server: add a CLI option to disable extensions#9125
Conversation
Add a new `--disable-extensions` flag that hides the named extensions from their corresponding factory registry. The extensions are retained in the registry factory, but the factory pointer is nulled so that configuration attempts to use the extensions will fail. This fixes envoyproxy#9096. Signed-off-by: James Peach <jpeach@apache.org>
Signed-off-by: James Peach <jpeach@apache.org>
/retest |
|
🐴 hold your horses - no failures detected, yet. |
|
I'm also looking for feedback on how to fully-qualify extension names. Should we do |
+1 to the latter. |
|
cc @yanavlasov @htuch, this will affect the reporting client capabilities too. |
|
@Shikugawa do you mind take a pass? |
include/envoy/registry/registry.h
Outdated
| if (it == factories().end()) { | ||
| return false; | ||
| } | ||
| it->second = nullptr; |
There was a problem hiding this comment.
Can we just erase the name from factories()?
There was a problem hiding this comment.
I avoided that because there's no locking around the lookup. That should not be a problem in practice with the current usage, but it makes me nervous :)
There was a problem hiding this comment.
Changing the value should make you as nervous as erase :) because they are not thread safe either.
There was a problem hiding this comment.
IIUC it's safe to change the pointer. It has no effect on concurrent lookups and and caller either gets the pointer or gets null. Since we don't deallocate the factory, either is OK. It's racy but not unsafe.
IIUC, there's 2 options here.
|
I prefer 1. |
|
On Nov 27, 2019, at 6:44 AM, Lizan Zhou ***@***.***> wrote:
When an extension is disabled, it is disabled for all its possible names
Only the given extension name is disabled, other names continue to resolve.
I prefer 1
Haha, I was leaning towards (2) so that you can disable just the deprecated names to test upgrade paths. Maybe a `—disable-extensions=deprecated”?
|
|
Those will be tested in DEPRECATED_FEATURE_TEST in the compile time options. It seems more confusing by doing 2 and that doesn't provide security protection either. |
Signed-off-by: James Peach <jpeach@apache.org>
When an extension is disabled, use the deprecated name tracking to disable it by all its possible names. Signed-off-by: James Peach <jpeach@apache.org>
Signed-off-by: James Peach <jpeach@apache.org>
Signed-off-by: James Peach <jpeach@apache.org>
|
@lizan Updated with review feedback. |
Signed-off-by: James Peach <jpeach@apache.org>
Signed-off-by: James Peach <jpeach@apache.org>
|
@lizan WDYT? I'd prefer to leave the lambda and disable deletion as it, but happy to discuss further. |
*Description:* Add a new `--disable-extensions` flag that hides the named extensions from their corresponding factory registry. The extensions are retained in the registry factory, but the factory pointer is nulled so that configuration attempts to use the extensions will fail. *Risk Level:* Medium *Testing:* Added unit tests, manual verification. *Docs Changes:* Added to CLI reference. *Release Notes:* Added release note. *Fixes:* envoyproxy#9096 Signed-off-by: James Peach <jpeach@apache.org> Signed-off-by: Prakhar <prakhar_au@yahoo.com>
Description:
Add a new
--disable-extensionsflag that hides the named extensionsfrom their corresponding factory registry. The extensions are retained
in the registry factory, but the factory pointer is nulled so that
configuration attempts to use the extensions will fail.
Risk Level: Medium
Testing: Added unit tests, manual verification.
Docs Changes: Added to CLI reference.
Release Notes: Added release note.
Fixes: #9096