rbac: add support for SNI based permissions (#4662)

This commit adds support for SNI based permissions by matching over a
connection's requested server name.

Signed-off-by: Venil Noronha <veniln@vmware.com>

Mirrored from https://github.com/envoyproxy/envoy @ 811ee0dc52951acf2f66190587f92394473c245c
pull/620/head
data-plane-api(CircleCI) 6 years ago
parent cd0ef756db
commit 4406edd4e2
envoy/config/rbac/v2alpha/rbac.proto | 21

@ -126,6 +126,27 @@ message Permission {
// match, this permission would not match. Conversely, if the value of `not_rule` would not // match, this permission would not match. Conversely, if the value of `not_rule` would not
// match, this permission would match. // match, this permission would match.
Permission not_rule = 8; Permission not_rule = 8;
// The request server from the client's connection request. This is
// typically TLS SNI.
//
// .. attention::
//
// The behavior of this field may be affected by how Envoy is configured
// as explained below.
//
// * If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>`
// filter is not added, and if a `FilterChainMatch` is not defined for
// the :ref:`server name <envoy_api_field_Listener.FilterChainMatch.server_names>`,
// a TLS connection's requested SNI server name will be treated as if it
// wasn't present.
//
// * A :ref:`listener filter <arch_overview_listener_filters>` may
// overwrite a connection's requested server name within Envoy.
//
// Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn to
// setup SNI.
envoy.type.matcher.StringMatcher requested_server_name = 9;
} }
} }
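
Review bot: In the comment on `requested_server_name`, the first bullet says the SNI is "treated as if it wasn't present" when neither the TLS Inspector nor a `server_names` filter chain match is configured, but it never says what the `StringMatcher` is evaluated against in that case. Please state whether the permission then sees an empty string or simply does not match, because that decides how a policy behaves when this field is wrapped in `not_rule` or matched by prefix or regex. Since the second bullet notes a listener filter may overwrite the value, it would also help to say that the match uses the value as it stands after listener filters have run. Two wording fixes in the same comment: "The request server from the client's connection request" reads better as "The requested server name of the client's connection", and "to setup SNI" should be "to set up SNI".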
