Rbac: Disambiguate between rbac 403 and application 403 #12873
Comments
|
+1 for adding response flags and reasons if they are not already set. cc @alyssawilk |
|
FWIW it is accessible via response code details (https://www.envoyproxy.io/docs/envoy/latest/faq/debugging/why_is_envoy_sending_internal_responses) but adding a flag is fine as well. |
This should be straightforward to add, I can add the flag. Not very clear what do you mean for reasons here, like @alyssawilk mentioned, currently it is in the response_code_details, and the HTTP response body will also have
For HTTP, the response body is
A recent PR merged to print the effective policy name in debug logging. Not sure where else you want to see it? One idea I thought before is to add it to the HTTP response body but that may need some thinking (or flag/API to control it) as user may don't always want to expose it. |
|
@yangminzhu response body is not logged and it is not part of any telemetry, So response_flag should indicate denial For response reason, I think we can use what @alyssawilk suggested. Do you think it is the appropriate place to put rule_id (if using deny rule) that caused the denial? |
oh, ok, I thought you're referring to the end user experience.
I think it makes sense to set the response code detail to the policy_id. See #12912 |
…#12912) Commit Message: This patch adds the matched policy name in the response code detail for request denied by the RBAC filter. Risk Level: Low Testing: Added e2e tests and also tested manually Docs Changes: Updated Release Notes: Updated Fixes #12873. Signed-off-by: Yangmin Zhu ymzhu@google.com
When Rbac filter denies a request, it does not set a reponse flag.
From access logs, it is not possible to disambiguate a 403 emitted by the filter vs 403 emitted by the application.
a. denied by policy
b. Potentially indicate that the response was generated within the proxy. This can be more generic than just rbac.
@yangminzhu @kyessenov
The text was updated successfully, but these errors were encountered: