RBAC support for policy dark launch

[quanjielin]

#3552

2nd POC for #3552(1st POC: #3548).

1st POC(#3548) adds an enforcement_mode property at policy level, the problem of this approach is it won't be able to test policy deletion/replacement scenarios; also the implementation isn't correct(evaluation uses OR_rule may returns earlier even without applying dark launch policy)

To address issues mentioned above, this PR groups policies into two independent rules(enforcement/darklaunch) in RBAC config.

Signed-off-by: Quanjie Lin quanlin@google.com

[quanjielin]

/cc @qiwzhang @liminw @diemtvu @mattklein123 @rodaine

[rodaine]

Nice! I like this PoC better than #3548 but some of my comments from there also apply (ie, the name)

[rodaine]

is_dark_launch (and elsewhere)

[quanjielin]

updated to use enum.

[rodaine]

IIRC per the C++ style guide, this should look like: ..., /*is_dark_launch=*/ true)) {

Alternatively, use the enum you added in the protos instead so it's explicit.

[rodaine]

Can we add a test for triggering the dark path?

[quanjielin]

added in rbac_filter_test.cc

[qiwzhang]

use const std::vector& to avoid data copy

[quanjielin]

thanks, done.

[qiwzhang]

per c++ style guide, the variable name should be is_dark_launch

[quanjielin]

updated to use enum.

[diemtvu]

High level question: can we dark launch from rbac-disable to rbac-enable+rules with this? I guess you can simulate rbac-disable with a dummy rule (i.e action = DENY with no policies), but I wonder if there could be a cleaner way?

[quanjielin]

@diemtvu, another option I could think:
rbac engine has a engine_disabled_ property, which is always set to false by filter right now; we could add a boolean in RBAC config proto, and set engine_disabled_ from that value.

[diemtvu]

From what I see, I think we can remove this flag (engine_disabled_) completely, and make allowed function returns true (in active mode) if the rules is empty (the RBAC message, not the vector of policies). You can use separated boolean for this but not sure if it has clearer usability.

[diemtvu]

Probably do this only when there is actually 'darklaunch' policies, otherwise it could be confusing.

[quanjielin]

I think probably it's fine to log what user expected to see if they switch the mode ?

[diemtvu]

What mode? This means users will see counter for permissive_allowed all the time, even they do not provide any permissive rules. It seems confusing to me. Anyway, it's just my opinion.

[quanjielin]

updated to only evaluate/log only when permissive policies is set

[liminw]

@quanjielin @diemtvu "engine_disabled_" is used by per-route RBAC config.

I think if we leave the RBAC filter spec empty, the RBAC evaluation logic will not kick in. That is basically the RBAC disabled scenario you are thinking about.

@rodaine Correct me if I am wrong.

[quanjielin]

@liminw, agree, just did another commit which includes

1. remove required checking for RBAC.rules (which is for enforcement mode), it's empty indicates rbac disabled; so that we could test rbac disabled -> rbac enabled only for permissive mode case(RBAC.rules is empty, RBAC.permissive_rules is set)
2. thread rbac config to engine to make the code cleaner

Keep engine_disabled_ for per-route config, probably it also could be removed to re-use logic above from RBACPerRoute.RBAC ?

[yangminzhu]

This could also be removed?

[quanjielin]

as mentioned in above comment, keep this for now because of per-route config; it could be removed if we could decide disable from RBACPerRoute.RBAC field(which this PR uses in other places). I'm not familiar about the RBACPerRoute use case, wait @rodaine to comment whether it's safe to remove disable field from RBACPerRoute proto.

[yangminzhu]

I mean the if statement.

[quanjielin]

oh I misunderstand, done.

[mattklein123]

Quick note that we will need docs on this feature in the main filter config docs / arch overview. I think it's definitely worth calling out. I don't think it's necessary to release note it as we just added the main filter.

I haven't looked at the code yet, but LMK when the first round of reviews is done and I can take a look. Also note that DCO will need to be fixed. Feel free to keep reviewing and then when you are all satisfied squash/rebase force push to fix DCO and then I will review. Thanks!

[lizan]

as config_ is const, this shouldn't be here but in cluster. You can have policies_ and permissive_policies_ as a member. Creating PolicyMatcher is inefficient.

[quanjielin]

done.

[lizan]

the if and else is pretty similar, extract to a function.

[quanjielin]

seems no extra function needed after moving code around :)

[diemtvu]

What mode? This means users will see counter for permissive_allowed all the time, even they do not provide any permissive rules. It seems confusing to me. Anyway, it's just my opinion.

[diemtvu]

I'm still don't understand the purpose of this boolean. Can we just use the logic with the next two if you've just added?

[quanjielin]

I also feel it's not needed, it could be inferred from whether rules is set; removed it in c4f5e47. @rodaine let's know if I miss anything here.

[liminw]

Before we remove "[(validate.rules).message.required = true]", @rodaine can you please review this part? I think you had it there on purpose.

For RBAC disabled case, we can just leave the entire RBAC filter spec empty. RBAC filter will not be invoked in that case.

[rodaine]

See my other comment on the removal of disabled

[liminw]

Why is this removed?

[quanjielin]

as just mentioned in another comment, this field could be inferred from whether rules is set(same as logic used in other places in this PR), need @rodaine confirm though.

[rodaine]

This was originally added as an explicit indicator that the filter is disabled for the vhost/route. Likewise, making it by-convention (ie, the config.rbac.v2alpha.RBAC being unset in the above config) permits the pathological configuration of RBAC where the global filter has no policies defined at all.

[rodaine]

Can we just keep rules = 1? Otherwise, this would be a breaking change to anyone already consuming them. I understand the desire to clearly indicate that these are the actually enforced rules, but I think that can be accomplished in the comments.

