rbac: add dynamic metadata to network level filter#4910
rbac: add dynamic metadata to network level filter#4910mattklein123 merged 7 commits intoenvoyproxy:masterfrom
Conversation
a48c2e0 to
43d53d9
Compare
|
/cc @quanjielin Could you take a look at this? Thanks. |
yangminzhu
left a comment
There was a problem hiding this comment.
Thanks for working on this.
8e969d0 to
0fdcbb4
Compare
|
@yangminzhu and @quanjielin / @rodaine any more comments on this? |
This commit enhances the network level RBAC filter by adding dynamic metadata to the connection's StreamInfo object. Signed-off-by: Venil Noronha <veniln@vmware.com>
Signed-off-by: Venil Noronha <veniln@vmware.com>
0fdcbb4 to
8d067fa
Compare
There was a problem hiding this comment.
@liminw @quanjielin
Can we merge this with the HTTP filter to use the same set of constants? Instead of two sets of constants representing essentially the same thing.
There was a problem hiding this comment.
we should make tcp/http aligned, the work could happen in this PR or separated PR.
There was a problem hiding this comment.
Unsure if renaming the HTTP metadata fields/values will cause any regression externally.
There was a problem hiding this comment.
From istio side, it's marked as Alpha feature, which is 'No guarantees on backward compatibility'.
|
/lgtm |
Signed-off-by: Venil Noronha <veniln@vmware.com>
4307545 to
9b7faa9
Compare
Signed-off-by: Venil Noronha <veniln@vmware.com>
Signed-off-by: Venil Noronha <veniln@vmware.com>
a5637fb to
7ffdcd8
Compare
Signed-off-by: Venil Noronha <veniln@vmware.com>
mattklein123
left a comment
There was a problem hiding this comment.
LGTM, a doc question. Thank you!
|
|
||
| class DynamicMetadataKeys { | ||
| public: | ||
| const std::string ShadowPolicyIdField{"shadow_effective_policyID"}; |
There was a problem hiding this comment.
Does this key and the other keys in this file need to be documented somewhere? Is the idea here that this is meant to be sent in logging data? If we have well known metadata keys I think they should be documented somewhere?
There was a problem hiding this comment.
It may be useful to document these constants as other filters may be able to augment Envoy's behavior based on these. I think that should be done along with the rename suggested in this comment in another PR.
There was a problem hiding this comment.
OK if you plan on doing a follow up, SGTM.
There was a problem hiding this comment.
Will do. Let me know if you have suggestions on where to document these.
There was a problem hiding this comment.
I'm not sure, maybe a new section on "well known dynamic metadata" under here: https://www.envoyproxy.io/docs/envoy/latest/configuration/configuration? I would take a look and see what feels right.
Description: This PR enhances the network level RBAC filter by adding dynamic metadata to the connection's
StreamInfoobject.Risk Level: Low
Testing: Updated tests
Docs Changes: N/A
Release Notes: Added a note about this change