api: HTTP APIKey Auth Filter#36709
Conversation
|
Hi @sanposhiho, welcome and thank you for your contribution. We will try to review your Pull Request as quickly as possible. In the meantime, please take a look at the contribution guidelines if you have not done so already. |
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
Signed-off-by: Kensei Nakada <handbomusic@gmail.com>
sanposhiho
force-pushed
the
api-key-auth
branch
from
ca1f281 to
b7fe36b
Compare
|
/assign |
|
Can we potentially just include this functionality in the basic auth filter? We could have config in that filter to use different header names, etc. It seems not needed to have a new filter for this? /wait |
Basically, they have different logic and configuration format. Or we need to extend the meaning of |
The logic is basically identical just swapping out different header names. Doesn't seem worth it to have a new filter just to have different header names. Is there anything else different? |
Both the configration parsing and verification is a little different, although we can abstract them by a virtual interface. 🤔 |
|
I agree there's some similarity though, wouldn't it be weird to implement the features proposed here into BasicAuth filter since the responsibility of the filter would no longer be "Basic Auth"? |
Yeah, If we insist on to merge them to one, then I think we need to document this very clear in the document of basic auth filter that the filter is not only be used for cc @mattklein123 WDYT |
Signed-off-by: Kensei Nakada <handbomusic@gmail.com>
sanposhiho
force-pushed
the
api-key-auth
branch
from
735a9e3 to
38d893b
Compare
|
While basic authentication and API key authentication share some similarities, their authentication logic is fundamentally different:
From a UI perspective, it would also be clearer to separate these two methods into different APIs, as they serve distinct purposes and follow different workflows. Some existing arts in this area:
|
| // The header name to forward an authenticated user. | ||
| // | ||
| // If it is not specified, the username will not be forwarded. | ||
| string forward_username_header = 2 |
There was a problem hiding this comment.
I suggest removing this at the first run. We can use a metadata to pass it(username or clientid) to later filters if it's required in the future.
|
OK fair enough we can do different filters. |
Signed-off-by: Kensei Nakada <handbomusic@gmail.com>
|
Will make it ready for review again when the implementation is ready. |
Signed-off-by: Kensei Nakada <handbomusic@gmail.com>
sanposhiho
force-pushed
the
api-key-auth
branch
from
243bebd to
1f5cfad
Compare
sanposhiho
changed the title
|
Updated the PR description + the title |
Signed-off-by: Kensei Nakada <handbomusic@gmail.com>
sanposhiho
force-pushed
the
api-key-auth
branch
from
f0d2169 to
cf09592
Compare
Signed-off-by: Kensei Nakada <handbomusic@gmail.com>
sanposhiho
force-pushed
the
api-key-auth
branch
from
1a10ca2 to
39d32d5
Compare
Signed-off-by: Kensei Nakada <handbomusic@gmail.com>
Signed-off-by: Kensei Nakada <handbomusic@gmail.com>
Signed-off-by: Kensei Nakada <handbomusic@gmail.com>
Signed-off-by: wangbaiping(wbpcode) <wangbaiping@bytedance.com>
Signed-off-by: wangbaiping(wbpcode) <wangbaiping@bytedance.com>
Signed-off-by: wangbaiping(wbpcode) <wangbaiping@bytedance.com>
repokitteh-read-only
Bot
added
the
deps
|
CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to |
Signed-off-by: wangbaiping(wbpcode) <wangbaiping@bytedance.com>
wbpcode
removed
the
deps
5 participants
This PR adds the API for HTTP APIKey Auth Filter that is proposed at #34877 and envoyproxy/gateway#2630.
Commit Message: api: HTTP APIKey Auth Filter
Risk Level: Low (only API)
Testing: WIP (will be done after we agree on the API)
Docs Changes: WIP
Release Notes: WIP
Platform Specific Features: No
Part of: #34877