Introduction
PATH
Authorization & Rate Limiting
Table of Contents â
- Quickstart
- Overview
- Envoy Proxy
- Service ID Specification
- Specifying the Gateway Endpoint ID
- Gateway Endpoint Authorization
- External Auth Server
- Rate Limiter
Quickstartâ
Shannon Quickstartâ
-
Install all prerequisites:
-
Run
make init_envoy
to create all the required config files.allowed-services.lua
is created with the service IDs allowed by the PATH instance.- For more details, see the Allowed Services Map section.
.envoy.yaml
is created with your auth provider's domain and audience..ratelimit.yaml
is created with the rate limiting configuration for the PATH instance..gateway-endpoints.yaml
is created from the example file in the PADS Repository.- For more details, see the Gateway Endpoint YAML File section.
-
Run
make path_up
to start the services with all auth and rate limiting dependencies.
âšī¸ After copying config files by running make init_envoy
, please update local/path/envoy/.allowed-services.lua
with the service IDs allowed by your PATH instance
and local/path/envoy/.gateway-endpoints.yaml
with your own data.
Overviewâ
This folder contains everything necessary for managing authorization and rate limiting in the PATH service. Specifically, this is split into two logical parts:
- The
Envoy Proxy configuration
- The
External Auth Server
Componentsâ
A Tiltfile is provided to run all of these services locally.
- PATH Service: The service that handles requests after they have been authorized.
- Envoy Proxy: A proxy server that handles incoming requests, performs auth checks, and routes authorized requests to the
PATH
service. - External Auth Server: A Go/gRPC server that evaluates whether incoming requests are authorized to access the
PATH
service. - Rate Limiter: A service that coordinates all rate limiting.
- Redis: A key-value store used by the rate limiter to share state and coordinate rate limiting across any number of PATH instances behind the same Envoy Proxy.
- Remote gRPC Server: A server that provides the external authorization server with data on which endpoints are authorized to use the PATH service.
- PADS (PATH Auth Data Server) is provided as a functional implementation of the remote gRPC server that loads data from a YAML file or simple Postgres database.
- See PATH Auth Data Server for more information.
Architecture Diagramâ
Envoy Proxyâ
PATH uses Envoy Proxy to handle authorization and rate limiting.
The /envoy
directory houses the configuration files and settings for Envoy Proxy.
Envoy acts as a gateway, handling incoming requests, determining allowed services, performing auth checks, and routing authorized requests to the PATH service.
Envoy Configurationâ
Envoy HTTP Filtersâ
The PATH Auth Server uses the following Envoy HTTP filters to handle authorization:
- lua: Extracts the Service ID from the subdomain of the request's host field and attaches it to the request as the
target-service-id
header. - header_mutation: Ensures the request does not have the
jwt-user-id
header set before it is forwarded upstream.header_mutation
is used only if the PATH instance has JWT auth enabled.
- jwt_authn: Performs JWT verification and sets the
jwt-user-id
header.jwt_authn
is used only if the PATH instance has JWT auth enabled.
- ext_authz: Performs authorization checks using the PATH Auth Server external authorization server.
- ratelimit: Performs rate limiting checks using the Rate Limiter service.
Request Lifecycleâ
Service ID Specificationâ
The target-service-id
header is used to specify the Service ID in the request.
There are two methods for specifying this header in the request:
- Target Service ID Header (e.g. -H "target-service-id: anvil")
- URL Subdomain (e.g. http://anvil.localhost:3001/v1)
Allowed Services Fileâ
The file local/path/envoy/.allowed-services.lua
defines the mapping of service IDs to the service IDs used by the PATH service.
All service IDs (and optional service aliases) used by the PATH service must be defined in this file.
