Filter Type: External
The External filter calls out to an external service speaking the ext_authz protocol, providing a highly flexible interface to plug in your own authentication, authorization, and filtering logic.
---apiVersion: getambassador.io/v2kind: Filtermetadata:name: "example-external-filter"namespace: "example-namespace"spec:External:auth_service: "url-ish-string" # requiredtls: bool # optional; default is true if `auth_service` starts with "https://" (case-insensitive), false otherwiseproto: "enum-string" # optional; default is "http"timeout_ms: integer # optional; default is 5000allow_request_body: bool # deprecated; use include_body insteadinclude_body: # optional; default is nullmax_bytes: integer # requiredallow_partial: bool # requiredstatus_on_error: # optionalcode: integer # optional; default is 403failure_mode_allow: bool # optional; default is false# the following are used only if `proto: http`; they are ignored if `proto: grpc`path_prefix: "/path" # optional; default is ""allowed_request_headers: # optional; default is []- "x-allowed-input-header"allowed_authorization_headers: # optional; default is []- "x-input-headers"- "x-allowed-output-header"add_linkerd_headers: bool # optional; default is false
auth_service(required) is of the format[scheme://]host[:port], and identifies the external auth service to talk to. The scheme-part may behttp://orhttps://, which influences the default value oftls, and of the port-part. If no scheme-part is given, it behaves as ifhttp://was given.tls(optional) is whether to use TLS or cleartext when speaking to the external auth service. The default is based on the scheme-part of theauth_service.proto(optional) specifies which variant of theext_authzprotocol to use when communicating with the external auth service. Valid options arehttp(default) orgrpc.timeout_ms(optional) is the total maximum duration in milliseconds for the request to the external auth service, before triggeringstatus_on_errororfailure_mode_allow.allow_request_body(optional, deprecated) controls whether to buffer the request body in order to pass to the external auth service. Settingallow_request_body: trueis exactly equivalent toinclude_body: { max_bytes: 4096, allow_partial: true }, andallow_request_body: falseis exactly equivalent toinclude_body: null. It is invalid to set bothallow_request_bodyandinclude_body.include_body(optional) controls how much to buffer the request body to pass to the external auth service, for use cases such as computing an HMAC or request signature. Ifinclude_bodyisnullor unset, then the request body is not buffered at all, and an empty body is passed to the external auth service. Ifinclude_bodyis notnull, both of its sub-fields are required:max_bytes(required) controls the amount of body data that will be passed to the external auth serviceallow_partial(required) controls what happens to requests with bodies larger thanmax_bytes:- if
allow_partialistrue, the firstmax_bytesof the body are sent to the external auth service. - if
false, the message is rejected with HTTP 413 ("Payload Too Large").
- if
Unfortunately, in order for
include_bodyto function properly, theAuthServiceinaes.yamlmust be edited to haveinclude_bodyset withmax_bytesgreater than the largestmax_bytesused by anyExternalfilter (so if anExternalfilter hasmax_bytes: 4096, then theAuthServicewill needmax_bytes: 4097), andallow_partial: true.status_on_error(optional) controls the status code returned when unable to communicate with external auth service. This is ignored iffailure_mode_allow: true.code(optional) defaults to 403.
failure_mode_allow(optional) being set totruecauses the request to be allowed through to the upstream backend service if there is an error communicating with the external auth service, instead of returningstatus_on_error.codeto the client. Defaults to false.
The following fields are only used if proto: http; they are ignored if proto: grpc:
path_prefix(optional) prepends a string to the path of the original request when sending it to the external auth service. By default this is empty, and the path is not changed. For example, if the client makes a request to/path, and the external auth service is configured withpath_prefix: /auth, then the path in the request made to the external auth service will be/auth/path.allowed_request_headers(optional) lists the headers that will be sent copied from the incoming request to the request made to the external auth service (case-insensitive). In addition to the headers listed in this field, the following headers are always included:AuthorizationCookieFromProxy-AuthorizationUser-AgentX-Forwarded-ForX-Forwarded-HostX-Forwarded-Proto
allowed_authorization_headers(optional) lists the headers that will be copied from the response from the external auth service to the request sent to the upstream backend service (if the external auth service indicates that the request to the upstream backend service should be allowed). In addition to the headers listed in this field, the following headers are always included:AuthorizationLocationProxy-AuthenticateSet-cookieWWW-Authenticate
add_linkerd_headers(optional) when true, in the request to the external auth service, adds anl5d-dst-overrideHTTP header that is set to the hostname and port number of the external auth service. Defaults tofalse.
This .spec.External is mostly identical to an AuthService .spec, with the following exceptions:
- In an
AuthService, thetlsfield may either be a Boolean, or a string referring to aTLSContext. In anExternalfilter, it may only be a Boolean; referring to a TLS context is not supported. - In an
AuthService, theadd_linkerd_headersfield defaults based on theambassador Module. In anExternalfilter, it defaults tofalse. This may change in a future release.
Questions?
We’re here to help. If you have questions, join our Slack or contact us.