[quanjielin]

done.

[rodaine]

please also reserve disabled

[quanjielin]

done.

[rodaine]

Can we change the last clause to: ...it is used to test how a new set of policies work before rolling out to production.?

[quanjielin]

done.

[rodaine]

For clarity, please drop the by the filter enforcement mode phrase from allowed/denied, and change the shadow ones to that would be allowed/denied access by the filter's shadow rules.

[quanjielin]

done.

[rodaine]

The passed in config cannot be nil (due to the reference in the engine's constructor), and the RBAC proto has validation to prevent it being set with no policies. We're just bypassing that by returning the zero value in the route specific config's constructor. The engine does not need to know about enabled/disabled as that's a function of the filter, though. This should be encoded in the filter's config logic, not the engine impl, IMO.

[rodaine]

can remove the raw string markers: "{}"

[quanjielin]

seems {} is needed(tried to remove it then test timeout..)

[rodaine]

sorry i meant replace R"EOF({})EOF" with just "{}"

[quanjielin]

done.

[rodaine]

please change back to 1 (and remove the reserved).

[quanjielin]

done.

[rodaine]

remove /denied

[quanjielin]

done.

[rodaine]

remove allowed/ (sorry wasn't clearer!)

[quanjielin]

done.

[rodaine]

is this used?

[rodaine]

can this be resolved at construction so we don't need to hold onto the RBAC config?

[quanjielin]

use two boolean member variables instead of holding config _? we could do that that but personally I don't feel too much differences (run-time also should be quick ?)

[lizan]

+1, you can make engine_ and shadow_engien_ an absl::optional

[quanjielin]

done, looks much cleaner now, thanks !

[lizan]

can you extract this part getRouteLocalConfig to another function? It is similar with engine above.

[quanjielin]

not necessary now as after getting rid of this function.

[lizan]

+1, you can make engine_ and shadow_engien_ an absl::optional

[yangminzhu]

Can we do not increase the stats when config_->isEnabled() is false? Otherwise I'm afraid the stats is not very useful as it is increased when rbac is not enabled.

[quanjielin]

updated the logic.

[yangminzhu]

encorced_rules -> rules in the comment?

[quanjielin]

thanks, done.

[diemtvu]

I suggest to use pointer (unique_ptr<Filters::Common::RBAC::RoleBasedAccessControlEngine>) for engine / shadow_engine, and create them conditionally in the constructor. Later, you then can simply check if engine_ == nullptr before running it. E.g:

RoleBasedAccessControlRouteSpecificFilterConfig::RoleBasedAccessControlRouteSpecificFilterConfig(const envoy::config::filter::http::rbac::v2::RBACPerRoute& per_route_config) config_(per_route_config.rbac()) {
  if (config_.has_rules()) {
    engine_.reset(new Filters::Common::RBAC::RoleBasedAccessControlEngineImpl(config_.rules());
  }
}

then later in decodeHeader

if (shadow_engine_) {
  if (shadow_engine_.allowed(*callbacks_->connection(), headers)) {
    config_->stats().shadow_allowed_.inc();
  } else {
    config_->stats().shadow_denied_.inc();
  }
}

if (engine_ == nullptr) {
 if (engine_.allowed(*callbacks_->connection(), headers)) {
    config_->stats().allowed_.inc();
    return Http::FilterHeadersStatus::Continue;
 } else {
    config_->stats().denied_.inc();
    //...
    return Http::FilterHeadersStatus::StopIteration;
 }
}
// engine_ == nullptr, equivalent to rbac disable. Always accept request.
return Http::FilterHeadersStatus::Continue;
}

[lizan]

See my comment above, you can use absl::optional instead of a pointer, and check if they are nullopt.

[diemtvu]

I would break this if to separate config_.isEnabled() == false to the different part that just return Continue (without counter) to be consistent. See example in the suggestion above.

[quanjielin]

thanks, done.

[lizan]

LGTM modulo 2 nits

[lizan]

nit: const

[quanjielin]

added.

[lizan]

nit: const

[quanjielin]

added

[lizan]

Thanks. PTAL @rodaine @mattklein123

[lizan]

You didn't have to squash again since DCO was OK.

[mattklein123]

LGTM, just some small comments. Cool!

[mattklein123]

I think this text is out of data for an old implementation? It doesn't make sense. I think you can just remove and leave to the documentation below to cover.

[quanjielin]

removed.

[mattklein123]

I would replace these two sentences with: "If absent, no enforcing RBAC policy will be applied."

[quanjielin]

done.

[mattklein123]

Replace two sentences with: "Shadow rules are not enforced by the filter (i.e., returning a 403) but will emit stats and logs and can be used for rule testing. If absent, no shadow RBAC policy with be applied."

[quanjielin]

done.

[mattklein123]

Add: "If absent, the global RBAC policy will be disabled for this route."

[quanjielin]

done.

[mattklein123]

"it is used to test that a..."

[quanjielin]

done.

[mattklein123]

s/prod/production here and elsewhere.

[quanjielin]

done.

[mattklein123]

nit: slash indent

[quanjielin]

updated.

[mattklein123]

nit: Enforced, Shadow

[quanjielin]

updated.

[mattklein123]

Can this derive from RoleBasedAccessControlRouteSpecificFilterConfig? all the code is basically the same.

[quanjielin]

Since RoleBasedAccessControlRouteSpecificFilterConfig is derived from RouteSpecificFilterConfig , I may prefer to keep RoleBasedAccessControlFilterConfig as it is.

[mattklein123]

LGTM. Will defer to @rodaine for any final comments.

[rodaine]

Awesome work! LGTM