-
Notifications
You must be signed in to change notification settings - Fork 4.7k
/
rbac.proto
76 lines (61 loc) · 3 KB
/
rbac.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
syntax = "proto3";
package envoy.extensions.filters.http.rbac.v3;
import "envoy/config/rbac/v3/rbac.proto";
import "xds/annotations/v3/status.proto";
import "xds/type/matcher/v3/matcher.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
option java_package = "io.envoyproxy.envoy.extensions.filters.http.rbac.v3";
option java_outer_classname = "RbacProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rbac/v3;rbacv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: RBAC]
// Role-Based Access Control :ref:`configuration overview <config_http_filters_rbac>`.
// [#extension: envoy.filters.http.rbac]
// RBAC filter config.
// [#next-free-field: 6]
message RBAC {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.http.rbac.v2.RBAC";
// Specify the RBAC rules to be applied globally.
// If absent, no enforcing RBAC policy will be applied.
// If present and empty, DENY.
// If both rules and matcher are configured, rules will be ignored.
config.rbac.v3.RBAC rules = 1
[(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];
// The match tree to use when resolving RBAC action for incoming requests. Requests do not
// match any matcher will be denied.
// If absent, no enforcing RBAC matcher will be applied.
// If present and empty, deny all requests.
xds.type.matcher.v3.Matcher matcher = 4 [
(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier",
(xds.annotations.v3.field_status).work_in_progress = true
];
// Shadow rules are not enforced by the filter (i.e., returning a 403)
// but will emit stats and logs and can be used for rule testing.
// If absent, no shadow RBAC policy will be applied.
// If both shadow rules and shadow matcher are configured, shadow rules will be ignored.
config.rbac.v3.RBAC shadow_rules = 2
[(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier"];
// The match tree to use for emitting stats and logs which can be used for rule testing for
// incoming requests.
// If absent, no shadow matcher will be applied.
xds.type.matcher.v3.Matcher shadow_matcher = 5 [
(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier",
(xds.annotations.v3.field_status).work_in_progress = true
];
// If specified, shadow rules will emit stats with the given prefix.
// This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
// shadow rules.
string shadow_rules_stat_prefix = 3;
}
message RBACPerRoute {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.http.rbac.v2.RBACPerRoute";
reserved 1;
// Override the global configuration of the filter with this new config.
// If absent, the global RBAC policy will be disabled for this route.
RBAC rbac = 2;
}