[istio-policy] listchecker adapter custom response

scenusa · April 15, 2019, 4:30pm

Hello,

Does anyone know if it is possible to return custom responses when a request is denied by listchecker adapter?

I am trying to achieve a whitelisting functionality based on a header value. I’ve created a listentry, listchecker and a rule connecting those two, but on rejection I get this message:

HTTP Status code: 403 Forbidden

Body:
PERMISSION_DENIED:enforce-header.listchecker.myapp:123456789 is not whitelisted

I’d like to change the Body’s text.

Is it possible to achieve such thing using istio?

Thank you!

douglas-reid · April 15, 2019, 5:55pm

Given the current code, I don’t believe that there is a way to change the message. Parts of that message are hardcoded (https://github.com/istio/istio/blob/55a1771204c5d996c58db69434f188019a6aa01b/mixer/adapter/list/list.go#L118, https://github.com/istio/istio/blob/55a1771204c5d996c58db69434f188019a6aa01b/mixer/pkg/runtime/dispatcher/session.go#L386).

You could perhaps change the listchecker to take a configurable message. But, then you would also have to change the client code to pull out the message that you want to return (iirc, https://github.com/istio/proxy/blob/8455b9eb514c1a527fc4447951af00acd83104f5/src/istio/mixerclient/check_cache.cc#L193).

kuat · April 15, 2019, 6:00pm

Actually, it’s possible in 1.1. You need to supply an error_detail in gRPC status using this protobuf:

github.com

istio/api/blob/6b8d1849e7f44ef523b4442af69b57ddc960d38b/policy/v1beta1/http_response.proto#L23


// limitations under the License.


syntax = "proto3";


package istio.policy.v1beta1;


option go_package="istio.io/api/policy/v1beta1";


// Direct HTTP response for a client-facing error message which can be attached
// to an RPC error.
message DirectHttpResponse {
  // Optional HTTP status code. If not set, RPC error code is used.
  HttpStatusCode code = 1;


  // HTTP response body.
  string body = 2;


  // Optional HTTP response headers.
  map<string, string> headers = 3;
}

There is a simple example here:

github.com

istio/istio/blob/68c020666151cc3b9520e74c025eb14b9f48da36/mixer/test/keyval/adapter.go#L52


	if ok {
		return &HandleKeyvalResponse{
			Result: &v1beta1.CheckResult{ValidDuration: 5 * time.Second},
			Output: &OutputMsg{Value: value},
		}, nil
	}
	return &HandleKeyvalResponse{
		Result: &v1beta1.CheckResult{
			Status: rpc.Status{
				Code: int32(rpc.NOT_FOUND),
				Details: []*types.Any{status.PackErrorDetail(&policy.DirectHttpResponse{
					Body: fmt.Sprintf("<error_detail>key %q not found</error_detail>", key),
				})},
			},
		},
	}, nil
}

scenusa · April 17, 2019, 6:44am

Thank you for your answers.

@kuat that means I have to write my own custom mixder adapter, right?

kuat · April 17, 2019, 6:12pm

Hi!

Yes, that requires a change to listchecker adapter. We could consider accepting a change to the existing code, but that would require waiting for another release. Feel free to file a feature request!

–kuat

Topic		Replies	Views
Listchecker adapter not working with values of type ip_address Policies and Telemetry	3	1007	January 15, 2019
Istio Mixer Policy Policies and Telemetry	10	1096	April 9, 2019
Header Based Policy Rule x-real-ip	3	1325	April 17, 2019
As mixer is disabled how to config policy and telemetry	1	451	August 14, 2020
Custom Mixer Adapter does not work	1	419	November 21, 2019

[istio-policy] listchecker adapter custom response

Related topics