Skip to content

rbac: add matched policy name in response code detail for RBAC filter#12912

Merged
alyssawilk merged 18 commits intoenvoyproxy:masterfrom
yangminzhu:rbac-flag
Sep 23, 2020
Merged

rbac: add matched policy name in response code detail for RBAC filter#12912
alyssawilk merged 18 commits intoenvoyproxy:masterfrom
yangminzhu:rbac-flag

Conversation

@yangminzhu
Copy link
Copy Markdown
Contributor

@yangminzhu yangminzhu commented Sep 1, 2020
edited
Loading

Commit Message: This patch adds the matched policy name in the response code detail for request denied by the RBAC filter.

Risk Level: Low
Testing: Added e2e tests and also tested manually
Docs Changes: Updated
Release Notes: Updated
Fixes #12873.
Signed-off-by: Yangmin Zhu ymzhu@google.com

@repokitteh-read-only
Copy link
Copy Markdown

repokitteh-read-only bot commented Sep 1, 2020

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to api/envoy/.
CC @envoyproxy/api-watchers: FYI only for changes made to api/envoy/.

🐱

Caused by: #12912 was opened by yangminzhu.

see: more, trace.

@yangminzhu yangminzhu mentioned this pull request Sep 1, 2020
Closed
@yangminzhu
Copy link
Copy Markdown
Contributor Author

yangminzhu commented Sep 1, 2020

cc @mattklein123 @alyssawilk @mandarjog

@yangminzhu
rbac: set response flag and detail for request denied by RBAC filter
d60599c 
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
htuch
htuch reviewed Sep 1, 2020
View reviewed changes
kyessenov
kyessenov reviewed Sep 1, 2020
View reviewed changes
@yangminzhu
fix test
b45a8a7 
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
@snowp snowp assigned dio Sep 2, 2020
@yangminzhu
fix windows test
3612e7e 
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
@yangminzhu
Copy link
Copy Markdown
Contributor Author

yangminzhu commented Sep 8, 2020

@dio @alyssawilk would you mind to take a look at this PR? thanks.

alyssawilk
alyssawilk reviewed Sep 8, 2020
View reviewed changes
alyssawilk
alyssawilk reviewed Sep 8, 2020
View reviewed changes
Copy link
Copy Markdown
Contributor

@alyssawilk alyssawilk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great! Just a few requests and you should be good to go

@yangminzhu
add more tests and return none by default
e37796e 
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
@alyssawilk alyssawilk self-assigned this Sep 9, 2020
alyssawilk
alyssawilk reviewed Sep 9, 2020
View reviewed changes
Copy link
Copy Markdown
Contributor

@alyssawilk alyssawilk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good once you do that one rename. @dio can you do a pass as well?

alyssawilk
alyssawilk reviewed Sep 9, 2020
View reviewed changes
@yangminzhu
update response detail
b88497d 
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
@yangminzhu
Merge branch 'master' into rbac-flag
0e819cc 
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
@yangminzhu
Copy link
Copy Markdown
Contributor Author

yangminzhu commented Sep 14, 2020

@dio @htuch could you take a look? thanks.

@yangminzhu yangminzhu mentioned this pull request Sep 15, 2020
Open
dio
dio reviewed Sep 15, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@dio dio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry, was drowned by internal stuff. Looks good. A couple of comments.

@yangminzhu
fix format
a26364f 
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
dio
dio reviewed Sep 16, 2020
View reviewed changes
dio
dio reviewed Sep 16, 2020
View reviewed changes
@yangminzhu
use absl::StrReplaceAll
cb7e916 
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
@yangminzhu
update comment
d0cc9de 
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
@yangminzhu
Merge branch 'master' into rbac-flag
a87604c 
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
@yangminzhu
fix merge
ded30bf 
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
@yangminzhu yangminzhu changed the title rbac: set response flag and detail for request denied by RBAC filter rbac: add matched policy name in response code detail for RBAC filter Sep 22, 2020
@yangminzhu
undo API change
4dd126c 
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
@yangminzhu
Merge branch 'master' into rbac-flag
4c95a84 
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
@yangminzhu
Copy link
Copy Markdown
Contributor Author

yangminzhu commented Sep 22, 2020

sorry I force pushed the last 2 commits to fix the DCO issue, @dio Could you take a look again, I reverted the API change, thanks.

dio
dio reviewed Sep 22, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@dio dio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Just one small nit. Thanks!

alyssawilk
alyssawilk reviewed Sep 22, 2020
View reviewed changes
@yangminzhu
add TODO
522fc21 
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
alyssawilk
alyssawilk reviewed Sep 22, 2020
View reviewed changes
source/extensions/filters/network/rbac/rbac_filter.cc Outdated
if (engine_result_ == Allow) {
return Network::FilterStatus::Continue;
} else if (engine_result_ == Deny) {
callbacks_->connection().streamInfo().setResponseCodeDetails(
Copy link
Copy Markdown
Contributor

@alyssawilk alyssawilk Sep 22, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry I missed this earlier (I was focused on the filters/http part) but I don't think setting responseCodeDetails on the network filter makes sense per se. Response code details is an HTTP / L7 construct. Unfortunately I don't think there is a network (L4) equivalent for downstream. It might make more sense to add one than reuse the HTTP field.

Copy link
Copy Markdown
Contributor Author

@yangminzhu yangminzhu Sep 22, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

okay I reverted the change in the network filter, I feel we really should have a network equivalent, or maybe have a general RESPONSE_DETAILS so that it can be used in both L4 and L7?

@yangminzhu
undo rbac network filter
22525b0 
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
@yangminzhu
one more leftover
21c7cc5 
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
@alyssawilk
Copy link
Copy Markdown
Contributor

alyssawilk commented Sep 23, 2020

LGTM! @dio any final thoughts?

dio
dio approved these changes Sep 23, 2020
View reviewed changes
Copy link
Copy Markdown
Member

@dio dio left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! Thanks!

@alyssawilk alyssawilk merged commit d0b8177 into envoyproxy:master Sep 23, 2020
@yangminzhu yangminzhu deleted the rbac-flag branch September 29, 2020 00:35
@yangminzhu yangminzhu mentioned this pull request Sep 29, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kyessenov kyessenov kyessenov left review comments

+4 more reviewers

@mandarjog mandarjog mandarjog left review comments

@htuch htuch htuch left review comments

@dio dio dio approved these changes

@alyssawilk alyssawilk alyssawilk approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@dio dio

@alyssawilk alyssawilk

Labels

api

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Rbac: Disambiguate between rbac 403 and application 403

6 participants

@yangminzhu @alyssawilk @dio @mandarjog @kyessenov @htuch