Envoy configuration advisory on RBAC filter

Lizan Zhou

Feb 12, 2020, 6:05:19 PM
to envoy-secur...@googlegroups.com, envoy-a...@googlegroups.com, envoy-security, Envoy-maintainers
Hello Envoy Community,

The Envoy security team would like to announce a configuration advisory on the RBAC filter.

BEGIN OF THE CONFIGURATION ADVISORY


Configuration Advisory on RBAC filter


The Role Based Access Control (RBAC) filter supports header matchers in its policies, and one common use case is to enforce access control based on the path of the HTTP request by specifying the pseudo-header :path in the policy.


Please note that the pseudo-header :path doesn’t remove the fragment and query string from the original request. This means the RBAC filter will also see the fragment and query string in the header matcher.


The fragment and query string may cause an unexpected mismatch. For example, a policy with a header matcher on :path for “/some-path” will not match a request with the path “/some-path#fragment” or “/some-path?param=val”.


To avoid a potential mismatch, it's recommended to configure the RBAC filter with per-route configuration to correctly enforce access control in this case. The following is a sample per-route configuration with the RBAC filter. The RBAC filter is configured on the route for the path “/admin” so that only authenticated users are allowed to access it.

route_config:
  name: my_route
  virtual_hosts:
  - name: my_service
    domains: ["*"]
    routes:
    # Exact match on the path; `path` is the exact-match field of RouteMatch.
    - match: { path: "/admin" }
      route: { cluster: "my_service" }
      typed_per_filter_config:
        "envoy.filters.http.rbac":
          "@type": type.googleapis.com/envoy.config.filter.http.rbac.v2.RBACPerRoute
          rbac:
            rules:
              action: ALLOW
              policies:
                "admin-policy":
                  permissions:
                  - any: true
                  principals:
                  - authenticated:
                      principal_name: { exact: "admin" }
    # All other requests fall through to this route, which has no per-route RBAC.
    - match: { prefix: "/" }
      route: { cluster: "my_service" }


The other option is to upgrade Envoy and use the new url_path field that supports matching only the URL path portion of the :path header. The url_path field will remove the fragment and query string before matching.


Last, if you are unable to follow the above recommendations, below is a temporary workaround to achieve the same effect by using the current header matcher.


Change your RBAC configuration from the “Before” form to the “After” form so that it correctly handles the fragment and query string in the path.


For configuration using exact match:

Before:

  header:
    name: ":path"
    exact_match: "/some-path"

After:

  or_rules:
    rules:
    - header:
        name: ":path"
        exact_match: "/some-path"
    - header:
        name: ":path"
        prefix_match: "/some-path?"
    - header:
        name: ":path"
        prefix_match: "/some-path#"


For configuration using suffix match:

Before:

  header:
    name: ":path"
    suffix_match: "suffix"

After:

  header:
    name: ":path"
    safe_regex_match:
      regex: '^[^\?\#]*suffix([\?\#].*)?$'
      google_re2: {}



Please let us know by sending emails to envoy-s...@googlegroups.com if you have any questions.

Thank you.


END OF THE CONFIGURATION ADVISORY


Thank you to Yangmin Zhu for the coordination in making this configuration advisory.

Thanks,
Lizan Zhou (on behalf of the Envoy security team and maintainers)
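
The Before and After header matchers from the advisory above, checked against a few :path values. This is an added example, not part of the original advisory or Envoy's code: the matcher model is simplified, the sample paths are constructed, and Python's re module is assumed to stand in for RE2.

```python
import re

def header_rule(kind, value):
    """Model one RBAC header matcher on :path as a predicate (simplified)."""
    if kind == "exact_match":
        return lambda p: p == value
    if kind == "prefix_match":
        return lambda p: p.startswith(value)
    if kind == "suffix_match":
        return lambda p: p.endswith(value)
    if kind == "safe_regex_match":
        rx = re.compile(value)  # assumption: Python re stands in for RE2
        return lambda p: rx.fullmatch(p) is not None
    raise ValueError(f"unsupported matcher: {kind}")

def or_rules(*rules):
    """Model or_rules: the permission matches if any child rule matches."""
    return lambda p: any(rule(p) for rule in rules)

def matched(rule, paths):
    """Return the sample :path values the rule matches, in input order."""
    return [p for p in paths if rule(p)]

# The four matchers from the Before/After configurations in the advisory.
EXACT_BEFORE = header_rule("exact_match", "/some-path")
EXACT_AFTER = or_rules(
    header_rule("exact_match", "/some-path"),
    header_rule("prefix_match", "/some-path?"),
    header_rule("prefix_match", "/some-path#"),
)
SUFFIX_BEFORE = header_rule("suffix_match", "suffix")
SUFFIX_AFTER = header_rule("safe_regex_match", r"^[^\?\#]*suffix([\?\#].*)?$")

# Constructed :path values for illustration.
EXACT_SAMPLES = ["/some-path", "/some-path?param=val", "/some-path#fragment",
                 "/some-path/child", "/some-pathology"]
SUFFIX_SAMPLES = ["/a/suffix", "/a/suffix?param=val", "/a/suffix#fragment",
                  "/a/other?param=suffix"]

if __name__ == "__main__":
    for label, rule, samples in [
        ("exact before", EXACT_BEFORE, EXACT_SAMPLES),
        ("exact after", EXACT_AFTER, EXACT_SAMPLES),
        ("suffix before", SUFFIX_BEFORE, SUFFIX_SAMPLES),
        ("suffix after", SUFFIX_AFTER, SUFFIX_SAMPLES),
    ]:
        print(f"{label:14} matches {matched(rule, samples)}")
```

The same sample lists can be extended with paths from your own routes before changing a policy, to confirm the After form matches exactly the set you intend.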
