RBAC Authenticated Principal

[ramaraochavali]

Is there any specific reason why RBAC authenticated principle looking URI SAN and if it is not available looking at Subject? Would it be OK to check URI SAN or DNS SAN of Subject in that order? It would be useful for people who does not have URI SAN in the certs.

Relevant links :
Docs :
https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/rbac/v2/rbac.proto#config-rbac-v2-principal-authenticated

Code:

envoy/source/extensions/filters/common/rbac/matchers.cc

Line 145 in 3e63182

if (uriSans.empty()) {

[ramaraochavali]

@mattklein123 any idea on why it was implemented like that and do you think it is reasonable to extend it to DNS type of SAN as I proposed? We have certs with DNS SAN would like to see if we can use this filter.

[mattklein123]

I don't recall the details. @lizan @PiotrSikora thoughts here?

[lizan]

Adding DNS SAN sounds reasonable to me.

[ramaraochavali]

Ok. Cool. Can you convert this to enhancement? I will fix it.

[ramaraochavali]

/assign @ramaraochavali