Protos for RBAC support. (#3133)
Added protos to support Role Based Access Control in Envoy. Also removed existing auth.proto because the new RBAC proto is a replacement of it. Ealier discussions at envoyproxy/data-plane-api#586. Signed-off-by: Limin Wang <liminwang@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 13de384ab34428af99c53201f6b3c95991b7ae10pull/620/head
data-plane-api(CircleCI)
7 years ago
parent
a9305063ca
commit
15264bf911
10 changed files with 219 additions and 81 deletions
@ -1,53 +0,0 @@ |
||||
syntax = "proto3"; |
||||
|
||||
// [#proto-status: draft] |
||||
|
||||
package envoy.api.v2.auth; |
||||
option go_package = "auth"; |
||||
|
||||
import "envoy/api/v2/auth/cert.proto"; |
||||
|
||||
import "gogoproto/gogo.proto"; |
||||
|
||||
option (gogoproto.equal_all) = true; |
||||
|
||||
message AuthAction { |
||||
// Should we do white-list or black-list style access control. |
||||
enum ActionType { |
||||
// Request matches all rules are allowed, otherwise denied. |
||||
ALLOW = 0; |
||||
// Request matches all rules or missing required auth fields are denied, |
||||
// otherwise allowed. |
||||
DENY = 1; |
||||
} |
||||
|
||||
ActionType action_type = 1; |
||||
|
||||
// Logic AND that requires all rules match. |
||||
message AndRule { |
||||
repeated Rule rules = 1; |
||||
} |
||||
|
||||
// Logic OR that requires at least one rule matches. |
||||
message OrRule { |
||||
repeated Rule rules = 1; |
||||
} |
||||
|
||||
// Check peer identity using X.509 certificate. |
||||
message X509Rule { |
||||
// How to validate peer certificates. |
||||
CertificateValidationContext validation_context = 3; |
||||
} |
||||
|
||||
// Element type of AndRule/OrRule, it chooses among different type of rule. |
||||
message Rule { |
||||
oneof rule_specifier { |
||||
AndRule and_rule = 1; |
||||
OrRule or_rule = 2; |
||||
X509Rule x509_rule = 3; |
||||
} |
||||
} |
||||
|
||||
// List of rules |
||||
repeated Rule rules = 2; |
||||
} |
||||
@ -0,0 +1,21 @@ |
||||
licenses(["notice"]) # Apache 2 |
||||
|
||||
load("//bazel:api_build_system.bzl", "api_proto_library", "api_go_proto_library") |
||||
|
||||
api_proto_library( |
||||
name = "rbac", |
||||
srcs = ["rbac.proto"], |
||||
deps = [ |
||||
"//envoy/api/v2/core:address", |
||||
"//envoy/type:string_match", |
||||
], |
||||
) |
||||
|
||||
api_go_proto_library( |
||||
name = "rbac", |
||||
proto = ":rbac", |
||||
deps = [ |
||||
"//envoy/api/v2/core:address_go_proto", |
||||
"//envoy/type:string_match_go_proto", |
||||
], |
||||
) |
||||
@ -0,0 +1,154 @@ |
||||
syntax = "proto3"; |
||||
|
||||
import "validate/validate.proto"; |
||||
import "envoy/api/v2/core/address.proto"; |
||||
import "envoy/type/string_match.proto"; |
||||
|
||||
package envoy.config.rbac.v2alpha; |
||||
|
||||
// Role Based Access Control (RBAC) provides service-level and method-level access control for a service. |
||||
// The RBAC engine authorizes a request by evaluating the request context (expressed in the form of |
||||
// :ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`) against the RBAC policies. |
||||
// |
||||
// RBAC policies are additive. The policies are examined in order. A request is allowed once a matching policy |
||||
// is found (suppose the `action` is ALLOW). |
||||
// |
||||
// Here is an example of RBAC configuration. It has two policies: |
||||
// * Service account "cluster.local/ns/default/sa/admin" has full access (empty permission entry means full access) |
||||
// to the service. |
||||
// * Any user (empty principal entry means any user) can read ("GET") the service at paths with prefix "/products" or |
||||
// suffix "/reviews" when request header "version" set to either "v1" or "v2". |
||||
// |
||||
// action: ALLOW |
||||
// policies: |
||||
// "service-admin": |
||||
// permissions: |
||||
// - |
||||
// principals: |
||||
// authenticated: |
||||
// name: "cluster.local/ns/default/sa/admin" |
||||
// "product-viewer": |
||||
// permissions: |
||||
// - paths: [prefix: "/products", suffix: "/reviews"] |
||||
// methods: ["GET"] |
||||
// conditions: |
||||
// - header: |
||||
// key: "version" |
||||
// values: [simple: "v1", simple: "v2"] |
||||
// principals: |
||||
// - |
||||
// |
||||
message RBAC { |
||||
// Should we do white-list or black-list style access control. |
||||
enum Action { |
||||
// The policies grant access to principals. The rest is denied. This is white-list style |
||||
// access control. This is the default type. |
||||
ALLOW = 0; |
||||
|
||||
// The policies deny access to principals. The rest is allowed. This is black-list style |
||||
// access control. |
||||
DENY = 1; |
||||
} |
||||
|
||||
Action action = 1; |
||||
|
||||
// Maps from policy name to policy. |
||||
