Disabling grpc authorize check for unauthenticated URLs

What happened?

Envoy calls the grpc_authorize_check event for unauthorized URLs as well, which keeps Pomerium busy.

What did you expect to happen?

I want to disable grpc authorize check from envoy to pomerium for unauthenticated host URLs.

How’d it happen?

  1. Configured src and to URLs, with allow_unauthenticated_public_access=true
  2. Ran Pomerium and hit the URL
  3. Saw the grpc authorize check being called.

What’s your environment like?

  • Pomerium version v-17
  • Linux, VM

What’s your config.yaml?

autocert: false
autocert_use_staging: true
autocert_dir: /apps/keystore/registered/keys/ap/autocert
log_level: debug
address: "172.16.240.135:443"
http_redirect_addr: "172.16.240.135:80"
cookie_secret: SWBDUkxfTEhWQVZWV2BfTERaQU5QXlNFS1hYR1pOWEs=
shared_secret: XUhTUllUSUVfUF5NUENMT1BHRkVCXFNRSlVKX0hTWWA=
certificates:
- cert: /apps/nexus/rules/ap/default-ap-domain.cert
  key: /apps/nexus/rules/ap/default-ap-domain.key
routes:
- from: https://gotest.localhost.com
  allow_public_unauthenticated_access: true
  to:
  - http://172.16.233.1:8080
- from: https://newtest.localhost.com
  allow_public_unauthenticated_access: true
  to:
  - http://172.16.233.1:8080

What did you see in the logs?

{"level":"info","service":"authorize","request-id":"","check-request-id":"0314588d-00d9-4a76-a9f3-9ac038e5cae4","method":"GET","path":"/","host":"gotest.localhost.com","query":"","ip":"172.16.240.1","allow":true,"allow-why-true":["accept"],"deny":false,"deny-why-false":["valid-client-certificate-or-none-required"],"user":"","email":"","headers":{":authority":"gotest.localhost.com",":method":"GET",":path":"/",":scheme":"https","Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8","Accept-Encoding":"gzip, deflate, br","Accept-Language":"en-US,en;q=0.5","Cache-Control":"max-age=0","Sec-Fetch-Dest":"document","Sec-Fetch-Mode":"navigate","Sec-Fetch-Site":"none","Sec-Fetch-User":"?1","Upgrade-Insecure-Requests":"1","User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0","X-Envoy-Internal":"true","X-Forwarded-For":"172.16.240.1","X-Forwarded-Proto":"https","X-Request-Id":"0314588d-00d9-4a76-a9f3-9ac038e5cae4"},"time":"2023-01-10T04:11:20Z","message":"authorize check"}

Additional context

Is this required? Is there a way to disable this for unauthenticated routes?

Yes, this is required for audit purposes. allow_public_unauthenticated_access: true is just another policy that gets evaluated, with authorization results published to the log. The overhead for this policy evaluation is negligible, especially if you run Pomerium in the all-in-one mode.
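
The reply above says public routes still get an authorization result published to the log for audit. As an added example (not part of the issue and not Pomerium's own code), the Python below turns those "authorize check" entries into a per-host audit summary. The sample lines, the host admin.localhost.com and the user values are constructed, and treating a request as passed when allow is true and deny is not true is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample lines, trimmed to the fields read below. Field names
# follow the "authorize check" entry quoted in the issue.
SAMPLE_LOG = """\
{"service":"authorize","host":"gotest.localhost.com","path":"/","ip":"172.16.240.1","allow":true,"allow-why-true":["accept"],"deny":false,"user":"","email":"","message":"authorize check"}
{"service":"authorize","host":"gotest.localhost.com","path":"/health","ip":"172.16.240.7","allow":true,"allow-why-true":["accept"],"deny":false,"user":"","email":"","message":"authorize check"}
{"service":"authorize","host":"newtest.localhost.com","path":"/","ip":"172.16.240.1","allow":true,"allow-why-true":["accept"],"deny":false,"user":"","email":"","message":"authorize check"}
{"service":"authorize","host":"admin.localhost.com","path":"/","ip":"172.16.240.9","allow":false,"deny":false,"user":"","email":"","message":"authorize check"}
{"service":"authorize","host":"admin.localhost.com","path":"/","ip":"172.16.240.9","allow":true,"deny":false,"user":"constructed-user-id","email":"alice@example.com","message":"authorize check"}
{"service":"envoy","message":"unrelated line"}
not json at all
"""


def summarize_authorize_checks(lines):
    """Group 'authorize check' entries by host for an audit summary."""
    summary = defaultdict(lambda: {"public_allowed": 0, "identified_allowed": 0,
                                   "blocked": 0, "client_ips": set()})
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON output mixed into the log
        if not isinstance(entry, dict) or entry.get("message") != "authorize check":
            continue  # only authorization decisions are of interest here
        stats = summary[entry.get("host", "")]
        stats["client_ips"].add(entry.get("ip", ""))
        # Assumption: the request passed when allow is true and deny is not.
        permitted = entry.get("allow") is True and entry.get("deny") is not True
        anonymous = not entry.get("user") and not entry.get("email")
        if not permitted:
            stats["blocked"] += 1
        elif anonymous:
            stats["public_allowed"] += 1  # served without any identity
        else:
            stats["identified_allowed"] += 1
    return dict(summary)


if __name__ == "__main__":
    for host, stats in sorted(summarize_authorize_checks(SAMPLE_LOG.splitlines()).items()):
        print(host, stats["public_allowed"], stats["identified_allowed"],
              stats["blocked"], sorted(stats["client_ips"]))
```

A host whose traffic is all public_allowed is being served entirely without identity, which is what an audit of allow_public_unauthenticated_access routes needs to confirm.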