How does HTTP RBAC filter per route configuration work?


Tsimafei Bredau

May 7, 2020, 12:24:45 PM
to envoy-users
Hello everyone,

I was experimenting with Envoy and stumbled upon a strange behavior. I used envoy as a front-proxy example from here https://github.com/envoyproxy/envoy/tree/master/examples/front-proxy so anyone can easily reproduce this. I checked this on master, v1.13.1 and v1.14.1.

Here's what I did:

I added a per-route RBAC policy for the service1 route in front-envoy.yaml:
- match:
    prefix: "/service/1"
  route:
    cluster: service1
  typed_per_filter_config:
    "envoy.filters.http.rbac":
      "@type": type.googleapis.com/envoy.config.filter.http.rbac.v2.RBACPerRoute
      rbac:
        rules:
          action: DENY
          policies:
            "admin-policy":
              permissions:
              - any: true
              principals:
              - direct_remote_ip:
                  prefix_len: 0
                  address_prefix: "0.0.0.0"
Then I ran:
docker-compose up --build -d
curl -v "http://127.0.0.1:8000/service/1"
I was expecting my request to be denied, but I successfully got "Hello from behind Envoy (service 1)! hostname: 0d43232b7ba3 resolvedhostname: 172.25.0.3" in response. After that I checked the Envoy config dump to make sure that the filter's configuration is there. It was:
"routes": [
    {
     "match": {
      "prefix": "/service/1"
     },
     "route": {
      "cluster": "service1"
     },
     "typed_per_filter_config": {
      "envoy.filters.http.rbac": {
       "rbac": {
        "rules": {
         "action": "DENY",
         "policies": {
          "admin-policy": {
           "permissions": [
            {
             "any": true
            }
           ],
           "principals": [
            {
             "direct_remote_ip": {
              "address_prefix": "0.0.0.0",
              "prefix_len": 0
             }
            }
           ]
          }
         }
        }
       }
      }
     }
    }
I thought maybe direct_remote_ip can't be used as a principal for HTTP RBAC, so I tried to set "any": true for principals. But the request still completes successfully.
What am I missing? Isn't the filter supposed to deny the request?





Tsimafei Bredau

May 18, 2020, 11:45:39 AM
to envoy-users
The cause of this behavior was the absence of the RBAC filter in the HTTP filter chain. After I added the RBAC filter there, the per-route configuration started working.

On Thursday, May 7, 2020, 19:24:45 UTC+3, user Tsimafei Bredau wrote:

Z L

Oct 12, 2021, 4:21:34 PM
to envoy-users
Hi Bredau,

I am having the same issue. Can you share a sample of your RBAC filter in the HTTP filter chain?

Thanks,
Ziyou
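
The cause reported in the second post (a per-route RBAC override has no effect unless the RBAC filter itself is in the HTTP filter chain) can be checked mechanically. The following is an added example, not part of the original thread and not Envoy's own tooling: it flags per-route filter configs whose filter is missing from http_filters. The sample config is constructed, the function names are hypothetical, and it assumes each typed_per_filter_config key is matched against a filter name in http_filters.

```python
import json

# Constructed sample: an HTTP connection manager shaped like the post's setup,
# reduced to the fields the check reads. Only the router filter is installed.
BROKEN_HCM = json.loads("""
{
  "route_config": {"virtual_hosts": [{
    "name": "backend",
    "routes": [
      {"match": {"prefix": "/service/1"},
       "route": {"cluster": "service1"},
       "typed_per_filter_config": {"envoy.filters.http.rbac": {}}},
      {"match": {"prefix": "/service/2"},
       "route": {"cluster": "service2"}}
    ]
  }]},
  "http_filters": [{"name": "envoy.filters.http.router"}]
}
""")


def unbacked_per_route_filters(hcm):
    """Return (route prefix, filter name) pairs whose per-route config names
    a filter that is not installed in the HTTP filter chain."""
    installed = {f.get("name") for f in hcm.get("http_filters", [])}
    findings = []
    for vhost in hcm.get("route_config", {}).get("virtual_hosts", []):
        for route in vhost.get("routes", []):
            prefix = route.get("match", {}).get("prefix", "<no prefix>")
            for name in route.get("typed_per_filter_config", {}):
                if name not in installed:
                    findings.append((prefix, name))
    return findings


def with_rbac_filter(hcm):
    """Return a copy of hcm with an RBAC filter entry ahead of the router."""
    fixed = json.loads(json.dumps(hcm))  # deep copy, input stays untouched
    # The router is the terminal filter, so RBAC has to come before it.
    fixed["http_filters"].insert(0, {"name": "envoy.filters.http.rbac"})
    return fixed


if __name__ == "__main__":
    print(unbacked_per_route_filters(BROKEN_HCM))
    print(unbacked_per_route_filters(with_rbac_filter(BROKEN_HCM)))
```

In a real config the inserted http_filters entry also carries a typed_config for the RBAC filter; the check only reads the name.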
