Posted to notifications@apisix.apache.org by mo...@apache.org on 2023/04/27 06:34:22 UTC
[apisix] branch master updated: feat: allow degradation (#9345)
This is an automated email from the ASF dual-hosted git repository.
monkeydluffy pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/apisix.git
The following commit(s) were added to refs/heads/master by this push:
new 9135556e0 feat: allow degradation (#9345)
9135556e0 is described below
commit 9135556e0fe1d6cbe80d5db156dee9bddf019f89
Author: Abhishek Choudhary <sh...@gmail.com>
AuthorDate: Thu Apr 27 12:04:10 2023 +0530
feat: allow degradation (#9345)
---
apisix/plugins/forward-auth.lua | 7 ++--
docs/en/latest/plugins/forward-auth.md | 4 +-
docs/zh/latest/plugins/forward-auth.md | 1 +
t/plugin/forward-auth.t | 71 +++++++++++++++++++++++++++++++++-
4 files changed, 78 insertions(+), 5 deletions(-)
diff --git a/apisix/plugins/forward-auth.lua b/apisix/plugins/forward-auth.lua
index 3bc8a0e50..39e690038 100644
--- a/apisix/plugins/forward-auth.lua
+++ b/apisix/plugins/forward-auth.lua
@@ -23,6 +23,7 @@ local schema = {
type = "object",
properties = {
uri = {type = "string"},
+ allow_degradation = {type = "boolean", default = false},
ssl_verify = {
type = "boolean",
default = true,
@@ -118,9 +119,9 @@ function _M.access(conf, ctx)
httpc:set_timeout(conf.timeout)
local res, err = httpc:request_uri(conf.uri, params)
-
- -- block by default when authorization service is unavailable
- if not res then
+ if not res and conf.allow_degradation then
+ return
+ elseif not res then
core.log.error("failed to process forward auth, err: ", err)
return 403
end
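Review bot: The new fail-open branch `if not res and conf.allow_degradation then return` admits the request without writing anything to the log, so an outage or timeout of the authorization service, and the unauthenticated traffic passed during it, cannot be detected or alerted on. Log before returning, for example `core.log.warn("forward auth unavailable, skipping auth because allow_degradation is set, err: ", err)`. The early return also skips whatever the rest of `_M.access` does with `conf.upstream_headers`, so a client-supplied header of the same name (the tests use `X-User-ID`) presumably reaches the upstream as sent; clearing those headers on this path would keep the upstream from trusting them. The body of `_M.access` starts and continues outside the hunk.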
diff --git a/docs/en/latest/plugins/forward-auth.md b/docs/en/latest/plugins/forward-auth.md
index 0e88ab8bf..e70989a4e 100644
--- a/docs/en/latest/plugins/forward-auth.md
+++ b/docs/en/latest/plugins/forward-auth.md
@@ -47,7 +47,9 @@ This Plugin moves the authentication and authorization logic to a dedicated exte
| timeout | integer | False | 3000ms | [1, 60000]ms | Timeout for the authorization service HTTP call. |
| keepalive | boolean | False | true | | When set to `true`, keeps the connection alive for multiple requests. |
| keepalive_timeout | integer | False | 60000ms | [1000, ...]ms | Idle time after which the connection is closed. |
-| keepalive_pool | integer | False | 5 | [1, ...]ms | Connection pool limit. |
+| keepalive_pool | integer | False | 5 | [1, ...]ms | Connection pool limit. |
+| allow_degradation | boolean | False | false | | When set to `true`, allows authentication to be skipped when authentication server is unavailable. |
+
## Data definition
diff --git a/docs/zh/latest/plugins/forward-auth.md b/docs/zh/latest/plugins/forward-auth.md
index 092215b93..80fc7e3c4 100644
--- a/docs/zh/latest/plugins/forward-auth.md
+++ b/docs/zh/latest/plugins/forward-auth.md
@@ -47,6 +47,7 @@ description: 本文介绍了关于 Apache APISIX `forward-auth` 插件的基本
| keepalive | boolean | 否 | true | [true, false] | HTTP 长连接。 |
| keepalive_timeout | integer | 否 | 60000ms | [1000, ...]ms | 长连接超时时间。 |
| keepalive_pool | integer | 否 | 5 | [1, ...]ms | 长连接池大小。 |
+| allow_degradation | boolean | 否 | false | | 当设置为 `true` 时,允许在身份验证服务器不可用时跳过身份验证。 |
## 数据定义
diff --git a/t/plugin/forward-auth.t b/t/plugin/forward-auth.t
index 8f0445b50..88635177d 100644
--- a/t/plugin/forward-auth.t
+++ b/t/plugin/forward-auth.t
@@ -206,6 +206,55 @@ property "request_method" validation failed: matches none of the enum values
"uri": "/ping"
}]],
},
+ {
+ url = "/apisix/admin/routes/4",
+ data = [[{
+ "plugins": {
+ "serverless-pre-function": {
+ "phase": "rewrite",
+ "functions" : ["return function() require(\"apisix.core\").response.exit(444); end"]
+ }
+ },
+ "upstream_id": "u1",
+ "uri": "/crashed-auth"
+ }]],
+ },
+ {
+ url = "/apisix/admin/routes/5",
+ data = [[{
+ "plugins": {
+ "forward-auth": {
+ "uri": "http://127.0.0.1:1984/crashed-auth",
+ "request_headers": ["Authorization"],
+ "upstream_headers": ["X-User-ID"],
+ "client_headers": ["Location"]
+ }
+ },
+ "upstream_id": "u1",
+ "uri": "/nodegr"
+ }]],
+ },
+ {
+ url = "/apisix/admin/routes/6",
+ data = [[{
+ "uri": "/get",
+ "plugins": {
+ "forward-auth": {
+ "uri": "http://127.0.0.1:1984/crashed-auth",
+ "request_headers": ["Authorization"],
+ "upstream_headers": ["X-User-ID"],
+ "client_headers": ["Location"],
+ "allow_degradation": true
+ }
+ },
+ "upstream": {
+ "nodes": {
+ "httpbin.org:80": 1
+ },
+ "type": "roundrobin"
+ }
+ }]],
+ }
}
local t = require("lib.test_admin").test
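Review bot: Route 6 points its upstream at `httpbin.org:80`, so TEST 12 passes only when the test runner has outbound network access and that third-party host answers 200. A CI environment without egress would fail the degradation test for reasons unrelated to the plugin. Routes 4 and 5 in the same hunk use `"upstream_id": "u1"`; route 6 could do the same with a `uri` that the local upstream serves (which paths `u1` serves is not visible in this hunk). The enclosing route table starts before the hunk.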
@@ -217,7 +266,7 @@ property "request_method" validation failed: matches none of the enum values
}
}
--- response_body eval
-"201passed\n" x 6
+"201passed\n" x 9
@@ -305,3 +354,23 @@ POST /ping
--- error_code: 403
--- response_headers
Location: http://example.com/auth
+
+
+
+=== TEST 11: hit route (unavailable auth server, expect failure)
+--- request
+GET /nodegr
+--- more_headers
+Authorization: 111
+--- error_code: 403
+--- error_log
+failed to process forward auth, err: closed
+
+
+
+=== TEST 12: hit route (unavailable auth server, allow degradation)
+--- request
+GET /get
+--- more_headers
+Authorization: 111
+--- error_code: 200
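Review bot: TEST 12 asserts only `--- error_code: 200`, which does not pin what the upstream receives when authentication is skipped. Since route 6 lists `X-User-ID` under `upstream_headers`, add a case that sends `X-User-ID` in `--- more_headers` and checks how it is handled on the degraded path, so the behaviour for identity headers is a tested decision rather than an accident. A case where the auth service times out instead of closing the connection would also document that `allow_degradation` covers every `not res` outcome.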