gRPC and HTTP dual-protocol authorization
gRPC and HTTP dual-protocol authorization is the ability of an external authorization service (Ext Authz) to answer authorization checks over both HTTP and gRPC at the same time^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md#L5-L6].
Protocol Support
The Ext Authz server accepts authorization check requests over either the HTTP API (typically on port 8000) or the gRPC v2/v3 API (typically on port 9000)^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md#L5-L6]. The same server can therefore sit behind the Envoy ext_authz filter whether the filter is set up to send its checks over HTTP or over gRPC.
Authorization Logic
The service determines whether to allow a request based on specific conditions^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md#L6-L8]:
* Header-based: Requests are permitted if they include the header x-ext-authz: allow.
* Service Account-based: Requests are permitted if the service account of the source workload matches a specific value (e.g., a).
In testing environments, the allowed service account value can be configured dynamically using the -allow_service_account flag when launching the server^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md#L8-L9].
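The two conditions above can be kept in one protocol-neutral function that both the HTTP and the gRPC entry points call, so the two listeners cannot drift apart. The following Go sketch is an added example, not the sample server's own code: the names `decide`, `serviceAccountOf` and `httpCheck`, the SPIFFE-style principal format, and the 200/403 status mapping are assumptions. It denies by default and compares the service account segment exactly, so an empty allowed value or a look-alike name never matches.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Header name and value are the ones the page gives.
const checkHeader, allowedValue = "x-ext-authz", "allow"

// serviceAccountOf returns <sa> from spiffe://<trust-domain>/ns/<ns>/sa/<sa>
// (assumed principal format) and "" for any other shape.
func serviceAccountOf(principal string) string {
	p := strings.Split(strings.TrimPrefix(principal, "spiffe://"), "/")
	if !strings.HasPrefix(principal, "spiffe://") || len(p) != 5 ||
		p[0] == "" || p[1] != "ns" || p[2] == "" || p[3] != "sa" {
		return ""
	}
	return p[4]
}

// decide is shared by both protocols: allow on the header value or on an
// exact service account match; an empty allowedSA never matches anything.
func decide(headerValue, principal, allowedSA string) bool {
	if headerValue == allowedValue {
		return true
	}
	return allowedSA != "" && serviceAccountOf(principal) == allowedSA
}

// httpCheck is the HTTP entry point. In this sketch the HTTP check has only
// the header to go on; a gRPC handler would also pass the source principal.
func httpCheck(w http.ResponseWriter, r *http.Request) {
	if decide(r.Header.Get(checkHeader), "", "") {
		w.WriteHeader(http.StatusOK)
		return
	}
	w.WriteHeader(http.StatusForbidden)
}

func main() {
	rec, req := httptest.NewRecorder(), httptest.NewRequest("GET", "/", nil)
	req.Header.Set(checkHeader, allowedValue) // constructed sample request
	httpCheck(rec, req)
	fmt.Println("http, header allow:", rec.Code)
	fmt.Println("sa a:", decide("", "spiffe://cluster.local/ns/foo/sa/a", "a"))
	fmt.Println("sa aa:", decide("", "spiffe://cluster.local/ns/foo/sa/aa", "a"))
}
```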
Related Concepts
- [[Envoy]]
- [[gRPC]]
- [[HTTP]]
- [[Authentication vs Authorization]]
Sources
^[400-devops__07-Monitoring-and-Observability__k8s-istio__samples__extauthz__README.md]