using Envoy 1.9.0 and configured external authorization as described in https://www.envoyproxy.io/docs/envoy/v1.9.0/configuration/http_filters/ext_authz_filter#config-http-filters-ext-authz

It works as expected but sometimes the external authorization server respond with a 5xx status (could be either problems with the server, network, etc.). I haven't managed to configure a retry policy for these cases and wonder if it is possible to do this? Also, I can see that when this occurs, the actual response to the calling client is 403 which is actually a bit misleading and it might be better to propagate 5xx response codes from the authorization server.

So my questions are if retries are possible with authorization requests and if 5xx response codes can be propagates to the client?

Any hints are welcome!

[enbohm]

Anyone who could comment on the above? Feels like something that is really missing if this is the case since the whole design of Envoy is to enable fault tolerance characteristics of microservices - but has it been missed in this case?

[dio]

@gsagula WDYT?

[gsagula]

I actually have it already in the pipe, but sadly I haven't seen this question before. I think it's a great enhancement. What I have is exactly the same retry policy already implemented in Envoy:

retry_on: "5xx"
num_retries: 2
per_try_timeout_ms: 2000

[gsagula]

@enbohm Just out of curiosity. Did you try any of these retry strategies:
https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/route/route.proto#envoy-api-field-route-routeaction-retry-policy
https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/route/route.proto#envoy-api-field-route-virtualhost-retry-policy

[enbohm]

@gsagula I've tried retry polices but that did only retry when the targeting service/cluster was failing not the authorization request. For instance, the below config does retry when "my-service" fails:

match:
  prefix: "/apis/my-service/"
route:
 prefix_rewrite: "/"
 cluster: my_service
 retry_policy: {"retry_on": "5xx", "num_retries": 3}

but I can't figure out how to make my auth-service to inherit this policy. Currently, my auth. config looks like

name: envoy.ext_authz
config:
  http_service:
    server_uri:
      uri: http://authorization-service:8080
      cluster: ext-authz
      timeout: 2s

I'd like to be able to configure it something like this:

name: envoy.ext_authz
config:
  http_service:
    server_uri:
      uri: http://authorization-service:8080
      cluster: ext-authz
      timeout: 2s
      retry_policy: {"retry_on": "5xx", "num_retries": 3}

but that is currently not supported AFAIK (I'm running envoy 1.9.0). Also, as per #6119 design proposal, it would be great to have an option to propagate 5xx error codes instead of always returning 403.

[gdheller42]

GRPC Service as well... Something like this:

     - name: envoy.ext_authz
        config:
          grpc_service:
            envoy_grpc:
              cluster_name: authorization
            timeout: 5s
            retry_policy: {"retry_on": "5xx", "num_retries": 3}
          failure_mode_allow: false

[gdheller42]

I actually have it already in the pipe, but sadly I haven't seen this question before. I think it's a great enhancement. What I have is exactly the same retry policy already implemented in Envoy:

retry_on: "5xx"
num_retries: 2
per_try_timeout_ms: 2000

@gsagula Are you saying the retries on authz are already being added??

[gsagula]

@gdheller42 I have #6119 pretty much done. Just need to add a test. You should be able to use the Envoy's retry I believe.

[gdheller42]

@gsagula great thanks.. !!

[stale]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.