-
Notifications
You must be signed in to change notification settings - Fork 364
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support API Key Auth #2630
Comments
blocked on upstream implementation in envoy |
@arkodg do you know the upstream implementation envoy tracking? |
I think this can be easily implemented by header or query matching right? |
cc @zhaohuabing |
@arkodg @zufardhiyaulhaq It should be a simple Envoy Filter. I can pick it up when I get some bandwidth. |
/assign |
API Key Auth is also often related to a set of APIs that is accessible with that Key. Often stored elsewhere to determine if the resource (API) being accessed is allowed to be accessed with this Key. What is the main purpose of this feature? To capture API key values for rate limiting only? Or to do AuthZ enforcement? And how would we differentiate dynamically if an API key is subscribed to a higher rate limit than another API key? |
@missBerg it is very essential feature for us stopping the adoption of envoy gateway. The primary idea is to use it as AuthZ. Regarding rate limits - we can support different scenarios. Probably starting from separate rate limit for each API key.
It should not be an issue. When the basic rate limiting would be implemented, complex scenarios could be considered (like common rate limit for API keys from one user). |
<!-- !!!ATTENTION!!! If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing [email protected] where the issue will be triaged appropriately. Thank you in advance for helping to keep Envoy secure. !!!ATTENTION!!! For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) --> This PR adds the API for HTTP APIKey Auth Filter that is proposed at #34877 and envoyproxy/gateway#2630. Commit Message: api: HTTP APIKey Auth Filter Risk Level: Low (only API) Testing: WIP (will be done after we agree on the API) Docs Changes: WIP Release Notes: WIP Platform Specific Features: No Part of: #34877 --------- Signed-off-by: Kensei Nakada <[email protected]> Signed-off-by: wangbaiping(wbpcode) <[email protected]> Co-authored-by: wangbaiping(wbpcode) <[email protected]>
<!-- !!!ATTENTION!!! If you are fixing *any* crash or *any* potential security issue, *do not* open a pull request in this repo. Please report the issue via emailing [email protected] where the issue will be triaged appropriately. Thank you in advance for helping to keep Envoy secure. !!!ATTENTION!!! For an explanation of how to fill out the fields, please see the relevant section in [PULL_REQUESTS.md](https://github.com/envoyproxy/envoy/blob/main/PULL_REQUESTS.md) --> This PR adds the API for HTTP APIKey Auth Filter that is proposed at envoyproxy/envoy#34877 and envoyproxy/gateway#2630. Commit Message: api: HTTP APIKey Auth Filter Risk Level: Low (only API) Testing: WIP (will be done after we agree on the API) Docs Changes: WIP Release Notes: WIP Platform Specific Features: No Part of: #34877 --------- Signed-off-by: Kensei Nakada <[email protected]> Signed-off-by: wangbaiping(wbpcode) <[email protected]> Co-authored-by: wangbaiping(wbpcode) <[email protected]> Mirrored from https://github.com/envoyproxy/envoy @ 72b75074a0ee089ad81f68ae011e31f14c2936fe
This issue has been automatically marked as stale because it has not had activity in the last 30 days. |
looks like the upstream feature is in, is this something we can get in for v1.3 @sanposhiho ? |
Yeah, how do we deal with the compatibility between gateway and envoy? Can we just introduce features in gateway with any latest features on envoy side immediately or do we have to wait for envoy to cut a new release? |
Okay, I found: So, we can just start this implementation now, do I understand right? |
yeah @sanposhiho, gateway |
you'll also need to |
+1 to this feature/issue. This is an important feature for me. My use case: I have OpenTelemetry data that I am ingesting from several sources (https://github.com/Sage-Bionetworks-Workflows/eks-stack/blob/ca523c66abc8d9b91e796c838f5d3c24784048cc/modules/signoz/main.tf#L252-L278 & https://github.com/Sage-Bionetworks-Workflows/eks-stack/blob/ca523c66abc8d9b91e796c838f5d3c24784048cc/modules/signoz/resources-otel-ingress/security-policy.yaml#L1-L13). I am currently enforcing that all incoming requests provide a JWT bearer token, however, I am limited with a monthly quota for the number of tokens that can be created per month via Auth0. If I can swap to using an API key instead then I will be able to on-board more projects without the concern of filling up my monthly quota. This is also combined by the fact that the AWS supported OTEL collectors (For ECS and Lambda functions) have not implemented https://github.com/open-telemetry/opentelemetry-collector-contrib/tree/main/extension/oauth2clientauthextension |
The problem is, unlike HTTP Basic Auth, API key auth is much more flexible, the key can be in the header, path, or even body. I think we will need a dedicated envoy filter in Envoy if we want to support API key auth, we can follow the open API specs: https://swagger.io/docs/specification/authentication/api-keys/#:~:text=API%20keys%20are%20supposed%20to,mechanisms%20such%20as%20HTTPS%2FSSL.
Originally posted by @zhaohuabing in #1660 (comment)
The text was updated successfully, but these errors were encountered: