Routing based on ext_authz

Benjamin Westphal

Feb 18, 2022, 12:51:03 PM
to envoy...@googlegroups.com

Hello,

I have an ext_authz service in the filter chain. If it returns 200, everything’s ok. The user accesses the service safe-guarded by that ext_authz service.

My question is: How do I route the user to another service if ext_authz returns 403?

Kind regards,

Benjamin

Yan Avlasov

Feb 18, 2022, 2:26:34 PM
to Benjamin Westphal, envoy...@googlegroups.com
If you control the authorization service, you can make it return a 302 and a Location header in the DeniedHttpResponse.


Benjamin Westphal

Feb 19, 2022, 5:13:12 PM
to Yan Avlasov, envoy...@googlegroups.com

Unfortunately, I cannot do that… I need to forward the request to another cluster depending on the ext_authz result without changing the client’s location.

Is it possible to route traffic to a different cluster depending on a header or dynamic metadata value set by another filter?

It appears to me that you cannot match on headers or dynamic metadata values in the virtual host’s routes config.

Yan Avlasov

Feb 19, 2022, 9:19:54 PM
to Benjamin Westphal, envoy...@googlegroups.com
I understand. The issue here is that ext_authz will terminate further processing of the request if the authorization service has denied it, making it impossible to re-route the request. You can try to remap the local reply that the ext_authz filter is using and turn it into a redirect using https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/local_reply

If this is not going to work for you either, you can file an issue on GitHub with an improvement request to re-evaluate the request route for denied requests as well.
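
Added example, not part of the thread and not configuration posted by either participant: a sketch of the local reply remapping suggested in the last message, using the HTTP connection manager's `local_reply_config` to turn a locally generated 403 into a 302. The `stat_prefix`, runtime key and redirect URL are placeholders; as noted in the thread, this still changes the client's location.

```yaml
# Fragment of a listener's filter chain (added example; placeholder values marked).
- name: envoy.filters.network.http_connection_manager
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
    stat_prefix: ingress_http            # placeholder
    # route_config and http_filters (ext_authz followed by the router) stay as they are.
    local_reply_config:
      mappers:
      # Caveat: this filter matches every 403 that Envoy generates locally on
      # this listener, so a 403 produced by another filter (for example RBAC)
      # is rewritten as well. Responses from upstream clusters are not local
      # replies and pass through untouched.
      - filter:
          status_code_filter:
            comparison:
              op: EQ
              value:
                default_value: 403
                runtime_key: local_reply.denied_status   # placeholder key
        # Rewrite the status and attach the redirect target.
        status_code: 302
        headers_to_add:
        - header:
            key: location
            # Static value, so no client-controlled input reaches the
            # Location header. Placeholder URL.
            value: "https://fallback.example.com/denied"
```

Because the mapper changes the status the client sees, access logs and alerts that count 403 responses to track authorization denials need to account for the 302.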