syntax = "proto3";
import "validate/validate.proto";
import "envoy/api/v2/core/address.proto";
import "envoy/type/string_match.proto";
package envoy.config.rbac.v2alpha;
// Role Based Access Control (RBAC) provides service-level and method-level access control for a service.
// The RBAC engine authorizes a request by evaluating the request context (expressed in the form of
// :ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`) against the RBAC policies.
//
// RBAC policies are additive: a request matches the RBAC configuration as soon as any one policy
// matches it. With `action` ALLOW a matching policy allows the request and everything else is denied;
// with `action` DENY a matching policy denies the request and everything else is allowed. Because all
// policies in one RBAC message share the single `action`, the outcome does not depend on the order in
// which policies are examined.
//
// Here is an example of RBAC configuration. It has two policies:
// * Service account "cluster.local/ns/default/sa/admin" has full access (empty permission entry means full access)
// to the service.
// * Any user (empty principal entry means any user) can read ("GET") the service at paths with prefix "/products" or
// suffix "/reviews" when request header "version" set to either "v1" or "v2".
//
// action: ALLOW
// policies:
// "service-admin":
// permissions:
// -
// principals:
// authenticated:
// name: "cluster.local/ns/default/sa/admin"
// "product-viewer":
// permissions:
// - paths: [prefix: "/products", suffix: "/reviews"]
// methods: ["GET"]
// conditions:
// - header:
// key: "version"
// values: [simple: "v1", simple: "v2"]
// principals:
// -
//
// Top-level RBAC configuration: one `action` plus the named policies it applies to.
// Every policy in `policies` shares this single `action`.
message RBAC {
  // Whether the policies form an allow-list (white-list) or a deny-list (black-list).
  //
  // The outcome for a request that matches NO policy is decided entirely by this
  // field: with ALLOW an empty `policies` map denies every request, with DENY an
  // empty map allows every request. Check this before shipping a config with no
  // policies.
  enum Action {
    // The policies grant access to principals. The rest is denied. This is white-list style
    // access control. This is the default type: it is the proto3 zero value, so an
    // unset `action` means ALLOW.
    ALLOW = 0;
    // The policies deny access to principals. The rest is allowed. This is black-list style
    // access control.
    DENY = 1;
  }
  Action action = 1;
  // Maps from policy name to policy. Nothing in this file gives the name any meaning
  // beyond being the map key. Because every policy shares `action`, the decision does
  // not depend on which matching policy is found first, so the undefined iteration
  // order of a map does not affect authorization results.
  map<string, Policy> policies = 2;
}
// Policy specifies a role and the principals that are assigned/denied the role.
// Both lists must be non-empty (validated below), but per the file-level example an
// empty Permission message grants full access and an empty Principal message matches
// any user, so a list holding one empty entry is still legal and acts as a wildcard.
message Policy {
  // Required. The set of permissions that define a role. Validation rejects an empty
  // list (min_items = 1).
  // NOTE(review): whether a request must match ANY or ALL of the entries is not
  // stated in this file; the file-level text ("allowed once a matching policy is
  // found") suggests any-of — confirm against the filter implementation.
  repeated Permission permissions = 1 [(validate.rules).repeated .min_items = 1];
  // Required. List of principals that are assigned/denied the role based on "action".
  // Validation rejects an empty list (min_items = 1).
  repeated Principal principals = 2 [(validate.rules).repeated .min_items = 1];
}
// Specifies how to match an entry in a map (used below for request headers).
message MapEntryMatch {
  // The key to select an entry from the map (for headers, the header name).
  // NOTE(review): this file does not say whether the key is compared
  // case-insensitively, which matters for HTTP header names — confirm.
  string key = 1;
  // A list of matched values. The file-level example ("version" set to either "v1"
  // or "v2") shows that the selected entry matches when it satisfies any one of
  // these StringMatch rules.
  // NOTE(review): the meaning of an empty `values` list (match any value of the key,
  // or match nothing) is not defined here — confirm before relying on it.
  repeated envoy.type.StringMatch values = 2;
}
// Specifies how to match IP addresses.
message IpMatch {
  // IP addresses in CIDR notation. Presumably an address inside any listed range
  // matches, as with the other list matchers in this file.
