Ext Authz Service
The Ext Authz Service is a sample implementation of an external authorization server designed to integrate with the Envoy ext_authz filter.^[README.md] It serves as an example of how to hook a custom authorization system into an Istio service mesh.^[README.md]
Communication Protocols
The service accepts authorization check requests over two distinct protocols:
* HTTP: Operates on port 8000.^[README.md]
* gRPC: Supports the v2 and v3 APIs on port 9000.^[README.md]
Authorization Logic
By default, the service permits a request if either of two conditions holds^[README.md]:
1. Header Check: The request includes the header x-ext-authz: allow.
2. Service Account: The source workload uses the service account a.
For testing purposes, the allowed service account defaults to a, but this can be reconfigured using the -allow_service_account flag when launching the server.^[README.md]
Testing and Verification
The service includes features specifically designed to aid in testing and debugging the integration with the Envoy filter^[README.md].
Request Inspection
To verify that the ext-authz filter is forwarding the expected data, the server adds the header x-ext-authz-check-received to the user request^[README.md]. This header contains a dump of the check request received by the server^[README.md].
Header Override Behavior
To test how the filter handles response headers, the server adds or overrides the header x-ext-authz-additional-header-override in the user request^[README.md]. The value set depends on the server type:
* HTTP Server: Mirrors the value of the x-ext-authz-additional-header-override header received in the check request^[README.md].
* gRPC Server: Sets the value to a constant string: grpc-additional-header-override-value^[README.md].
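The HTTP-side behaviour described under Authorization Logic, Request Inspection and Header Override Behavior can be reproduced in memory with a small Go handler. The following is an added example written for this page, not the sample's own code: the header names come from the README, while the status codes (200 for allow, 403 for deny), the `x-source-service-account` header used to carry the caller's service account, and the single-line dump format are assumptions of this example. The real sample obtains the source service account by a different mechanism that this page does not describe.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// Header names from the README. sourceSAHeader is constructed for this example;
// the real sample derives the source service account differently.
const (
	checkHeader    = "x-ext-authz"
	receivedHeader = "x-ext-authz-check-received"
	overrideHeader = "x-ext-authz-additional-header-override"
	sourceSAHeader = "x-source-service-account" // assumption, not from the sample
)

// Authorizer mirrors the README's description of the HTTP server.
// AllowServiceAccount plays the role of the -allow_service_account flag.
type Authorizer struct {
	AllowServiceAccount string
}

// Decision is the outcome of one in-memory check: the HTTP status Envoy would
// see (200 = allow, anything else = deny) and the response headers.
type Decision struct {
	Status  int
	Headers http.Header
}

// dumpRequest renders the check request on one line so it fits in a header
// value; CR/LF are stripped because header values must not contain them.
func dumpRequest(r *http.Request) string {
	keys := make([]string, 0, len(r.Header))
	for k := range r.Header {
		keys = append(keys, k)
	}
	sort.Strings(keys) // deterministic order so the dump is comparable
	var b strings.Builder
	fmt.Fprintf(&b, "%s %s", r.Method, r.URL.RequestURI())
	for _, k := range keys {
		fmt.Fprintf(&b, "; %s=%s", k, strings.Join(r.Header.Values(k), ","))
	}
	return strings.NewReplacer("\r", "", "\n", "").Replace(b.String())
}

// allowed applies the two README conditions: the header x-ext-authz: allow,
// or a source service account equal to the configured one.
func (a *Authorizer) allowed(r *http.Request) (bool, string) {
	if r.Header.Get(checkHeader) == "allow" {
		return true, "header " + checkHeader + ": allow present"
	}
	if a.AllowServiceAccount != "" && r.Header.Get(sourceSAHeader) == a.AllowServiceAccount {
		return true, "source service account " + a.AllowServiceAccount
	}
	return false, "neither allow header nor allowed service account"
}

// ServeHTTP is the check endpoint. Headers are set before the status is written.
func (a *Authorizer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	w.Header().Set(receivedHeader, dumpRequest(r))
	// HTTP server behaviour: mirror the override header from the check request.
	w.Header().Set(overrideHeader, r.Header.Get(overrideHeader))
	ok, reason := a.allowed(r)
	if !ok {
		// Any non-200 status is a deny for the HTTP ext_authz filter; 403 is
		// this example's choice.
		http.Error(w, "denied by ext_authz: "+reason, http.StatusForbidden)
		return
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprintln(w, "allowed by ext_authz: "+reason)
}

// Check runs one check request, built from the given headers, through the
// authorizer without opening a socket.
func Check(a *Authorizer, headers map[string]string) Decision {
	req := httptest.NewRequest(http.MethodGet, "/check", nil)
	for k, v := range headers {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	a.ServeHTTP(rec, req)
	return Decision{Status: rec.Code, Headers: rec.Header()}
}

func main() {
	a := &Authorizer{AllowServiceAccount: "a"}
	for _, h := range []map[string]string{
		{checkHeader: "allow", overrideHeader: "from-check-request"},
		{sourceSAHeader: "a"},
		{sourceSAHeader: "b"},
	} {
		d := Check(a, h)
		fmt.Printf("%v -> %d, override=%q\n", h, d.Status, d.Headers.Get(overrideHeader))
	}
}
```

Two points worth checking when wiring a server like this into a mesh: the HTTP ext_authz filter treats any status other than 200 as a deny, so the deny status chosen above is cosmetic from Envoy's point of view; and headers the authorizer sets on its response only reach the upstream request if the filter is configured to forward them (in Istio's `envoyExtAuthzHttp` provider that is the `headersToUpstreamOnAllow` list), so a missing `x-ext-authz-check-received` at the application usually means a provider configuration gap rather than a server bug.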
Related Concepts
- Istio
- [[Envoy Proxy]]
Sources
^[README.md]