Allow for custom HTTP response codes from RBAC denials #34127

Open
jacobneiltaylor opened this issue May 14, 2024 · 0 comments · May be fixed by #34126
Labels
area/rbac enhancement Feature requests. Not bugs or questions.

Comments

@jacobneiltaylor
Contributor

Title: Allow for custom HTTP response codes from RBAC denials

Description:
This feature would allow users to customise the response code returned with an RBAC denial.

Current behaviour ensures that all RBAC denials return a "Forbidden" status code (403).
This default behaviour can and should be preserved. However, there are use cases where the ability to tune this rejection might be desirable.

Specifically for our use case, we want to use the RBAC filter to enforce allowlists for authenticated forward proxy clients. In the event clients are denied, we want to return a "Proxy Authentication Required" status code (407).

We thought it more appropriate to generalise this capability, as there may be other cases where it is desirable. For example, it may be more semantically (or pedantically 😄) correct to return an "Unauthorized" status code (401).

We have provided a PR to implement this feature; any and all feedback is welcome.

Relevant Links:

@jacobneiltaylor jacobneiltaylor added enhancement Feature requests. Not bugs or questions. triage Issue requires triage labels May 14, 2024
@ravenblackx ravenblackx added area/rbac and removed triage Issue requires triage labels May 14, 2024