Routing based on ext_authz

[Benjamin Westphal]

Hello,

 

I have an ext_authz service in the filter chain. If it returns 200, everything’s ok. The user accesses the service safe-guarded by that ext_authz service.

 

My question is: How do I route the user to another service if ext_authz  returns 403?

 

Kind regards,

 

Benjamin

[Yan Avlasov]

If you control authorization service you can make it return 302 and Location header in the DeniedHttpResponse.

--
You received this message because you are subscribed to the Google Groups "envoy-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to envoy-users...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/envoy-users/10c44b80d840414a8fe6b9ab85fa788a%40SRV59WIN.macmon.local.

[Benjamin Westphal]

Unfortunately, I cannot do that… I need to forward the request to another cluster depending on the ext_authz result without changing the client’s location.

 

Is it possible to route traffic to a different cluster depending on a header or dynamic metadata value set by another filter?

 

It appears to me, you cannot match on headers or dynamic metadata values in the virtual host’s routes config.

[Yan Avlasov]

I understand. The issue here is that ext_authz will terminate further processing of the request if authorization service had denied it, making it impossible to re-route the request. You can try to remap local reply that ext_authz filter is using and turn it into redirect using https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/local_reply

If this is not going to work for you either, you can file an issue on GitHub with an improvement request to re-evaluate request route for denied requests as well.