You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
209 lines
7.8 KiB
209 lines
7.8 KiB
7 years ago
|
syntax = "proto3";
|
||
|
|
||
|
import "validate/validate.proto";
|
||
6 years ago
|
import "gogoproto/gogo.proto";
|
||
7 years ago
|
import "envoy/api/v2/core/address.proto";
|
||
7 years ago
|
import "envoy/api/v2/route/route.proto";
|
||
7 years ago
|
import "envoy/type/matcher/metadata.proto";
|
||
6 years ago
|
import "envoy/type/matcher/string.proto";
|
||
7 years ago
|
|
||
6 years ago
|
package envoy.config.rbac.v2;
|
||
6 years ago
|
|
||
|
option java_outer_classname = "RbacProto";
|
||
|
option java_multiple_files = true;
|
||
6 years ago
|
option java_package = "io.envoyproxy.envoy.config.rbac.v2";
|
||
|
option go_package = "v2";
|
||
7 years ago
|
|
||
6 years ago
|
option (gogoproto.stable_marshaler_all) = true;
|
||
|
|
||
7 years ago
|
// [#protodoc-title: Role Based Access Control (RBAC)]
|
||
|
|
||
7 years ago
|
// Role Based Access Control (RBAC) provides service-level and method-level access control for a
|
||
7 years ago
|
// service. RBAC policies are additive. The policies are examined in order. A request is allowed
|
||
|
// once a matching policy is found (suppose the `action` is ALLOW).
|
||
7 years ago
|
//
|
||
|
// Here is an example of RBAC configuration. It has two policies:
|
||
7 years ago
|
//
|
||
6 years ago
|
// * Service account "cluster.local/ns/default/sa/admin" has full access to the service, and so
|
||
|
// does "cluster.local/ns/default/sa/superuser".
|
||
7 years ago
|
//
|
||
6 years ago
|
// * Any user can read ("GET") the service at paths with prefix "/products", so long as the
|
||
|
// destination port is either 80 or 443.
|
||
7 years ago
|
//
|
||
7 years ago
|
// .. code-block:: yaml
|
||
|
//
|
||
7 years ago
|
// action: ALLOW
|
||
|
// policies:
|
||
|
// "service-admin":
|
||
|
// permissions:
|
||
7 years ago
|
// - any: true
|
||
7 years ago
|
// principals:
|
||
6 years ago
|
// - authenticated:
|
||
|
// principal_name:
|
||
|
// exact: "cluster.local/ns/default/sa/admin"
|
||
|
// - authenticated:
|
||
|
// principal_name:
|
||
|
// exact: "cluster.local/ns/default/sa/superuser"
|
||
7 years ago
|
// "product-viewer":
|
||
|
// permissions:
|
||
7 years ago
|
// - and_rules:
|
||
|
// rules:
|
||
|
// - header: { name: ":method", exact_match: "GET" }
|
||
|
// - header: { name: ":path", regex_match: "/products(/.*)?" }
|
||
|
// - or_rules:
|
||
|
// rules:
|
||
|
// - destination_port: 80
|
||
|
// - destination_port: 443
|
||
7 years ago
|
// principals:
|
||
7 years ago
|
// - any: true
|
||
7 years ago
|
//
|
||
|
message RBAC {
|
||
7 years ago
|
// Should we do safe-list or block-list style access control?
|
||
7 years ago
|
enum Action {
|
||
7 years ago
|
// The policies grant access to principals. The rest is denied. This is safe-list style
|
||
7 years ago
|
// access control. This is the default type.
|
||
|
ALLOW = 0;
|
||
|
|
||
7 years ago
|
// The policies deny access to principals. The rest is allowed. This is block-list style
|
||
7 years ago
|
// access control.
|
||
|
DENY = 1;
|
||
|
}
|
||
|
|
||
7 years ago
|
// The action to take if a policy matches. The request is allowed if and only if:
|
||
|
//
|
||
|
// * `action` is "ALLOWED" and at least one policy matches
|
||
|
// * `action` is "DENY" and none of the policies match
|
||
7 years ago
|
Action action = 1;
|
||
|
|
||
7 years ago
|
// Maps from policy name to policy. A match occurs when at least one policy matches the request.
|
||
7 years ago
|
map<string, Policy> policies = 2;
|
||
|
}
|
||
|
|
||
7 years ago
|
// Policy specifies a role and the principals that are assigned/denied the role. A policy matches if
|
||
|
// and only if at least one of its permissions match the action taking place AND at least one of its
|
||
|
// principals match the downstream.
|
||
7 years ago
|
message Policy {
|
||
7 years ago
|
// Required. The set of permissions that define a role. Each permission is matched with OR
|
||
|
// semantics. To match all actions for this policy, a single Permission with the `any` field set
|
||
|
// to true should be used.
|
||
7 years ago
|
repeated Permission permissions = 1 [(validate.rules).repeated .min_items = 1];
|
||
7 years ago
|
|
||
7 years ago
|
// Required. The set of principals that are assigned/denied the role based on “action”. Each
|
||
|
// principal is matched with OR semantics. To match all downstreams for this policy, a single
|
||
|
// Principal with the `any` field set to true should be used.
|
||
7 years ago
|
repeated Principal principals = 2 [(validate.rules).repeated .min_items = 1];
|
||
7 years ago
|
}
|
||
|
|
||
7 years ago
|
// Permission defines an action (or actions) that a principal can take.
|
||
|
message Permission {
|
||
7 years ago
|
|
||
7 years ago
|
// Used in the `and_rules` and `or_rules` fields in the `rule` oneof. Depending on the context,
|
||
|
// each are applied with the associated behavior.