  // NOTE(review): an empty list has no defined meaning here — confirm whether it
  // matches nothing or everything before using it as a wildcard.
  repeated envoy.api.v2.core.CidrRange cidrs = 1;
}
// Specifies how to match ports.
message PortMatch {
  // Port numbers. No validation rule bounds these values, so the schema accepts
  // numbers above 65535 (which presumably can never match a real destination port);
  // consider adding a validate.rules upper bound on the items if that is undesirable.
  // NOTE(review): the meaning of an empty list is not defined here — confirm.
  repeated uint32 ports = 1;
}
// Permission defines a permission to access the service. Every field is optional;
// a Permission with nothing set matches every request (the file-level example relies
// on this: "empty permission entry means full access").
message Permission {
  // Optional. A list of HTTP paths or gRPC methods.
  // gRPC methods must be presented as fully-qualified name in the form of
  // packageName.serviceName/methodName.
  // If this field is unset, it applies to any path.
  repeated envoy.type.StringMatch paths = 1;
  // Optional. A list of HTTP methods (e.g., "GET", "POST").
  // If this field is unset, it applies to any method.
  // (An earlier comment said "Required", which contradicted the sentence above, the
  // absence of a min_items rule on this field, and the empty-permission example in
  // the file-level comment; "Optional" is what this schema actually expresses.)
  repeated string methods = 2;
  // Definition of a custom condition.
  message Condition {
    oneof condition_spec {
      // Header match. This matches to the "request.http.headers" field in
      // ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`.
      // The map key is the header name. The header specifies how the service is
      // accessed (the example uses an API "version" header), not who is calling;
      // caller identity belongs in Principal.
      // NOTE(review): header values are client-supplied unless a trusted hop sets or
      // strips them, so do not encode trust decisions in a condition.
      MapEntryMatch header = 1;
      // Destination IP addresses.
      IpMatch destination_ips = 2;
      // Destination ports.
      PortMatch destination_ports = 3;
    }
  }
  // Optional. Custom conditions.
  // NOTE(review): whether a request must satisfy ALL listed conditions or ANY is not
  // stated in this file (the example uses a single condition) — confirm.
  repeated Condition conditions = 3;
}
// Principal defines an identity or a group of identities. A Principal with nothing
// set matches any user (the file-level example: "empty principal entry means any user").
message Principal {
  // Authentication attributes for principal. These could be filled out inside RBAC filter.
  // Or if an authentication filter is used, they can be provided by the authentication filter.
  message Authenticated {
    // Optional. The name of the principal. This matches to the "source.principal" field in
    // ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`.
    // If unset, it applies to any user. Proto3 strings have no presence, so an
    // explicitly empty name is indistinguishable from an unset one and likewise
    // matches any user; a config generator must not emit `name: ""` expecting it to
    // match only unnamed principals.
    string name = 1;
  }
  // Optional. Authenticated attributes that identify the principal.
  Authenticated authenticated = 1;
  // Definition of a custom attribute to identify the principal.
  message Attribute {
    oneof attribute_spec {
      // Source service name. This matches to the "source.service" field in
      // ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`.
      // NOTE(review): how "source.service" is populated is not shown here — confirm
      // it is derived from something the client cannot choose.
      string service = 1;
      // Source IP addresses.
      // NOTE(review): presumably this is the peer address as seen by this proxy; behind
      // another proxy or load balancer that is the intermediate hop's address, so
      // confirm how "source" is populated before using it as identity.
      IpMatch source_ips = 2;
      // Header match. This matches to the "request.http.headers" field in
      // ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`.
      // The map "key" is the header name. The header identifies the client.
      // NOTE(review): a request header is client-controlled unless a trusted upstream
      // hop is known to overwrite or strip it, so a header-based principal is only as
      // trustworthy as that hop; prefer `authenticated`, which an authentication
      // filter can populate (see above), where it is available.
      MapEntryMatch header = 3;
    }
  }
  // Optional. Custom attributes that identify the principal.
  // NOTE(review): the combination rule among `attributes`, and between them and
  // `authenticated` (all must match, or any), is not defined in this file — confirm.
  repeated Attribute attributes = 2;
}