Filter and FilterPolicy not able to match requests


Describe the bug: Filter and FilterPolicy objects created to pass requests through an External authentication service in my cluster are unable to match requests regardless of host or path rules specified. The request simply goes through to the service without any authentication being performed.

To Reproduce: A simple http echo app was deployed to a test namespace named ingestion-test, and instances of the authentication service were deployed to a separate authentication namespace. Ambassador Edge Stack was deployed to a separate ambassador namespace, with the mappings being created there as well. The authentication service has been proven to work through a dedicated mapping to it. The Filter, FilterPolicy, and Mapping objects are as follows:

apiVersion: getambassador.io/v2
kind: Filter
metadata:
  name: auth-service-filter
  namespace: ambassador
spec:
  External:
    allowed_request_headers:
    - customerId
    auth_service: http://authentication.authentication:8080
    failure_mode_allow: false
    path_prefix: /gateway
    status_on_error:
      code: 401
    timeout_ms: 2000
---
apiVersion: getambassador.io/v2
kind: FilterPolicy
metadata:
  name: ingestion-api-filter-policy
  namespace: ambassador
spec:
  rules:
  - filters:
    - name: auth-service-filter
      namespace: ambassador
    host: '*'
    path: /ingestion/v1/*
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: ingestion-echo
  namespace: ambassador
spec:
  host: ^.*(.qa|.dev|.prod)?.domain.com
  host_regex: true
  prefix: /ingestion/v1
  rewrite: /ingestion/v1/api
  service: http://echo.ingestion-test:80
  timeout_ms: 300000

Expected behavior: The request to the app should return an Authorization header with a JWT bearer token as the value.

Versions:

  • Ambassador Edge Stack v1.5.3
  • GKE 1.16.9-gke.2

Additional context: I’ve tried to create other Filter and FilterPolicy objects in my cluster, including one that utilizes OAuth2 via Google, and I see the same behaviour with the request going through without authentication. Additionally, I was able to get the expected behaviour but only when using the AuthService object, which was recommended not to be used with AES.

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 3
  • Comments: 9 (4 by maintainers)

Top GitHub Comments

4 reactions
CodechCFA commented, Sep 18, 2020

The issue was that I had set the AES helm chart to not deploy the AuthService because the docs say not to use an AuthService in AES and to instead use filter/filterpolicy. I was unaware that AES installs its own AuthService, which filter/filterpolicy relies on. After turning that on everything is working.

2 reactions
CodechCFA commented, Aug 27, 2020

Having the same issue. Tried a lot of different permutations of configuration here. Ambassador is completely ignoring my filter/filterpolicy.
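
The resolution in the Sep 18 comment (Filter/FilterPolicy rely on the AuthService that AES installs) describes a fail-open condition that can be linted before deployment. The following is an added example, not code from the issue or from the Ambassador project; the function names, the sample objects, and the placeholder AuthService name are assumptions made for illustration.

```python
# Added example: lint Ambassador Edge Stack objects for Filters that would be
# silently skipped. Input is a list of Kubernetes objects as plain dicts.

def lint_filter_enforcement(objects):
    """Return findings for FilterPolicy rules that cannot be enforced."""
    by_kind = {}
    for item in objects:
        by_kind.setdefault(item.get("kind"), []).append(item)

    def key(namespace, name):
        return (namespace or "default", name)

    filters = {key(f["metadata"].get("namespace"), f["metadata"]["name"])
               for f in by_kind.get("Filter", [])}
    policies = by_kind.get("FilterPolicy", [])
    findings = []
    # Root cause from the thread: Filter/FilterPolicy rely on the AuthService
    # AES installs; without it requests pass through unauthenticated.
    if policies and not by_kind.get("AuthService"):
        findings.append("no AuthService found: FilterPolicy rules are not enforced")
    for pol in policies:
        pol_ns = pol["metadata"].get("namespace")
        for rule in pol.get("spec", {}).get("rules", []):
            for ref in rule.get("filters") or []:
                # Assumption: a filter reference without a namespace resolves
                # to the FilterPolicy's own namespace.
                target = key(ref.get("namespace", pol_ns), ref["name"])
                if target not in filters:
                    findings.append(f"{pol['metadata']['name']}: rule {rule.get('path')} "
                                    f"references missing Filter {target[0]}/{target[1]}")
    return findings

def k8s_obj(kind, name, spec=None, namespace="ambassador"):
    return {"kind": kind, "metadata": {"name": name, "namespace": namespace},
            "spec": spec or {}}

# Constructed sample mirroring the Filter and FilterPolicy posted in the issue.
ISSUE_OBJECTS = [
    k8s_obj("Filter", "auth-service-filter"),
    k8s_obj("FilterPolicy", "ingestion-api-filter-policy", {"rules": [
        {"host": "*", "path": "/ingestion/v1/*",
         "filters": [{"name": "auth-service-filter", "namespace": "ambassador"}]}]}),
]
# Constructed placeholder for the AuthService AES installs (name is hypothetical).
WITH_AUTHSERVICE = ISSUE_OBJECTS + [k8s_obj("AuthService", "example-aes-auth")]

if __name__ == "__main__":
    for label, objs in (("issue config", ISSUE_OBJECTS),
                        ("with AuthService", WITH_AUTHSERVICE)):
        print(label, "->", lint_filter_enforcement(objs) or "ok")
```

To run it against a live cluster, pass the `items` list from `kubectl get filters,filterpolicies,authservices -A -o json` to `lint_filter_enforcement`.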
