Overview

GUARD ships the configuration needed to authenticate requests to PATH in a way that is compatible with Grove's Portal.

This Grove-specific implementation uses Envoy Gateway's External Authorization feature, which configures Envoy Proxy's ext_authz filter to consult an external authorization service over gRPC before a request is forwarded.
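As an added illustration of the mechanism just described (this is not GUARD's own chart configuration, which is set through the Helm chart), the following is the shape of an Envoy Gateway `SecurityPolicy` that attaches gRPC external authorization to a route. The policy, route, namespace, Service name and port are assumptions chosen for the example.

```yaml
# Added example: an Envoy Gateway SecurityPolicy that makes Envoy's ext_authz
# filter call a gRPC authorizer before forwarding traffic on the targeted route.
# All names, the namespace and the port are assumptions; GUARD's real values
# come from its Helm chart and are not reproduced here.
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: path-ext-auth          # assumed policy name
  namespace: path              # assumed namespace
spec:
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: path-route         # assumed HTTPRoute that fronts PATH
  extAuth:
    grpc:
      backendRefs:
        - name: peas           # assumed Service name of the PEAS gRPC server
          namespace: path
          port: 10003          # assumed gRPC port PEAS listens on
    # Fail closed: if Envoy cannot get an answer from the authorizer, deny the
    # request instead of forwarding it. false is already the default; it is
    # written out so a later edit does not silently flip it.
    failOpen: false
```

The list-valued `targetRefs` and `backendRefs` fields and the `failOpen` switch assume an Envoy Gateway release from the v1.1 line or newer; older releases spell these as the singular `targetRef` and `backendRef`. Whatever the release, verify the behaviour when the authorizer is unreachable before relying on it: a fail-open ext_authz configuration turns an authorizer outage into unauthenticated access to PATH.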

🫛 PEAS - PATH External Auth Server

PEAS Repo

PEAS is the Grove-specific implementation of Envoy Gateway's External Authorization feature.

  • PEAS is a gRPC server that decides, for each incoming request, whether the caller is authorized to access the requested service.

  • It reads the authorization data from the Grove Portal database and keeps it in an in-memory cache, so authorization decisions are served from memory rather than by querying Postgres on every request.

Architecture Diagram

```mermaid
graph TD
    User[/"<big>PATH<br>User</big>"\]
    Envoy[<big>Envoy Proxy</big>]

    AUTH["PEAS<br>(PATH External Auth Server)"]
    AUTH_DECISION{Did<br>Authorize<br>Request?}
    PATH[<big>PATH</big>]

    Error[[Error Returned to User]]
    Result[[Result Returned to User]]

    GroveDB[("Grove Portal Database<br>(Postgres)")]

    User -->|1. Send Request| Envoy
    Envoy -.->|2. Authorization Check<br>gRPC| AUTH
    AUTH -.->|3. Authorization Result<br>gRPC| Envoy
    Envoy --> AUTH_DECISION
    AUTH_DECISION -->|4. No<br>Return Error| Error
    AUTH_DECISION -->|4. Yes<br>Forward Request| PATH
    PATH -->|5. Response| Result

    GroveDB <-->|Postgres Connection| AUTH
```

Enabling Grove Auth

To enable Grove Auth, you need to set the following values in the values.yaml file:

PEAS Documentation

Grove Portal Database

PEAS README.md

Documentation References

Helm Charts

For the full GUARD Helm Chart documentation, see GUARD Helm Chart.

For the Grove Auth code in the Helm Charts repo, see:

Envoy External Docs

For an example walkthrough of implementing external authorization with Envoy Gateway, see:

For Envoy Proxy's ext_authz HTTP Filter documentation (how PEAS communicates with Envoy), see:
