Chiebot-Mirror
/
data-plane-api
mirror of https://github.com/envoyproxy/data-plane-api.git
8
0
Fork 0
Code Issues Projects Releases Wiki Activity
[READ ONLY MIRROR] Envoy REST/proto API definitions and documentation. (grpc依赖)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1047 Commits
2 Branches
0 Tags
18 MiB
Tag: Branch: Tree: 4d1ee75a0f
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '4d1ee75a0f'
${ noResults }
data-plane-api/envoy/config/rbac/v2/BUILD

37 lines
1.1 KiB
Raw Normal View History Unescape

Protos for RBAC support. (#3133) Added protos to support Role Based Access Control in Envoy. Also removed existing auth.proto because the new RBAC proto is a replacement of it. Ealier discussions at envoyproxy/data-plane-api#586. Signed-off-by: Limin Wang <liminwang@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 13de384ab34428af99c53201f6b3c95991b7ae10
7 years ago
licenses(["notice"]) # Apache 2
fix bazel query (#5886) fix bazel query Risk Level: Low Testing: built //source/exe:envoy-static Signed-off-by: Dan Rosen <mergeconflict@google.com> Mirrored from https://github.com/envoyproxy/envoy @ d841d20b101584786d4d44190a78da313768b146
6 years ago
load("@envoy_api//bazel:api_build_system.bzl", "api_go_proto_library", "api_proto_library_internal")
Protos for RBAC support. (#3133) Added protos to support Role Based Access Control in Envoy. Also removed existing auth.proto because the new RBAC proto is a replacement of it. Ealier discussions at envoyproxy/data-plane-api#586. Signed-off-by: Limin Wang <liminwang@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 13de384ab34428af99c53201f6b3c95991b7ae10
7 years ago
Fixes #3756 by creating a new api_proto_library_internal build rule that (#3764) adds the required visibility rules and delegates the rest to the generic api_proto_library. I tested the change by doing the following without getting errors. ./ci/run_envoy_docker.sh './ci/do_ci.sh docs' I changed the BUILD files using the following commands. /envoy/api$ find . -type f -name BUILD | xargs sed -i -e 's/api_proto_library(/api_proto_library_internal(/g' envoy/api$ find . -type f -name BUILD | xargs sed -i -e 's/"api_proto_library"/"api_proto_library_internal"/g' Signed-off-by: mickey <mickeyju@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 4b871c0ab9350882271a490adcee44e613ed9807
7 years ago
api_proto_library_internal(
Protos for RBAC support. (#3133) Added protos to support Role Based Access Control in Envoy. Also removed existing auth.proto because the new RBAC proto is a replacement of it. Ealier discussions at envoyproxy/data-plane-api#586. Signed-off-by: Limin Wang <liminwang@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 13de384ab34428af99c53201f6b3c95991b7ae10
7 years ago
name = "rbac",
srcs = ["rbac.proto"],
filter: add conditions to access control filter (#7716) Introduces a generic expression-based admission filter using https://github.com/google/cel-cpp. This is a follow-up to discussion in https://github.com/envoyproxy/envoy/issues/6751. The advantage of this approach is: 1. Un-opinionated about the policy structure since the only config is an expression. This is friendly towards control planes which can bear the complexity of translation, analysis, and evolution of policies. 2. Multi-language, CEL supports go, java, and c++ runtimes. 3. Inter-operability with other filters using request `metadata`. Companion filters can populate metadata about requests and resources that affect policy decisions. 4. Generic utility, it can be used for custom metric labels, access log entries, etc. The dis-advantage of this approach is that its performance is lower than domain-optimized interpreters. On a fair example, the interpreter evaluates in around 1ms (see https://github.com/google/cel-cpp/blob/master/eval/tests/benchmark_test.cc#L591) vs ~150ns for hand-written C++ native code. There is space for improvement (especially if WASM can be used as a compilation target), but ultimately the generic expression form carries a cost. Conditions are added to support RBAC filter for complementing the existing principal/permission model. They add support for the extended checks (e.g. time of query, resource-bound), but add no cost unless used. Description: add expression-based admission filter Risk Level: low Testing: Docs Changes: Release Notes: Signed-off-by: Kuat Yessenov <kuat@google.com> Mirrored from https://github.com/envoyproxy/envoy @ f90e1b08ac5b4973c45a6529780ebdd211ff901f
5 years ago
external_cc_proto_deps = [
"@com_google_googleapis//google/api/expr/v1alpha1:syntax_cc_proto",
],
external_proto_deps = [
"@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto",
],
external_py_proto_deps = [
"@com_google_googleapis//google/api/expr/v1alpha1:syntax_py_proto",
],
authz: RBAC filter config PBs + flexibility changes (#3477) Signed-off-by: Chris Roche <croche@lyft.com> Mirrored from https://github.com/envoyproxy/envoy @ 9d0f0a844d070ce01f7106b8926e539c4cbe49b1
7 years ago
