[istio-policy] listchecker adapter custom response

Hello,

Does anyone know if it is possible to return custom responses when a request is denied by the listchecker adapter?

I am trying to achieve a whitelisting functionality based on a header value. I’ve created a listentry, listchecker and a rule connecting those two, but on rejection I get this message:

HTTP Status code: 403 Forbidden

Body:
PERMISSION_DENIED:enforce-header.listchecker.myapp:123456789 is not whitelisted

I’d like to change the Body’s text.

Is it possible to achieve such a thing using Istio?

Thank you!

Given the current code, I don’t believe that there is a way to change the message. Parts of that message are hardcoded (https://github.com/istio/istio/blob/55a1771204c5d996c58db69434f188019a6aa01b/mixer/adapter/list/list.go#L118, https://github.com/istio/istio/blob/55a1771204c5d996c58db69434f188019a6aa01b/mixer/pkg/runtime/dispatcher/session.go#L386).

You could perhaps change the listchecker to take a configurable message. But, then you would also have to change the client code to pull out the message that you want to return (iirc, https://github.com/istio/proxy/blob/8455b9eb514c1a527fc4447951af00acd83104f5/src/istio/mixerclient/check_cache.cc#L193).

Actually, it’s possible in 1.1. You need to supply an error_detail in gRPC status using this protobuf:

There is a simple example here:

Thank you for your answers.

@kuat that means I have to write my own custom mixer adapter, right?

Hi!

Yes, that requires a change to the listchecker adapter. We could consider accepting a change to the existing code, but that would require waiting for another release. Feel free to file a feature request!

–kuat