Enable metadata for Network::RBAC (#5106)

Signed-off-by: Shriram Rajagopalan <shriramr@vmware.com>

Mirrored from https://github.com/envoyproxy/envoy @ 87d1c78ac483f34e87713628beeccb58b4cfd480
pull/620/head
data-plane-api(CircleCI) 6 years ago
parent 99eee5d7ce
commit 1c39756dde
  1. 20
      envoy/config/filter/network/rbac/v2/rbac.proto
  2. 6
      envoy/config/rbac/v2alpha/rbac.proto

@ -13,7 +13,7 @@ import "gogoproto/gogo.proto";
// RBAC network filter config. // RBAC network filter config.
// //
// Header and Metadata should not be used in rules/shadow_rules in RBAC network filter as // Header should not be used in rules/shadow_rules in RBAC network filter as
// this information is only available in :ref:`RBAC http filter <config_http_filters_rbac>`. // this information is only available in :ref:`RBAC http filter <config_http_filters_rbac>`.
message RBAC { message RBAC {
// Specify the RBAC rules to be applied globally. // Specify the RBAC rules to be applied globally.
@ -27,4 +27,22 @@ message RBAC {
// The prefix to use when emitting statistics. // The prefix to use when emitting statistics.
string stat_prefix = 3 [(validate.rules).string.min_bytes = 1]; string stat_prefix = 3 [(validate.rules).string.min_bytes = 1];
enum EnforcementType {
// Apply RBAC policies when the first byte of data arrives on the connection.
ONE_TIME_ON_FIRST_BYTE = 0;
// Continuously apply RBAC policies as data arrives. Use this mode when
// using RBAC with message oriented protocols such as Mongo, MySQL, Kafka,
// etc. when the protocol decoders emit dynamic metadata such as the
// resources being accessed and the operations on the resources.
CONTINUOUS = 1;
};
// RBAC enforcement strategy. By default RBAC will be enforced only once
// when the first byte of data arrives from the downstream. When used in
// conjunction with filters that emit dynamic metadata after decoding
// every payload (e.g., Mongo, MySQL, Kafka) set the enforcement type to
// CONTINUOUS to enforce RBAC policies on every message boundary.
EnforcementType enforcement_type = 4;
} }
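Review bot: With the default `ONE_TIME_ON_FIRST_BYTE` the policy is evaluated once against whatever dynamic metadata exists when the first byte arrives, so a rule keyed on metadata that a protocol decoder emits later (the Mongo/MySQL/Kafka case the comment itself describes) will never match in that mode, and if the policy action is DENY that presumably fails open for the rest of the connection; nothing in the `enforcement_type` comment warns about this. I would append to the field comment: `// NOTE: metadata-based rules only see the dynamic metadata present at evaluation time. With ONE_TIME_ON_FIRST_BYTE, metadata emitted by decoders after the first byte is never consulted, so a DENY policy keyed on it is not enforced for the remainder of the connection.` The message-level comment now states the restriction for Header only, so the same caveat about when metadata is valid for the network filter belongs there too. The `rules`/`shadow_rules` fields of `RBAC` are outside the hunk.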

@ -118,8 +118,7 @@ message Permission {
// A port number that describes the destination port connecting to. // A port number that describes the destination port connecting to.
uint32 destination_port = 6 [(validate.rules).uint32.lte = 65535]; uint32 destination_port = 6 [(validate.rules).uint32.lte = 65535];
// Metadata that describes additional information about the action. Only available for HTTP // Metadata that describes additional information about the action.
// request.
envoy.type.matcher.MetadataMatcher metadata = 7; envoy.type.matcher.MetadataMatcher metadata = 7;
// Negates matching the provided permission. For instance, if the value of `not_rule` would // Negates matching the provided permission. For instance, if the value of `not_rule` would
@ -191,8 +190,7 @@ message Principal {
// available for HTTP request. // available for HTTP request.
envoy.api.v2.route.HeaderMatcher header = 6; envoy.api.v2.route.HeaderMatcher header = 6;
// Metadata that describes additional information about the principal. Only available for HTTP // Metadata that describes additional information about the principal.
// request.
envoy.type.matcher.MetadataMatcher metadata = 7; envoy.type.matcher.MetadataMatcher metadata = 7;
// Negates matching the provided principal. For instance, if the value of `not_id` would match, // Negates matching the provided principal. For instance, if the value of `not_id` would match,
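Review bot: Dropping "Only available for HTTP request" from the `metadata` comments in `Permission` and `Principal` leaves them with no statement of where the metadata comes from or when it is valid in the network filter, while the sibling `header` field in the same section still documents its HTTP-only restriction. Since the matcher presumably runs against the dynamic metadata present at the moment RBAC evaluates, which for the network filter depends on its enforcement type, I would write: `// Metadata that describes additional information about the action. Matched against the dynamic metadata available when the policy is evaluated; in the network filter, metadata emitted by protocol decoders after the first byte is only visible with continuous enforcement.` and the equivalent wording for the principal. The enclosing `Permission` and `Principal` messages both start and end outside the hunk.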
