diff --git a/bazel/api_build_system.bzl b/bazel/api_build_system.bzl
index 9eb8e434..d9a3e2d9 100644
--- a/bazel/api_build_system.bzl
+++ b/bazel/api_build_system.bzl
@@ -23,13 +23,13 @@ def _LibrarySuffix(library_name, suffix):
 # TODO(htuch): Convert this to native py_proto_library once
 # https://github.com/bazelbuild/bazel/issues/3935 and/or
 # https://github.com/bazelbuild/bazel/issues/2626 are resolved.
-def api_py_proto_library(name, srcs = [], deps = [], has_services = 0):
+def api_py_proto_library(name, srcs = [], deps = [], external_py_proto_deps = [], has_services = 0):
     _py_proto_library(
         name = _Suffix(name, _PY_SUFFIX),
         srcs = srcs,
         default_runtime = "@com_google_protobuf//:protobuf_python",
         protoc = "@com_google_protobuf//:protoc",
-        deps = [_LibrarySuffix(d, _PY_SUFFIX) for d in deps] + [
+        deps = [_LibrarySuffix(d, _PY_SUFFIX) for d in deps] + external_py_proto_deps + [
             "@com_envoyproxy_protoc_gen_validate//validate:validate_py",
             "@com_google_googleapis//google/rpc:status_py_proto",
             "@com_google_googleapis//google/api:annotations_py_proto",
@@ -116,6 +116,7 @@ def api_proto_library(
         deps = [],
         external_proto_deps = [],
         external_cc_proto_deps = [],
+        external_py_proto_deps = [],
         has_services = 0,
         linkstatic = None,
         require_py = 1):
@@ -152,7 +153,7 @@ def api_proto_library(
     )
     py_export_suffixes = []
     if (require_py == 1):
-        api_py_proto_library(name, srcs, deps, has_services)
+        api_py_proto_library(name, srcs, deps, external_py_proto_deps, has_services)
         py_export_suffixes = ["_py", "_py_genproto"]
 
     # Allow unlimited visibility for consumers
diff --git a/envoy/config/rbac/v2/BUILD b/envoy/config/rbac/v2/BUILD
index c2059893..fac50eb6 100644
--- a/envoy/config/rbac/v2/BUILD
+++ b/envoy/config/rbac/v2/BUILD
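Review bot: Inserting `external_py_proto_deps` ahead of `has_services` in the `api_py_proto_library` signature changes the meaning of the fourth positional argument, so any caller outside this file that passed `has_services` positionally now hands it to the dependency list instead — an integer there fails the list concatenation in `deps` with an unrelated type error, and a list passed that way silently lands in the wrong parameter. The in-file call site in the third hunk is updated, but the macro is an exported symbol of this .bzl file and other callers cannot be checked from here. Appending the new parameter after `has_services`, or at least making the updated call keyword-based, `api_py_proto_library(name, srcs, deps, external_py_proto_deps = external_py_proto_deps, has_services = has_services)`, removes the positional ambiguity.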
@@ -5,6 +5,15 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_go_proto_library", "api_prot
 api_proto_library_internal(
     name = "rbac",
     srcs = ["rbac.proto"],
+    external_cc_proto_deps = [
+        "@com_google_googleapis//google/api/expr/v1alpha1:syntax_cc_proto",
+    ],
+    external_proto_deps = [
+        "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto",
+    ],
+    external_py_proto_deps = [
+        "@com_google_googleapis//google/api/expr/v1alpha1:syntax_py_proto",
+    ],
     visibility = ["//visibility:public"],
     deps = [
         "//envoy/api/v2/core:address",
@@ -22,5 +31,6 @@ api_go_proto_library(
         "//envoy/api/v2/route:route_go_proto",
         "//envoy/type/matcher:metadata_go_proto",
         "//envoy/type/matcher:string_go_proto",
+        "@com_google_googleapis//google/api/expr/v1alpha1:cel_go_proto",
     ],
 )
diff --git a/envoy/config/rbac/v2/rbac.proto b/envoy/config/rbac/v2/rbac.proto
index 77e1aa68..15554e56 100644
--- a/envoy/config/rbac/v2/rbac.proto
+++ b/envoy/config/rbac/v2/rbac.proto
@@ -7,6 +7,8 @@ import "envoy/api/v2/route/route.proto";
 import "envoy/type/matcher/metadata.proto";
 import "envoy/type/matcher/string.proto";
 
+import "google/api/expr/v1alpha1/syntax.proto";
+
 package envoy.config.rbac.v2;
 
 option java_outer_classname = "RbacProto";
@@ -81,7 +83,7 @@ message RBAC {
 
 // Policy specifies a role and the principals that are assigned/denied the role. A policy matches if
 // and only if at least one of its permissions match the action taking place AND at least one of its
-// principals match the downstream.
+// principals match the downstream AND the condition is true if specified.
 message Policy {
   // Required. The set of permissions that define a role. Each permission is matched with OR
   // semantics. To match all actions for this policy, a single Permission with the `any` field set
@@ -92,6 +94,10 @@ message Policy {
   // principal is matched with OR semantics. To match all downstreams for this policy, a single
   // Principal with the `any` field set to true should be used.
   repeated Principal principals = 2 [(validate.rules).repeated .min_items = 1];
+
+  // An optional symbolic expression specifying an access control condition.
+  // The condition is combined with AND semantics.
+  google.api.expr.v1alpha1.Expr condition = 3;
 }
 
 // Permission defines an action (or actions) that a principal can take.
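Review bot: The doc comment on the new `condition` field does not say what happens when the expression does not produce a boolean or fails to evaluate, and for an authorization policy that is the security-relevant contract: an ALLOW policy whose condition errors must not match, or an evaluation failure becomes an access grant. The field is a raw `google.api.expr.v1alpha1.Expr` AST rather than a checked expression, so there is no type information in the config to rule out non-boolean results up front; the evaluation semantics live in the filter implementation, which is not part of this diff, so the proto comment is where callers will look. I would replace the two added comment lines with `// An optional symbolic expression specifying an access control condition. It is ANDed with the`, `// permission and principal matches and must evaluate to a boolean; a non-boolean result or an`, `// evaluation error is treated as the policy not matching.`, assuming the implementation is in fact fail-closed — that should be confirmed against the filter.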