visibility = ["//visibility:public"],
Protos for RBAC support. (#3133) Added protos to support Role Based Access Control in Envoy. Also removed existing auth.proto because the new RBAC proto is a replacement of it. Ealier discussions at envoyproxy/data-plane-api#586. Signed-off-by: Limin Wang <liminwang@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 13de384ab34428af99c53201f6b3c95991b7ae10
7 years ago
deps = [
"//envoy/api/v2/core:address",
authz: RBAC filter config PBs + flexibility changes (#3477) Signed-off-by: Chris Roche <croche@lyft.com> Mirrored from https://github.com/envoyproxy/envoy @ 9d0f0a844d070ce01f7106b8926e539c4cbe49b1
7 years ago
"//envoy/api/v2/route",
rbac: add metadata support to rbac filter (#3638) Signed-off-by: Yangmin Zhu <ymzhu@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 9e7a3ab6fdf4c55557c3a06a6f7f1fa9c7a4ad7e
7 years ago
"//envoy/type/matcher:metadata",
rbac: update the authenticated.user to a StringMatcher. (#4250) This PR added a new principal_name of type StringMatcher to rbac Authenticated and mark the existing user field as deprecated. This gives us more flexibility to express more matching rules against peer certificate. Risk Level: Low Testing: Added unit tests Signed-off-by: Yangmin Zhu <ymzhu@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 5d731878fd0134ca15d5904450a64dab0ff577a9
6 years ago
"//envoy/type/matcher:string",
Protos for RBAC support. (#3133) Added protos to support Role Based Access Control in Envoy. Also removed existing auth.proto because the new RBAC proto is a replacement of it. Ealier discussions at envoyproxy/data-plane-api#586. Signed-off-by: Limin Wang <liminwang@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 13de384ab34428af99c53201f6b3c95991b7ae10
7 years ago
],
)
api_go_proto_library(
name = "rbac",
proto = ":rbac",
deps = [
"//envoy/api/v2/core:address_go_proto",
authz: RBAC filter config PBs + flexibility changes (#3477) Signed-off-by: Chris Roche <croche@lyft.com> Mirrored from https://github.com/envoyproxy/envoy @ 9d0f0a844d070ce01f7106b8926e539c4cbe49b1
7 years ago
"//envoy/api/v2/route:route_go_proto",
rbac: add metadata support to rbac filter (#3638) Signed-off-by: Yangmin Zhu <ymzhu@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 9e7a3ab6fdf4c55557c3a06a6f7f1fa9c7a4ad7e
7 years ago
"//envoy/type/matcher:metadata_go_proto",
rbac: update the authenticated.user to a StringMatcher. (#4250) This PR added a new principal_name of type StringMatcher to rbac Authenticated and mark the existing user field as deprecated. This gives us more flexibility to express more matching rules against peer certificate. Risk Level: Low Testing: Added unit tests Signed-off-by: Yangmin Zhu <ymzhu@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 5d731878fd0134ca15d5904450a64dab0ff577a9
6 years ago
"//envoy/type/matcher:string_go_proto",
filter: add conditions to access control filter (#7716) Introduces a generic expression-based admission filter using https://github.com/google/cel-cpp. This is a follow-up to discussion in https://github.com/envoyproxy/envoy/issues/6751. The advantage of this approach is: 1. Un-opinionated about the policy structure since the only config is an expression. This is friendly towards control planes which can bear the complexity of translation, analysis, and evolution of policies. 2. Multi-language, CEL supports go, java, and c++ runtimes. 3. Inter-operability with other filters using request `metadata`. Companion filters can populate metadata about requests and resources that affect policy decisions. 4. Generic utility, it can be used for custom metric labels, access log entries, etc. The dis-advantage of this approach is that its performance is lower than domain-optimized interpreters. On a fair example, the interpreter evaluates in around 1ms (see https://github.com/google/cel-cpp/blob/master/eval/tests/benchmark_test.cc#L591) vs ~150ns for hand-written C++ native code. There is space for improvement (especially if WASM can be used as a compilation target), but ultimately the generic expression form carries a cost. Conditions are added to support RBAC filter for complementing the existing principal/permission model. They add support for the extended checks (e.g. time of query, resource-bound), but add no cost unless used. Description: add expression-based admission filter Risk Level: low Testing: Docs Changes: Release Notes: Signed-off-by: Kuat Yessenov <kuat@google.com> Mirrored from https://github.com/envoyproxy/envoy @ f90e1b08ac5b4973c45a6529780ebdd211ff901f
5 years ago
"@com_google_googleapis//google/api/expr/v1alpha1:cel_go_proto",
Protos for RBAC support. (#3133) Added protos to support Role Based Access Control in Envoy. Also removed existing auth.proto because the new RBAC proto is a replacement of it. Ealier discussions at envoyproxy/data-plane-api#586. Signed-off-by: Limin Wang <liminwang@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 13de384ab34428af99c53201f6b3c95991b7ae10
7 years ago
],
)