feat: support ext_auth wasmplugin #1103

Merged: 15 commits from wasm-ext-authz into alibaba:main, Jul 17, 2024

Conversation

@hanxiantao (Collaborator) commented Jul 8, 2024

Ⅰ. Describe what this PR did

support ext_auth wasmplugin

Ⅱ. Does this pull request fix one issue?

fixes #895

Ⅲ. Why don't you add test cases (unit test/integration test)?

Ⅳ. Describe how to verify it

httpbin is used below as the auth service.

Scenario: calling the auth service with with_request_body=false and a 200 response:

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    failure_mode_allow: true
    failure_mode_allow_header_add: true
    http_service:
      authorization_request:
        allowed_headers:
        - exact: x-user-id
        - prefix: x-custom-
        headers_to_add:
          key1: value1
          key2: value2
        with_request_body: false
      endpoint:
        path: /post
        request_method: POST
        service_name: ext-auth
        service_port: 80
        service_source: ip
      timeout: 20000  
  imagePullSecret: aliyun
  url: >-
    oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:ext-auth-0.0.50

GET request to the gateway:

curl --location --request GET 'http://localhost:8082/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5' \
--header 'Host: foo.bar.com' \
--header 'Authorization: 123456' \
--header 'x-user-id: 111222' \
--header 'x-custom-1: 1' \
--header 'x-custom-2: 2'

The auth service call succeeded, and the corresponding request headers were forwarded:

Scenario: calling the auth service with with_request_body=true and a 200 response:

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    failure_mode_allow: true
    failure_mode_allow_header_add: true
    http_service:
      authorization_request:
        allowed_headers:
        - exact: x-user-id
        - prefix: x-custom-
        headers_to_add:
          key1: value1
          key2: value2
        with_request_body: true
      endpoint:
        path: /post
        request_method: POST
        service_name: ext-auth
        service_port: 80
        service_source: ip
      timeout: 20000
  imagePullSecret: aliyun
  url: >-
    oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:ext-auth-0.0.50

POST request to the gateway:

curl -kvv --location --request POST 'http://localhost:8082/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5' \
--header 'Host: foo.bar.com' \
--header 'Authorization: 123456' \
--header 'x-user-id: 111222' \
--header 'x-custom-1: 1' \
--header 'x-custom-2: 2' \
--header 'Content-Type: application/json' \
--data-raw '{"test":"123456"}'

The auth service call succeeded, and the request body and the corresponding request headers were forwarded:

Simulating the auth service returning 500:

wasmplugin.yaml:

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    failure_mode_allow: false
    failure_mode_allow_header_add: false
    http_service:
      authorization_request:
        allowed_headers:
        - exact: x-user-id
        - prefix: x-custom-
        headers_to_add:
          key1: value1
          key2: value2
      endpoint:
        path: /status/500
        request_method: POST
        service_name: ext-auth
        service_port: 80
        service_source: ip
      timeout: 20000
  imagePullSecret: aliyun
  url: >-
    oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:ext-auth-0.0.50

POST request to the gateway:

curl -kvv --location --request GET 'http://localhost:8082/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5' \
--header 'Host: foo.bar.com' \
--header 'Authorization: 123456' \
--header 'x-user-id: 111222' \
--header 'x-custom-1: 1' \
--header 'x-custom-2: 2'

The auth service returned 500, but failure_mode_allow is false, so 403 is returned:

Simulating the auth service returning 500 with failure_mode_allow=true:

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    failure_mode_allow: true
    failure_mode_allow_header_add: true
    http_service:
      authorization_request:
        allowed_headers:
        - exact: x-user-id
        - prefix: x-custom-
        headers_to_add:
          key1: value1
          key2: value2
      endpoint:
        path: /status/500
        request_method: POST
        service_name: ext-auth
        service_port: 80
        service_source: ip
      timeout: 20000
  imagePullSecret: aliyun
  url: >-
    oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:ext-auth-0.0.50

The auth service returned 500, but failure_mode_allow is true, so the downstream is still called with the request header x-envoy-auth-failure-mode-allowed=true added, and 200 is returned in the end:

Gateway log:

[Envoy (Epoch 0)] [2024-07-15 23:54:04.604][41][debug][wasm] wasm log higress-system.test: http call start, id: 78168633-4701-4781-8424-72fdcfe8e37f, cluster: outbound|80||ext-auth.static, method: POST, path: /status/500, body: , timeout: 20000
[Envoy (Epoch 0)] [2024-07-15 23:54:04.608][41][critical][wasm] wasm log higress-system.test: failed to get response body: error status returned by host: not found
[Envoy (Epoch 0)] [2024-07-15 23:54:04.608][41][debug][wasm] wasm log higress-system.test: http call end, id: 78168633-4701-4781-8424-72fdcfe8e37f, code: 500, normal: true, body:
[Envoy (Epoch 0)] [2024-07-15 23:54:04.608][41][error][wasm] wasm log higress-system.test: [ext-auth] failed to call ext auth server, status: 500
{"authority":"foo.bar.com","bytes_received":"0","bytes_sent":"4","downstream_local_address":"127.0.0.1:80","downstream_remote_address":"127.0.0.1:39582","duration":"5","istio_policy_status":"-","method":"GET","path":"/https/github.com/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5","protocol":"HTTP/1.1","request_id":"814e2437-2993-4b55-b4d9-ca463aae0b69","requested_server_name":"-","response_code":"200","response_flags":"-","route_name":"foo","start_time":"2024-07-15T23:54:04.604Z","trace_id":"67998b27377e9d5977651d3754f6e612","upstream_cluster":"outbound|5678||foo-service.default.svc.cluster.local","upstream_host":"10.244.0.11:5678","upstream_local_address":"10.244.0.14:47122","upstream_service_time":"0","upstream_transport_failure_reason":"-","user_agent":"curl/8.1.2","x_forwarded_for":"10.244.0.14","x-envoy-auth-failure-mode-allowed":"true","Custom-Header":"-"}

allowed_upstream_headers passes the response headers returned by the auth service to the downstream:

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    http_service:
      authorization_request:
        allowed_headers:
        - exact: x-user-id
        - prefix: x-custom-
        headers_to_add:
          key1: value1
          key2: value2
      authorization_response:
        allowed_upstream_headers:
          - prefix: Custom-
      endpoint:
        path: /response-headers?Custom-Header=MyHeaderValue
        service_name: ext-auth
        service_port: 80
        service_source: ip
        timeout: 20000
  imagePullSecret: aliyun
  url: >-
    oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:ext-auth-0.0.50

The auth service returned 200 with a Custom-Header response header, which is passed on to the downstream service:

[Envoy (Epoch 0)] [2024-07-16 00:04:45.469][41][debug][wasm] wasm log higress-system.test: http call start, id: 4fd7c10e-8df6-4db9-874d-0735df0aac2d, cluster: outbound|80||ext-auth.static, method: POST, path: /response-headers?Custom-Header=MyHeaderValue, body: , timeout: 200
[Envoy (Epoch 0)] [2024-07-16 00:04:45.490][41][debug][wasm] wasm log higress-system.test: http call end, id: 4fd7c10e-8df6-4db9-874d-0735df0aac2d, code: 200, normal: true, body: {
"Content-Length": "106",
"Content-Type": "application/json",
"Custom-Header": "MyHeaderValue"
}
{"authority":"foo.bar.com","bytes_received":"0","bytes_sent":"4","downstream_local_address":"127.0.0.1:80","downstream_remote_address":"127.0.0.1:35750","duration":"43","istio_policy_status":"-","method":"GET","path":"/https/github.com/foo?apikey=9a342114-ba8a-11ec-b1bf-00163e1250b5","protocol":"HTTP/1.1","request_id":"b99c9b62-4b17-4b10-8d28-663be60bb5c4","requested_server_name":"-","response_code":"200","response_flags":"-","route_name":"foo","start_time":"2024-07-16T00:04:45.451Z","trace_id":"fc2eef4386ecc595dea724095f28ae55","upstream_cluster":"outbound|5678||foo-service.default.svc.cluster.local","upstream_host":"10.244.0.11:5678","upstream_local_address":"10.244.0.14:44194","upstream_service_time":"2","upstream_transport_failure_reason":"-","user_agent":"curl/8.1.2","x_forwarded_for":"10.244.0.14","x-envoy-auth-failure-mode-allowed":"-","Custom-Header":"MyHeaderValue"}

Simulating the auth service returning 500 with allowed_client_headers configured:

Without allowed_client_headers:

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    http_service:
      authorization_request:
        allowed_headers:
        - exact: x-user-id
        - prefix: x-custom-
        headers_to_add:
          key1: value1
          key2: value2  
      authorization_response:
        allowed_upstream_headers:
          - prefix: Custom-
      endpoint:
        path: /auth
        service_name: ext-auth2
        service_port: 80
        service_source: ip
        timeout: 20000
    status_on_error: 401
  imagePullSecret: aliyun
  url: >-
    oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:ext-auth-0.0.50

The response to the request carries all of the response headers returned by the auth service.

With allowed_client_headers set, only x-custom-header is returned:

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: test
  namespace: higress-system
spec:
  defaultConfig:
    http_service:
      authorization_request:
        headers_to_add:
          key1: value1
          key2: value2
        allowed_headers:
        - exact: x-user-id
        - prefix: x-custom-  
      authorization_response:
        allowed_upstream_headers:
          - prefix: Custom-
        allowed_client_headers:
          - exact: X-Custom-Header2
      endpoint:
        path: /auth
        service_name: ext-auth2
        service_port: 80
        service_source: ip
        timeout: 20000
    status_on_error: 401
  imagePullSecret: aliyun
  url: >-
    oci://registry.cn-hangzhou.aliyuncs.com/wasm-plugin/wasm-plugin:ext-auth-0.0.50


Ⅴ. Special notes for reviews
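To make the allow/deny rules exercised in the verification steps above concrete, here is an added Go example, written for this page and not the ext-auth plugin's own code. It models the decision for one request from the options used in the WasmPlugin configs above: failure_mode_allow, failure_mode_allow_header_add, status_on_error, allowed_headers, headers_to_add, allowed_upstream_headers and allowed_client_headers. The Go types, the treatment of a failed call the same way as a 5xx, and the rule that the Authorization header is always forwarded to the auth service (which mirrors Envoy's ext_authz) are assumptions; the option and header names come from the page.

```go
package main

import (
	"fmt"
	"strings"
)

// HeaderMatcher is one entry of an allowed_* list: an exact header name or a
// name prefix. Header names are compared case-insensitively (assumption).
type HeaderMatcher struct {
	Exact  string
	Prefix string
}

// Match reports whether the header name is selected by this matcher.
func (m HeaderMatcher) Match(name string) bool {
	n := strings.ToLower(name)
	if m.Exact != "" {
		return n == strings.ToLower(m.Exact)
	}
	return m.Prefix != "" && strings.HasPrefix(n, strings.ToLower(m.Prefix))
}

// Config holds the options used in the verification steps; field shapes are assumed.
type Config struct {
	FailureModeAllow          bool
	FailureModeAllowHeaderAdd bool
	StatusOnError             int               // 0 selects the default, 403
	AllowedHeaders            []HeaderMatcher   // client headers sent to the auth service
	HeadersToAdd              map[string]string // fixed headers sent to the auth service
	AllowedUpstreamHeaders    []HeaderMatcher   // auth response headers sent upstream on allow
	AllowedClientHeaders      []HeaderMatcher   // auth response headers sent to the client on deny
}

// filterHeaders copies the headers whose names match any matcher.
func filterHeaders(in map[string]string, ms []HeaderMatcher) map[string]string {
	out := map[string]string{}
	for k, v := range in {
		for _, m := range ms {
			if m.Match(k) {
				out[k] = v
				break
			}
		}
	}
	return out
}

// BuildAuthRequestHeaders selects what the gateway sends to the auth service:
// client headers selected by allowed_headers plus headers_to_add. Authorization
// is always forwarded (assumption, mirroring Envoy's ext_authz).
func BuildAuthRequestHeaders(cfg Config, client map[string]string) map[string]string {
	out := filterHeaders(client, cfg.AllowedHeaders)
	for k, v := range client {
		if strings.EqualFold(k, "authorization") {
			out[k] = v
		}
	}
	for k, v := range cfg.HeadersToAdd {
		out[k] = v
	}
	return out
}

// Decision is the outcome for one client request.
type Decision struct {
	Allow           bool
	Status          int               // status returned to the client when denied
	UpstreamHeaders map[string]string // added to the upstream request when allowed
	ClientHeaders   map[string]string // added to the client response when denied
}

// Decide applies the rules seen in the verification runs:
//   2xx             -> allow; forward headers selected by allowed_upstream_headers
//   5xx or no reply -> failure mode: allow (and tag the request) if failure_mode_allow,
//                      otherwise deny with status_on_error
//   anything else   -> deny with the auth service's own status
// callErr is non-nil when the HTTP call itself failed (timeout, unknown cluster).
func Decide(cfg Config, authStatus int, authHeaders map[string]string, callErr error) Decision {
	switch {
	case callErr == nil && authStatus >= 200 && authStatus < 300:
		return Decision{Allow: true, UpstreamHeaders: filterHeaders(authHeaders, cfg.AllowedUpstreamHeaders)}
	case callErr != nil || authStatus >= 500:
		if cfg.FailureModeAllow {
			d := Decision{Allow: true, UpstreamHeaders: map[string]string{}}
			if cfg.FailureModeAllowHeaderAdd {
				d.UpstreamHeaders["x-envoy-auth-failure-mode-allowed"] = "true"
			}
			return d
		}
		status := cfg.StatusOnError
		if status == 0 {
			status = 403
		}
		return Decision{Status: status, ClientHeaders: clientHeaders(cfg, authHeaders)}
	default:
		return Decision{Status: authStatus, ClientHeaders: clientHeaders(cfg, authHeaders)}
	}
}

// clientHeaders: with allowed_client_headers unset, every auth service response
// header reaches the client; otherwise only the matching ones do.
func clientHeaders(cfg Config, authHeaders map[string]string) map[string]string {
	if len(cfg.AllowedClientHeaders) == 0 {
		out := make(map[string]string, len(authHeaders))
		for k, v := range authHeaders {
			out[k] = v
		}
		return out
	}
	return filterHeaders(authHeaders, cfg.AllowedClientHeaders)
}

func main() {
	// Constructed config and client headers mirroring the failure_mode_allow scenarios above.
	cfg := Config{
		FailureModeAllow:          true,
		FailureModeAllowHeaderAdd: true,
		AllowedHeaders:            []HeaderMatcher{{Exact: "x-user-id"}, {Prefix: "x-custom-"}},
		HeadersToAdd:              map[string]string{"key1": "value1", "key2": "value2"},
		AllowedUpstreamHeaders:    []HeaderMatcher{{Prefix: "Custom-"}},
	}
	client := map[string]string{"Authorization": "123456", "x-user-id": "111222", "x-custom-1": "1", "Cookie": "session=abc"}
	fmt.Println("sent to auth service:", BuildAuthRequestHeaders(cfg, client))
	fmt.Printf("auth 500, failure_mode_allow=true:  %+v\n", Decide(cfg, 500, nil, nil))
	cfg.FailureModeAllow = false
	fmt.Printf("auth 500, failure_mode_allow=false: %+v\n", Decide(cfg, 500, nil, nil))
}
```

The point worth checking in a real deployment is the failure-mode branch: with failure_mode_allow: true a 5xx or timeout from the auth service lets the request through, which is exactly the 200 seen in the gateway log above. The x-envoy-auth-failure-mode-allowed header is the only signal the upstream gets that no authorization actually happened, so the upstream should treat it as such rather than ignore it.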

@hanxiantao (Collaborator, Author):

The ext_authz wasmplugin is basically finished and still being tested. You can take a look first to see whether it meets your needs, or whether you have any suggestions @alexzzh @jaggerwang
The configuration format follows Envoy's native filter: https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/ext_authz_filter

@jaggerwang:

I skimmed the code and the docs; it meets our needs, thanks a lot! Could you also give an example of using the plugin to call an auth service deployed in Kubernetes, assuming the auth service is named user, on port 80, at path /auth, in namespace backend?

@hanxiantao (Collaborator, Author):

> I skimmed the code and the docs; it meets our needs, thanks a lot! Could you also give an example of using the plugin to call an auth service deployed in Kubernetes, assuming the auth service is named user, on port 80, at path /auth, in namespace backend?

OK, I'll improve the docs later and add this example; thanks for the suggestion.

@jaggerwang commented Jul 10, 2024:

> I skimmed the code and the docs; it meets our needs, thanks a lot! Could you also give an example of using the plugin to call an auth service deployed in Kubernetes, assuming the auth service is named user, on port 80, at path /auth, in namespace backend?

> OK, I'll improve the docs later and add this example; thanks for the suggestion.

Shouldn't service_source in the example be dns, with service_domain filled in, something like this:

spec:
  defaultConfig:
    http_service:
      server_uri:
        service_source: dns
        service_name: user.backend
        service_port: 80
        service_domain: user.backend.svc.cluster.local
        path: /auth

@hanxiantao (Collaborator, Author):

I took a rough look at the Cluster implementation. My current understanding is that service_source: dns corresponds to the "DNS domain" service source type in the console, while a Kubernetes service corresponds to the "Kubernetes" service source type in the console.
So, following the implementation in another wasm plugin, I added handling for the service_source types k8s and nacos; I have verified service_source: k8s and the call goes through.
I'll verify again later using the approach you provided; thanks.

As for this part, the allowed_client_headers setting under authorization_response hasn't been verified yet; everything else has been. I'll verify both of these cases and then turn this into a formal PR.

@hanxiantao hanxiantao marked this pull request as ready for review July 10, 2024 14:22
@johnlanni (Collaborator):

cc @CH3CHO

@hanxiantao (Collaborator, Author):

I'll add unit tests for matcher.go later and then resolve the code conflicts with #1113

# Conflicts:
#	plugins/wasm-go/extensions/cluster-key-rate-limit/README.md
#	plugins/wasm-go/extensions/cluster-key-rate-limit/go.mod

@hanxiantao (Collaborator, Author):

> I'll add unit tests for matcher.go later and then resolve the code conflicts with #1113

The code has been submitted; please help review it @CH3CHO

plugins/wasm-go/extensions/ext-auth/README.md (outdated, resolved)
plugins/wasm-go/extensions/ext-auth/README.md (resolved)
plugins/wasm-go/pkg/wrapper/http_wrapper.go (outdated, resolved)

type Matcher interface {
	Match(s string) bool
	IgnoreCase() bool

Collaborator:

IgnoreCase reads like an operation, but it actually returns the flag for whether case is ignored when comparing. Consider renaming it to IsCaseInsensitive.

Collaborator:

Only after reading further did I realize this IgnoreCase requires the caller to process the input beforehand. That's not a good design: a component's own behaviour shouldn't depend on what was done to the external input. If it is needed, it's better placed inside repeatedStringMatcher as an external control condition.

Collaborator:

Given what it currently does, this function should really be called ShallLoweredBeforeMatch, which is odd.

return buildRepeatedStringMatcher(matchers, false)
}

func BuildStringMatcher(matcher gjson.Result) (Matcher, error) {

Collaborator:

Why doesn't this one support ignoreCase?

}

// call ext auth server
err := config.httpService.client.Do(ctx.Method(), config.httpService.path, reconvertHeaders(extAuthReqHeaders), body,

Collaborator:

A question here: ctx.Method() is the current request's Method. Is the auth service also called with this Method? Could the two differ?
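The review thread above is about where ignore-case handling belongs in the header matcher. The following added Go example (mine, not the project's matcher.go) shows the design the reviewer is asking for: ignore_case is a property of each configured matcher, applied inside Match, so callers such as the header filter never lower-case input themselves, and the repeated matcher is just "any entry matches". The StringMatcherSpec shape follows Envoy's StringMatcher (exact, prefix, safe_regex, ignore_case) and is an assumption about this plugin's config, which on this page shows only exact and prefix; encoding/json stands in for gjson so the example runs stand-alone.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Matcher tests one string. Case handling is fixed when the matcher is built,
// so callers never pre-process the input.
type Matcher interface {
	Match(s string) bool
}

type textKind int

const (
	kindExact textKind = iota
	kindPrefix
)

// textMatcher covers exact and prefix. When fold is set, value was lower-cased
// at build time and the input is lower-cased at match time.
type textMatcher struct {
	kind  textKind
	value string
	fold  bool
}

func (m textMatcher) Match(s string) bool {
	if m.fold {
		s = strings.ToLower(s)
	}
	if m.kind == kindExact {
		return s == m.value
	}
	return strings.HasPrefix(s, m.value)
}

// regexMatcher requires the whole input to match, like Envoy's safe_regex.
type regexMatcher struct{ re *regexp.Regexp }

func (m regexMatcher) Match(s string) bool { return m.re.MatchString(s) }

// anyMatcher is the repeated form: true if any entry matches.
type anyMatcher []Matcher

func (a anyMatcher) Match(s string) bool {
	for _, m := range a {
		if m.Match(s) {
			return true
		}
	}
	return false
}

// StringMatcherSpec is one config entry, shaped like Envoy's StringMatcher (assumed).
type StringMatcherSpec struct {
	Exact      *string `json:"exact"`
	Prefix     *string `json:"prefix"`
	Regex      *string `json:"regex"`
	IgnoreCase bool    `json:"ignore_case"`
}

// BuildStringMatcher turns a spec into a Matcher; ignore_case is applied here,
// once, instead of being exposed to callers.
func BuildStringMatcher(spec StringMatcherSpec) (Matcher, error) {
	text := func(k textKind, v string) Matcher {
		if spec.IgnoreCase {
			v = strings.ToLower(v)
		}
		return textMatcher{kind: k, value: v, fold: spec.IgnoreCase}
	}
	switch {
	case spec.Exact != nil:
		return text(kindExact, *spec.Exact), nil
	case spec.Prefix != nil:
		return text(kindPrefix, *spec.Prefix), nil
	case spec.Regex != nil:
		pattern := "^(?:" + *spec.Regex + ")$" // anchor: full-string match
		if spec.IgnoreCase {
			pattern = "(?i)" + pattern
		}
		re, err := regexp.Compile(pattern)
		if err != nil {
			return nil, fmt.Errorf("invalid regex %q: %w", *spec.Regex, err)
		}
		return regexMatcher{re}, nil
	}
	return nil, errors.New("string matcher needs one of exact, prefix or regex")
}

// BuildRepeatedStringMatcher parses a JSON array of specs into an anyMatcher.
func BuildRepeatedStringMatcher(jsonList string) (Matcher, error) {
	var specs []StringMatcherSpec
	if err := json.Unmarshal([]byte(jsonList), &specs); err != nil {
		return nil, err
	}
	out := make(anyMatcher, 0, len(specs))
	for _, sp := range specs {
		m, err := BuildStringMatcher(sp)
		if err != nil {
			return nil, err
		}
		out = append(out, m)
	}
	return out, nil
}

func main() {
	// Constructed list in the style of the page's allowed_headers, plus ignore_case.
	m, err := BuildRepeatedStringMatcher(`[{"exact":"x-user-id","ignore_case":true},{"prefix":"x-custom-"}]`)
	if err != nil {
		panic(err)
	}
	for _, h := range []string{"X-User-Id", "x-custom-1", "X-Custom-1", "cookie"} {
		fmt.Printf("%-11s -> %v\n", h, m.Match(h))
	}
}
```

Because the fold flag lives inside the matcher, the caller's code path is identical for case-sensitive and case-insensitive entries; that removes the "ShallLoweredBeforeMatch" coupling the reviewer objected to, and it also makes the regex form honour ignore_case, which the question about BuildStringMatcher raises.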

@jaggerwang:

Which release is this PR planned to ship with, v1.4.2 or v2.0, and what is the expected release date?

@hanxiantao (Collaborator, Author):

> Which release is this PR planned to ship with, v1.4.2 or v2.0, and what is the expected release date?

I've finished adjusting the new code and will push another version tonight; if all goes well it can make the next release, which should be v1.4.2 (that depends on the actual release date).

@alexzzh (Collaborator) commented Jul 15, 2024:

Hello, regarding the two Envoy-native features we discussed at the last meeting, which our production environment will need: what's the current status? Could we discuss?
1. Pass part of the body to the auth service rather than the full body.
2. Support the effect of the pack_as_bytes: true directive, i.e. pass the body to the auth service as binary rather than in UTF-8 form, to deal with the case where, with pack_as_bytes at its default, a byte (0x80) in a Thrift request body is converted to (0x21), which ultimately makes authorization fail at the auth service.

pack_as_bytes has a bug in Envoy below 1.25.8 where configuring it has no effect, but it is fixed in Envoy 1.27.

We can take this step by step; it doesn't all have to be implemented at once.

@hanxiantao (Collaborator, Author) commented Jul 15, 2024:

> Hello, regarding the two Envoy-native features we discussed at the last meeting, which our production environment will need: what's the current status? Could we discuss? 1. Pass part of the body to the auth service rather than the full body. 2. Support the effect of the pack_as_bytes: true directive, i.e. pass the body to the auth service as binary rather than in UTF-8 form, to deal with the case where, with pack_as_bytes at its default, a byte (0x80) in a Thrift request body is converted to (0x21), which ultimately makes authorization fail at the auth service.
>
> pack_as_bytes has a bug in Envoy below 1.25.8 where configuring it has no effect, but it is fixed in Envoy 1.27.
>
> We can take this step by step; it doesn't all have to be implemented at once.

OK. My first version probably won't support this yet, but I'll reserve room for it in the configuration; later I'll study the concrete implementation in Envoy and see whether it can be supported.
I looked at the external-auth plugin implementations of other gateways, e.g. the forward-auth plugin in APISIX, which currently doesn't include this configuration either; I'll look into that later as well.

@alexzzh (Collaborator) commented Jul 15, 2024:

> OK. My first version probably won't support this yet, but I'll reserve room for it in the configuration; later I'll study the concrete implementation in Envoy and see whether it can be supported. I looked at the external-auth plugin implementations of other gateways, e.g. the forward-auth plugin in APISIX, which currently doesn't include this configuration either; I'll look into that later as well.

OK, thanks a lot.

@hanxiantao hanxiantao requested a review from CH3CHO July 16, 2024 00:35
@hanxiantao (Collaborator, Author):

The configuration schema and the related code have been adjusted; please review when you have time, thanks @CH3CHO

@hanxiantao hanxiantao changed the title feat: support ext_authz wasmplugin feat: support ext_auth wasmplugin Jul 16, 2024
@CH3CHO (Collaborator) left a review comment:

LGTM

@CH3CHO CH3CHO merged commit c0f2caf into alibaba:main Jul 17, 2024
11 checks passed
@hanxiantao hanxiantao deleted the wasm-ext-authz branch July 17, 2024 09:25
@jaggerwang:

@CH3CHO I see the PR has been merged; when is the next release expected? We plan to use Higress as the gateway for our open API and are waiting for this plugin. Will there be a release this week? If not, we'll have to consider other options first, such as Nginx Ingress Controller + Spring Cloud Gateway.

@CH3CHO (Collaborator) commented Jul 18, 2024:

> @CH3CHO I see the PR has been merged; when is the next release expected? We plan to use Higress as the gateway for our open API and are waiting for this plugin. Will there be a release this week? If not, we'll have to consider other options first, such as Nginx Ingress Controller + Spring Cloud Gateway.

If it's just the plugin, I can build an image first. As for the release, not necessarily this week, but it should be out this month. @jaggerwang

@jaggerwang commented Jul 18, 2024:

OK, then please build a plugin image first, thanks!

@CH3CHO (Collaborator) commented Jul 18, 2024:

> OK, then please build a plugin image first, thanks!

Try this one: higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/ext-auth:1.0.0

@jaggerwang:

I configured the external auth service, but it doesn't seem to take effect.

The configuration is as follows:

apiVersion: extensions.higress.io/v1alpha1
kind: WasmPlugin
metadata:
  name: ext-auth
spec:
  url: oci://higress-registry.cn-hangzhou.cr.aliyuncs.com/plugins/ext-auth:1.0.0
  http_service:
    timeout: 1000
    endpoint:
      service_source: k8s
      namespace: basicai-backend
      service_name: user
      service_port: 80
      request_method: GET
      path: /auth/openApiAuth
    authorization_response:
      allowed_upstream_headers:
      - exact: X-Request-Context

Requests succeed whether or not the Authorization request header is sent.

The external auth endpoint is confirmed to be reachable from inside higress-gateway and to work correctly: without the Authorization header it returns 401; with it, it returns 200 and responds with the X-Request-Context header.

@hanxiantao (Collaborator, Author):

> I configured the external auth service, but it doesn't seem to take effect.
>
> Requests succeed whether or not the Authorization request header is sent.
>
> The external auth endpoint is confirmed to be reachable from inside higress-gateway and to work correctly: without the Authorization header it returns 401; with it, it returns 200 and responds with the X-Request-Context header.

Could you enable wasm debug logging and take a look?
Run curl -X POST http://localhost:15000/logging?wasm=debug on the gateway; the log will then include the request and response of the external auth call.

@jaggerwang:

Also, doesn't this plugin support specifying which routes it applies to, like the rate-limit plugin does, e.g. only taking effect for requests under a particular domain?

@hanxiantao (Collaborator, Author):

> Also, doesn't this plugin support specifying which routes it applies to, like the rate-limit plugin does, e.g. only taking effect for requests under a particular domain?

The logic for where a plugin takes effect is shared and identical to the rate-limit plugin; you can refer to the configuration of the other plugins.

@jaggerwang:

Request log without the Authorization header:

Request log with the Authorization header:

@jaggerwang:

> Also, doesn't this plugin support specifying which routes it applies to, like the rate-limit plugin does, e.g. only taking effect for requests under a particular domain?

> The logic for where a plugin takes effect is shared and identical to the rate-limit plugin; you can refer to the configuration of the other plugins.

So, like the rate-limit plugin, I should configure matchRules.domain and put the http_service configuration under matchRules.config?

@hanxiantao (Collaborator, Author):

> matchRules

Yes, plugin configuration is unified in this respect.

@hanxiantao (Collaborator, Author):

> Request log without the Authorization header:
>
> Request log with the Authorization header:

Try adding the authorization_request configuration; it feels like some nil checks are missing there:

authorization_request:
  allowed_headers:
  - exact: x-user-id
  - prefix: x-custom-
  headers_to_add:
    key1: value1
    key2: value2
  with_request_body: false

@jaggerwang:

I changed it to the following configuration:

But now it responds with 403 whether or not the Authorization header is sent:

@hanxiantao (Collaborator, Author):

> I changed it to the following configuration:
>
> But now it responds with 403 whether or not the Authorization header is sent:

Hi, after discussing offline, the problem has basically been located; I'll fix it as soon as possible.

@jaggerwang:

The ext-auth plugin reports a "bad argument" error when requesting the external auth service. curl http://localhost:15000/clusters confirms the external service has been recognized correctly, and, as mentioned earlier, requesting the external auth endpoint with curl from inside higress-gateway also works normally.

@hanxiantao (Collaborator, Author):

> The ext-auth plugin reports a "bad argument" error when requesting the external auth service. curl http://localhost:15000/clusters confirms the external service has been recognized correctly, and, as mentioned earlier, requesting the external auth endpoint with curl from inside higress-gateway also works normally.

Hi, as discussed offline, when service_source is k8s the code's logic for reading the namespace has a problem. We will unify the service configuration schema later, as discussed in PR #1152, and provide a new version at that point.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

higress support ext_authz wasmplugin
5 participants