map<string, Policy> policies = 2; |
||||
} |
||||
|
||||
// Policy specifies a role and the principals that are assigned/denied the role. |
||||
message Policy { |
||||
// Required. The set of permissions that define a role. |
||||
repeated Permission permissions = 1 [(validate.rules).repeated .min_items = 1]; |
||||
|
||||
// Required. List of principals that are assigned/denied the role based on “action”. |
||||
repeated Principal principals = 2 [(validate.rules).repeated .min_items = 1]; |
||||
} |
||||
|
||||
// Specifies how to match an entry in a map. |
||||
message MapEntryMatch { |
||||
// The key to select an entry from the map. |
||||
string key = 1; |
||||
|
||||
// A list of matched values. |
||||
repeated envoy.type.StringMatch values = 2; |
||||
} |
||||
|
||||
// Specifies how to match IP addresses. |
||||
message IpMatch { |
||||
// IP addresses in CIDR notation. |
||||
repeated envoy.api.v2.core.CidrRange cidrs = 1; |
||||
} |
||||
|
||||
// Specifies how to match ports. |
||||
message PortMatch { |
||||
// Port numbers. |
||||
repeated uint32 ports = 1; |
||||
} |
||||
|
||||
// Permission defines a permission to access the service. |
||||
message Permission { |
||||
// Optional. A list of HTTP paths or gRPC methods. |
||||
// gRPC methods must be presented as fully-qualified name in the form of |
||||
// packageName.serviceName/methodName. |
||||
// If this field is unset, it applies to any path. |
||||
repeated envoy.type.StringMatch paths = 1; |
||||
|
||||
// Required. A list of HTTP methods (e.g., "GET", "POST"). |
||||
// If this field is unset, it applies to any method. |
||||
repeated string methods = 2; |
||||
|
||||
// Definition of a custom condition. |
||||
message Condition { |
||||
oneof condition_spec { |
||||
// Header match. This matches to the "request.http.headers" field in |
||||
// ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`. |
||||
// The map key is the header name. The header specifies how the service is accessed. |
||||
MapEntryMatch header = 1; |
||||
|
||||
// Destination IP addresses. |
||||
IpMatch destination_ips = 2; |
||||
|
||||
// Destination ports. |
||||
PortMatch destination_ports = 3; |
||||
} |
||||
} |
||||
|
||||
// Optional. Custom conditions. |
||||
repeated Condition conditions = 3; |
||||
} |
||||
|
||||
// Principal defines an identity or a group of identities. |
||||
message Principal { |
||||
// Authentication attributes for principal. These could be filled out inside RBAC filter. |
||||
// Or if an authentication filter is used, they can be provided by the authentication filter. |
||||
message Authenticated { |
||||
// Optional. The name of the principal. This matches to the "source.principal" field in |
||||
// ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`. |
||||
// If unset, it applies to any user. |
||||
string name = 1; |
||||
} |
||||
|
||||
// Optional. Authenticated attributes that identify the principal. |
||||
Authenticated authenticated = 1; |
||||
|
||||
// Definition of a custom attribute to identify the principal. |
||||
message Attribute { |
||||
oneof attribute_spec { |
||||
// Source service name. This matches to the "source.service" field in |
||||
// ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`. |
||||
string service = 1; |
||||
|
||||
// Source IP addresses. |
||||
IpMatch source_ips = 2; |
||||
|
||||
// Header match. This matches to the "request.http.headers" field in |
||||
// ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`. |
||||
// The map "key" is the header name. The header identifies the client. |
||||
MapEntryMatch header = 3; |
||||
} |
||||
} |
||||
|
||||
// Optional. Custom attributes that identify the principal. |
||||
repeated Attribute attributes = 2; |
||||
} |
||||
@ -0,0 +1,31 @@ |
||||
syntax = "proto3"; |
||||
|
||||
package envoy.type; |
||||
option go_package = "envoy_type"; |
||||
|
||||
import "gogoproto/gogo.proto"; |
||||
|
||||
option (gogoproto.equal_all) = true; |
||||
|
||||
// [#protodoc-title: StringMatch] |
||||
|
||||
// Specifies the way to match a string. |
||||
message StringMatch { |
||||
oneof match_pattern { |
||||
// The input string must match exactly the string specified here. |
||||
// Or it is a "*", which means that it matches any string. |
||||
string simple = 1; |
||||
|
||||
// The input string must have the prefix specified here. |
||||
string prefix = 2; |
||||
|
||||
// The input string must have the suffix specified here. |
||||
string suffix = 3; |
||||
|
||||
// The input string must match the regular expression specified here. |
||||
// The regex grammar is defined `here |
||||
// <http://en.cppreference.com/w/cpp/regex/ecmascript>`_. |
||||
string regex = 4; |
||||
} |
||||
} |
||||
|
||||
Loading…
Reference in new issue