.allowed-services.lua
formatreturn {
-- 1. Shannon Service IDs
["anvil"] = "anvil", -- Anvil (Authoritative ID)
-- 2. Morse Service IDs
["F000"] = "F000", -- Pocket (Authoritative ID)
["pocket"] = "F000", -- Pocket (Alias)
}
Target Service ID Headerâ
The service ID (or a configured alias) may be specified in the target-service-id
header.
curl http://localhost:3001/v1 \
-X POST \
-H "Content-Type: application/json" \
-H "target-service-id: anvil" \
-H "endpoint-id: endpoint_3_no_auth" \
-d '{"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber" }'
URL Subdomainâ
The service ID (or a configured alias) may be specified in the URL subdomain.
eg. host = "anvil.path.grove.city" -> Header: "target-service-id: anvil"
curl http://anvil.localhost:3001/v1 \
-X POST \
-H "Content-Type: application/json" \
-H "endpoint-id: endpoint_3_no_auth" \
-d '{"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber" }'
Specifying the Gateway Endpoint IDâ
The Auth Server may extract the Gateway Endpoint ID from the request in one of two ways:
This is determined by the ENDPOINT_ID_EXTRACTOR
environment variable in the auth_server/.env
file. One of:
url_path
(default)header
Requests are rejected if either of the following are true:
- The
<GATEWAY_ENDPOINT_ID>
is missing - ID is not present in the
External Auth Server
'sGateway Endpoint Store
Regardless of which extractor is used, the Gateway Endpoint ID will always be set in the endpoint-id
header if the request is forwarded to the PATH Service.
URL Path Endpoint ID Extractorâ
When using the url_path
extractor, the Gateway Endpoint ID must be specified in the URL path.
https://<SERVICE_NAME>.<PATH_DOMAIN>/v1/<GATEWAY_ENDPOINT_ID>
For example, if the SERVICE_NAME
is eth
and the GATEWAY_ENDPOINT_ID
is a1b2c3d4
:
curl http://anvil.localhost:3001/v1/endpoint_3_no_auth \
-X POST \
-H "Content-Type: application/json" \
-d '{"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber" }'
Header Endpoint ID Extractorâ
When using the header
extractor, the Gateway Endpoint ID must be specified in the endpoint-id
header.
-H "endpoint-id: <GATEWAY_ENDPOINT_ID>"
For example, if the endpoint-id
header is set to a1b2c3d4
:
curl http://anvil.localhost:3001/v1 \
-X POST \
-H "Content-Type: application/json" \
-H "endpoint-id: endpoint_3_no_auth" \
-d '{"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber" }'
A variety of example cURL requests to the PATH service can be found in the test_requests.mk
file.
endpoint_3_no_auth
is the endpoint from the example .gateway-endpoints.yaml
file that requires no authorization.
See the Gateway Endpoint YAML File section for more information on the GatewayEndpoint
data structure.
Gateway Endpoint Authorizationâ
The External Auth Server
evaluates whether incoming requests are authorized to access the PATH service based on the AuthType
field of the GatewayEndpoint
proto struct.
Three authorization types are supported:
JSON Web Token (JWT) Authorizationâ
For GatewayEndpoints with the AuthType
field set to JWT_AUTH
, a valid JWT issued by the auth provider specified in the envoy.yaml
file is required to access the PATH service.
The make init_envoy
command will prompt you about whether you wish to use JWT authorization.
If you do wish to use it, you will be asked to enter your auth provider's domain and audience.
Auth0 is an example of a JWT issuer that can be used with PATH.
Their docs page on JWTs gives a good overview of the JWT format and how to issue JWTs to your users:
Example Request Header:
-H "Authorization: Bearer <JWT>"
The jwt_authn
filter will verify the JWT and, if valid, set the jwt-user-id
header from the sub
claim of the JWT. An invalid JWT will result in an error.
The External Auth Server
will use the jwt-user-id
header to make an authorization decision; if the GatewayEndpoint
's Auth.AuthorizedUsers
field contains the jwt-user-id
value, the request will be authorized.
Example auth provider user ID header:
jwt-user-id: auth0|a12b3c4d5e6f7g8h9
For more information, see the Envoy JWT Authn Docs
API Key Authorizationâ
For GatewayEndpoints with the AuthType
field set to API_KEY_AUTH
, a static API key is required to access the PATH service.
Example Request Header:
-H "Authorization: <API_KEY>"
The External Auth Server
will use the authorization
header to make an authorization decision; if the GatewayEndpoint
's Auth.ApiKey
field matches the API_KEY
value, the request will be authorized.
No Authorizationâ
For GatewayEndpoints with the AuthType
field set to NO_AUTH
, no authorization is required to access the PATH service.
All requests for GatewayEndpoints with the AuthType
field set to NO_AUTH
will be authorized by the External Auth Server
.