|
||
|
message Set {
|
||
|
repeated Permission rules = 1 [(validate.rules).repeated .min_items = 1];
|
||
|
}
|
||
7 years ago
|
|
||
7 years ago
|
oneof rule {
|
||
|
option (validate.required) = true;
|
||
7 years ago
|
|
||
7 years ago
|
// A set of rules that all must match in order to define the action.
|
||
|
Set and_rules = 1;
|
||
7 years ago
|
|
||
7 years ago
|
// A set of rules where at least one must match in order to define the action.
|
||
|
Set or_rules = 2;
|
||
|
|
||
|
// When any is set, it matches any action.
|
||
|
bool any = 3 [(validate.rules).bool.const = true];
|
||
7 years ago
|
|
||
6 years ago
|
// A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
|
||
6 years ago
|
// available for HTTP request.
|
||
7 years ago
|
envoy.api.v2.route.HeaderMatcher header = 4;
|
||
|
|
||
|
// A CIDR block that describes the destination IP.
|
||
|
envoy.api.v2.core.CidrRange destination_ip = 5;
|
||
|
|
||
|
// A port number that describes the destination port connecting to.
|
||
|
uint32 destination_port = 6 [(validate.rules).uint32.lte = 65535];
|
||
7 years ago
|
|
||
6 years ago
|
// Metadata that describes additional information about the action.
|
||
7 years ago
|
envoy.type.matcher.MetadataMatcher metadata = 7;
|
||
7 years ago
|
|
||
|
// Negates matching the provided permission. For instance, if the value of `not_rule` would
|
||
|
// match, this permission would not match. Conversely, if the value of `not_rule` would not
|
||
|
// match, this permission would match.
|
||
|
Permission not_rule = 8;
|
||
6 years ago
|
|
||
|
// The request server from the client's connection request. This is
|
||
|
// typically TLS SNI.
|
||
|
//
|
||
|
// .. attention::
|
||
|
//
|
||
|
// The behavior of this field may be affected by how Envoy is configured
|
||
|
// as explained below.
|
||
|
//
|
||
|
// * If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>`
|
||
|
// filter is not added, and if a `FilterChainMatch` is not defined for
|
||
|
// the :ref:`server name <envoy_api_field_Listener.FilterChainMatch.server_names>`,
|
||
|
// a TLS connection's requested SNI server name will be treated as if it
|
||
|
// wasn't present.
|
||
|
//
|
||
|
// * A :ref:`listener filter <arch_overview_listener_filters>` may
|
||
|
// overwrite a connection's requested server name within Envoy.
|
||
|
//
|
||
|
// Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn to
|
||
|
// setup SNI.
|
||
|
envoy.type.matcher.StringMatcher requested_server_name = 9;
|
||
7 years ago
|
}
|
||
7 years ago
|
}
|
||
|
|
||
7 years ago
|
// Principal defines an identity or a group of identities for a downstream subject.
|
||
7 years ago
|
message Principal {
|
||
7 years ago
|
|
||
|
// Used in the `and_ids` and `or_ids` fields in the `identifier` oneof. Depending on the context,
|
||
|
// each are applied with the associated behavior.
|
||
|
message Set {
|
||
|
repeated Principal ids = 1 [(validate.rules).repeated .min_items = 1];
|
||
|
}
|
||
|
|
||
|
// Authentication attributes for a downstream.
|
||
7 years ago
|
message Authenticated {
|
||
6 years ago
|
reserved 1;
|
||
|
reserved "name";
|
||
|
|
||
|
// The name of the principal. If set, The URI SAN is used from the certificate, otherwise the
|
||
7 years ago
|
// subject field is used. If unset, it applies to any user that is authenticated.
|
||
6 years ago
|
envoy.type.matcher.StringMatcher principal_name = 2;
|
||
7 years ago
|
}
|
||
|
|
||
7 years ago
|
oneof identifier {
|
||
|
option (validate.required) = true;
|
||
7 years ago
|
|
||
7 years ago
|
// A set of identifiers that all must match in order to define the downstream.
|
||
|
Set and_ids = 1;
|
||
7 years ago
|
|
||
7 years ago
|
// A set of identifiers at least one must match in order to define the downstream.
|
||
|
Set or_ids = 2;
|
||
7 years ago
|
|
||
7 years ago
|
// When any is set, it matches any downstream.
|
||
|
bool any = 3 [(validate.rules).bool.const = true];
|
||
|
|
||
|
// Authenticated attributes that identify the downstream.
|
||
|
Authenticated authenticated = 4;
|
||
7 years ago
|
|
||
7 years ago
|
// A CIDR block that describes the downstream IP.
|
||
|
envoy.api.v2.core.CidrRange source_ip = 5;
|
||
|
|
||
6 years ago
|
// A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
|
||
6 years ago
|
// available for HTTP request.
|
||
7 years ago
|
envoy.api.v2.route.HeaderMatcher header = 6;
|
||
7 years ago
|
|
||
6 years ago
|
// Metadata that describes additional information about the principal.
|
||
7 years ago
|
envoy.type.matcher.MetadataMatcher metadata = 7;
|
||
7 years ago
|
|
||
|
// Negates matching the provided principal. For instance, if the value of `not_id` would match,
|
||
|
// this principal would not match. Conversely, if the value of `not_id` would not match, this
|
||
|
// principal would match.
|
||
|
Principal not_id = 8;
|
||
7 years ago
|
}
|
||
7 years ago
|
}
|