You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: website/public/extensions.json
+6-1Lines changed: 6 additions & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -168,7 +168,7 @@
168
168
"author": "Tetrate",
169
169
"featured": true,
170
170
"description": "Inline Cedar policy evaluation for HTTP request authorization",
171
-
"longDescription": "This extension implements [Cedar](https://www.cedarpolicy.com/) policy evaluation\nas an inline Envoy HTTP filter. It uses the [Cedar-Go](https://github.com/cedar-policy/cedar-go)\nlibrary to make authorization decisions on each request without a separate authorization server.\n\n## Key Features\n\n- **Inline Cedar evaluation**: Load and evaluate Cedar policy files directly in the Envoy\n data path using the Cedar-Go library. No separate authorization server required.\n- **Structured authorization model**: Maps HTTP requests to Cedar's Principal/Action/Resource\n model with rich context for fine-grained `when` clause conditions.\n- **Entity hierarchies**: Optionally load Cedar entity data to enable group membership and\n hierarchical authorization checks (e.g., `principal in Group::\"admins\"`).\n- **Dry-run mode**: Log authorization decisions without enforcing them, useful for testing\n policies in production.\n- **Fail-open mode**: Allow requests through when policy evaluation encounters an error,\n instead of returning a 500 response.\n- **mTLS and SPIFFE identity**: Access client certificate attributes including SPIFFE IDs\n (URI SANs), DNS SANs, and certificate subject in policy context.\n- **Configurable deny responses**: Customize the HTTP status code, body, and headers\n returned when a request is denied.\n\n## Authorization Model\n\nHTTP requests are mapped to Cedar authorization concepts:\n\n- **Principal**: Derived from a configurable request header (e.g., `User::\"alice\"` from\n the `x-user-id` header). The entity type is set via `principal_type` and the ID is\n extracted from the header specified by `principal_id_header`.\n- **Action**: Derived from the HTTP method (e.g., `Action::\"GET\"`, `Action::\"POST\"`).\n The entity type defaults to `Action` and can be customized via `action_type`.\n- **Resource**: Derived from the request path without query string (e.g.,\n `Resource::\"/api/users\"`). The entity type defaults to `Resource` and can be\n customized via `resource_type`.\n- **Context**: Rich request attributes available in Cedar `when` clauses.\n\n## Context Record Structure\n\nThe `context` record passed to Cedar policies contains the following structure:\n\n```json\n{\n \"request\": {\n \"method\": \"GET\",\n \"path\": \"/api/v1/resource?key=value\",\n \"host\": \"example.com\",\n \"scheme\": \"https\",\n \"protocol\": \"HTTP/1.1\",\n \"headers\": {\n \"authorization\": \"Bearer ...\",\n \"content-type\": \"application/json\"\n }\n },\n \"source\": {\n \"address\": \"10.0.0.1:5000\",\n \"certificate\": {\n \"uri_san\": \"spiffe://cluster.local/ns/default/sa/client\",\n \"dns_san\": \"client.default.svc.cluster.local\",\n \"subject\": \"CN=client,O=example\",\n \"sha256_digest\": \"abc123...\"\n }\n },\n \"destination\": {\n \"address\": \"10.0.0.2:443\"\n },\n \"connection\": {\n \"mtls\": true,\n \"tls_version\": \"TLSv1.3\"\n },\n \"parsed_path\": [\"api\", \"v1\", \"resource\"],\n \"parsed_query\": {\"key\": [\"value\"]}\n}\n```\n\n## Metrics\n\nThe extension exposes the `cedar_requests_total` counter metric with a `decision` tag that\ntracks authorization outcomes. The possible tag values are:\n\n| Decision | Description |\n|--------|------|\n| `allowed` | The policy allowed the request. |\n| `denied` | The policy denied the request (or an error occurred with fail-open disabled). |\n| `failopen` | An error occurred during policy evaluation and the request was allowed because fail-open mode is enabled. |\n| `dryrun_allow` | The policy denied the request but it was allowed because dry-run mode is enabled. |\n",
171
+
