envoy: Envoy returns 403 for failed gRPC ext_authz requests
Description: The gRPC implementation for ext_authz returns 403 (Forbidden) when the request to the gRPC server fails on a connection error. It can be a temporary error. However, 403 doesn't recommend an automatic retry.
In order to have the client retry, can we change it to 503?
Config:
http_filters:
- name: envoy.ext_authz
  config:
    failure_mode_allow: false
    grpc_service:
      envoy_grpc:
        cluster_name: token-grpc
      timeout: 10.0s
Call Stack: The FORBIDDEN is hard coded at: https://github.com/envoyproxy/envoy/blob/master/source/extensions/filters/common/ext_authz/ext_authz_grpc_impl.cc#L77
About this issue
- State: closed
- Created 5 years ago
- Comments: 20 (9 by maintainers)
Commits related to this issue
- Description: Return 503 from ext_authz on network failures Risk Level: Low Testing: CI Docs Changes: n/a Release Notes: n/a https://github.com/envoyproxy/envoy/issues/6119 Signed-off-by: Hanyu Liu <... — committed to hanyu-liu/envoy by hanyu-liu 5 years ago
I have this done, just need to write a test for it.
This is the default response code and it will get returned to the client unless a different code is configured at the filter level.
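An added example, not code from Envoy or from this thread: a simplified Python model of the behaviour discussed above, showing how the status returned for a failed authorization check decides whether a retrying client recovers from a temporary outage. `status_on_error` is named after the ext_authz filter option for overriding the error status; `client_call`, `RETRYABLE`, the sample outcomes and the upstream's 200 answer are assumptions made for illustration.

```python
from enum import Enum

class Authz(Enum):
    OK = "ok"          # authorization server allowed the request
    DENIED = "denied"  # authorization server rejected the request
    ERROR = "error"    # check itself failed: connection error or timeout

RETRYABLE = {502, 503, 504}  # statuses this constructed client retries

def filter_status(result, failure_mode_allow=False, status_on_error=403):
    """Simplified model of the filter: status sent to the client, or None
    when the request is forwarded to the upstream."""
    if result is Authz.OK:
        return None
    if result is Authz.DENIED:
        return 403
    # ERROR: fail open only if failure_mode_allow is set, otherwise fail closed
    return None if failure_mode_allow else status_on_error

def client_call(outcomes, max_attempts=3, **filter_opts):
    """Send one request with retries; outcomes[i] is the authz result seen
    on attempt i+1. Returns (final_status, attempts_used)."""
    status, attempt = None, 0
    for attempt, result in enumerate(outcomes[:max_attempts], start=1):
        status = filter_status(result, **filter_opts)
        if status is None:
            return 200, attempt      # upstream reached (assumed to answer 200)
        if status not in RETRYABLE:
            return status, attempt   # 403 reads as a final decision: no retry
    return status, attempt

# Constructed scenario: authz cluster unreachable twice, then healthy again.
FLAKY = [Authz.ERROR, Authz.ERROR, Authz.OK]

if __name__ == "__main__":
    print(client_call(FLAKY, status_on_error=403))           # gives up at once
    print(client_call(FLAKY, status_on_error=503))           # retries, recovers
    print(client_call([Authz.DENIED], status_on_error=503))  # real denial stays 403
    print(client_call(FLAKY, failure_mode_allow=True))       # fails open instead
```

The last call shows the alternative to changing the status: with `failure_mode_allow: true` the request reaches the upstream without a successful authorization check, which is why the issue keeps it `false` and asks for a retryable status instead.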