"longDescription": "This extension implements [Cedar](https://www.cedarpolicy.com/) policy evaluation\nas an inline Envoy HTTP filter. It uses the [Cedar-Go](https://github.com/cedar-policy/cedar-go)\nlibrary to make authorization decisions on each request without a separate authorization server.\n\n## Key Features\n\n- **Inline Cedar evaluation**: Load and evaluate Cedar policy files directly in the Envoy\n data path using the Cedar-Go library. No separate authorization server required.\n- **Structured authorization model**: Maps HTTP requests to Cedar's Principal/Action/Resource\n model with rich context for fine-grained `when` clause conditions.\n- **Entity hierarchies**: Optionally load Cedar entity data to enable group membership and\n hierarchical authorization checks (e.g., `principal in Group::\"admins\"`).\n- **Dry-run mode**: Log authorization decisions without enforcing them, useful for testing\n policies in production.\n- **Fail-open mode**: Allow requests through when policy evaluation encounters an error,\n instead of returning a 500 response.\n- **mTLS and SPIFFE identity**: Access client certificate attributes including SPIFFE IDs\n (URI SANs), DNS SANs, and certificate subject in policy context.\n- **Configurable deny responses**: Customize the HTTP status code, body, and headers\n returned when a request is denied.\n\n## Authorization Model\n\nHTTP requests are mapped to Cedar authorization concepts:\n\n- **Principal**: Derived from a configurable request header (e.g., `User::\"alice\"` from\n the `x-user-id` header). The entity type is set via `principal_type` and the ID is\n extracted from the header specified by `principal_id_header`.\n- **Action**: Derived from the HTTP method (e.g., `Action::\"GET\"`, `Action::\"POST\"`).\n The entity type defaults to `Action` and can be customized via `action_type`.\n- **Resource**: Derived from the request path without query string (e.g.,\n `Resource::\"/api/users\"`). The entity type defaults to `Resource` and can be\n customized via `resource_type`.\n- **Context**: Rich request attributes available in Cedar `when` clauses.\n\n## Context Record Structure\n\nThe `context` record passed to Cedar policies contains the following structure:\n\n```json\n{\n \"request\": {\n \"method\": \"GET\",\n \"path\": \"/api/v1/resource?key=value\",\n \"host\": \"example.com\",\n \"scheme\": \"https\",\n \"protocol\": \"HTTP/1.1\",\n \"headers\": {\n \"authorization\": \"Bearer ...\",\n \"content-type\": \"application/json\"\n }\n },\n \"source\": {\n \"address\": \"10.0.0.1:5000\",\n \"certificate\": {\n \"uri_san\": \"spiffe://cluster.local/ns/default/sa/client\",\n \"dns_san\": \"client.default.svc.cluster.local\",\n \"subject\": \"CN=client,O=example\",\n \"sha256_digest\": \"abc123...\"\n }\n },\n \"destination\": {\n \"address\": \"10.0.0.2:443\"\n },\n \"connection\": {\n \"mtls\": true,\n \"tls_version\": \"TLSv1.3\"\n },\n \"dynamic_metadata\": {\n \"envoy.filters.http.jwt_authn\": {\n \"sub\": \"user-123\",\n \"iss\": \"https://issuer.example.com\"\n }\n },\n \"parsed_path\": [\"api\", \"v1\", \"resource\"],\n \"parsed_query\": {\"key\": [\"value\"]}\n}\n```\n\n## Metrics\n\nThe extension exposes the `cedar_requests_total` counter metric with a `decision` tag that\ntracks authorization outcomes. The possible tag values are:\n\n| Decision | Description |\n|--------|------|\n| `allowed` | The policy allowed the request. |\n| `denied` | The policy denied the request (or an error occurred with fail-open disabled). |\n| `failopen` | An error occurred during policy evaluation and the request was allowed because fail-open mode is enabled. |\n| `dryrun_allow` | The policy denied the request but it was allowed because dry-run mode is enabled. |\n",
172
172
"type": "go",
173
173
"tags": [
174
174
"go",
@@ -222,6 +222,11 @@
222
222
"title": "Fail-Open Mode",
223
223
"description": "Enable fail-open mode to allow requests through when policy evaluation\nencounters an error, instead of returning a 500 response. Useful for\nnon-critical authorization checks where availability is prioritized\nover enforcement.\n",
"title": "Include Envoy dynamic metadata in Cedar context",
228
+
"description": "Include Envoy dynamic metadata in the Cedar context record under `context.dynamic_metadata`.\nThis allows writing policies that make decisions based on dynamic metadata from other Envoy\nfilters, such as JWT authentication claims.\n",
0 commit comments