diff --git a/bazel/external_proto_deps.bzl b/bazel/external_proto_deps.bzl
index 6b11495d..916f0e1f 100644
--- a/bazel/external_proto_deps.bzl
+++ b/bazel/external_proto_deps.bzl
@@ -19,8 +19,17 @@ EXTERNAL_PROTO_IMPORT_BAZEL_DEP_MAP = {
 # This maps from the Bazel proto_library target to the Go language binding target for external dependencies.
 EXTERNAL_PROTO_GO_BAZEL_DEP_MAP = {
- "@com_google_googleapis//google/api/expr/v1alpha1:checked_proto": "@com_google_googleapis//google/api/expr/v1alpha1:expr_go_proto",
- "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto": "@com_google_googleapis//google/api/expr/v1alpha1:expr_go_proto",
+ # Note @com_google_googleapis are point to @go_googleapis.
+ #
+ # It is aligned to xDS dependency to suppress the conflicting package heights error between
+ # @com_github_cncf_udpa//xds/type/matcher/v3:pkg_go_proto
+ # @envoy_api//envoy/config/rbac/v3:pkg_go_proto
+ #
+ # TODO(https://github.com/bazelbuild/rules_go/issues/1986): update to
+ # @com_google_googleapis when the bug is resolved. Also see the note to
+ # go_googleapis in https://github.com/bazelbuild/rules_go/blob/master/go/dependencies.rst#overriding-dependencies
+ "@com_google_googleapis//google/api/expr/v1alpha1:checked_proto": "@go_googleapis//google/api/expr/v1alpha1:expr_go_proto",
+ "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto": "@go_googleapis//google/api/expr/v1alpha1:expr_go_proto",
 "@opencensus_proto//opencensus/proto/trace/v1:trace_proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_proto_go",
 "@opencensus_proto//opencensus/proto/trace/v1:trace_config_proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_and_config_proto_go",
 "@opentelemetry_proto//:logs": "@opentelemetry_proto//:logs_go_proto",
diff --git a/envoy/config/rbac/v3/rbac.proto b/envoy/config/rbac/v3/rbac.proto
index 8abde899..630ef418 100644
--- a/envoy/config/rbac/v3/rbac.proto
+++ b/envoy/config/rbac/v3/rbac.proto
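Review bot: The two rewritten map entries resolve the Go bindings from `@go_googleapis` while their keys stay on `@com_google_googleapis`, so the proto_library and the Go code generated for it now come from two separately pinned repositories; unless both are pinned to the same googleapis revision (not visible in this hunk), the generated Go types can disagree with the .proto they are compiled against. The comment block should say where that pinning is enforced, or which revision both repositories must track, so the TODO can be closed safely. The first comment line also misreads; suggest `# Note: the @com_google_googleapis targets below are mapped to their @go_googleapis Go bindings.`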
@@ -310,3 +310,29 @@ message Principal {
 Principal not_id = 8;
 }
 }
+
+// Action defines the result of allowance or denial when a request matches the matcher.
+message Action {
+ // The name indicates the policy name.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The action to take if the matcher matches. Every action either allows or denies a request,
+ // and can also carry out action-specific operations.
+ //
+ // Actions:
+ //
+ // * ALLOW: If the request gets matched on ALLOW, it is permitted.
+ // * DENY: If the request gets matched on DENY, it is not permitted.
+ // * LOG: If the request gets matched on LOG, it is permitted. Besides, the
+ // dynamic metadata key `access_log_hint` under the shared key namespace
+ // 'envoy.common' will be set to the value `true`.
+ // * If the request cannot get matched, it will fallback to DENY.
+ //
+ // Log behavior:
+ //
+ // If the RBAC matcher contains at least one LOG action, the dynamic
+ // metadata key `access_log_hint` will be set based on if the request
+ // get matched on the LOG action.
+ //
+ RBAC.Action action = 2;
+}
diff --git a/envoy/extensions/filters/http/rbac/v3/BUILD b/envoy/extensions/filters/http/rbac/v3/BUILD
index fd183569..49cb2cca 100644
--- a/envoy/extensions/filters/http/rbac/v3/BUILD
+++ b/envoy/extensions/filters/http/rbac/v3/BUILD
@@ -8,5 +8,7 @@ api_proto_package(
 deps = [
 "//envoy/config/rbac/v3:pkg",
 "@com_github_cncf_udpa//udpa/annotations:pkg",
+ "@com_github_cncf_udpa//xds/annotations/v3:pkg",
+ "@com_github_cncf_udpa//xds/type/matcher/v3:pkg",
 ],
 )
diff --git a/envoy/extensions/filters/http/rbac/v3/rbac.proto b/envoy/extensions/filters/http/rbac/v3/rbac.proto
index 00881845..eeb505a1 100644
--- a/envoy/extensions/filters/http/rbac/v3/rbac.proto
+++ b/envoy/extensions/filters/http/rbac/v3/rbac.proto
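Review bot: `action` on the new `Action` message is a proto3 enum with implicit presence, so a matcher leaf that sets only `name` carries `RBAC.Action`'s zero value; that enum is not in this hunk, but if its zero value is ALLOW (as the existing Envoy RBAC enum is defined, confirm) an omitted `action` is a silent allow rather than the documented fallback to DENY. Suggest saying so on the field, `// Required. An omitted action takes RBAC.Action's zero value; always set it explicitly.`, and adding `[(validate.rules).enum = {defined_only: true}]` so unknown values are rejected, noting that this still does not enforce presence. The `name` comment only restates the field name; it should say what the name is used for and spell out the `min_len: 1` constraint in words. The message comment's `Log behavior` paragraph also ends with a dangling `//` line before the field, which reads as unfinished.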
@@ -4,6 +4,10 @@ package envoy.extensions.filters.http.rbac.v3;
 import "envoy/config/rbac/v3/rbac.proto";
+import "xds/annotations/v3/status.proto";
+import "xds/type/matcher/v3/matcher.proto";
+
+import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
@@ -18,6 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.filters.http.rbac]
 // RBAC filter config.
+// [#next-free-field: 6]
 message RBAC {
 option (udpa.annotations.versioning).previous_message_type =
 "envoy.config.filter.http.rbac.v2.RBAC";
@@ -25,12 +30,33 @@ message RBAC {
 // Specify the RBAC rules to be applied globally.
 // If absent, no enforcing RBAC policy will be applied.
 // If present and empty, DENY.
- config.rbac.v3.RBAC rules = 1;
+ // If both rules and matcher are configured, rules will be ignored.
+ config.rbac.v3.RBAC rules = 1
+ [(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];
+
+ // The match tree to use when resolving RBAC action for incoming requests. Requests do not
+ match any matcher will be denied.
+ // If absent, no enforcing RBAC matcher will be applied.
+ // If present and empty, deny all requests.
+ xds.type.matcher.v3.Matcher matcher = 4 [
+ (udpa.annotations.field_migrate).oneof_promotion = "rules_specifier",
+ (xds.annotations.v3.field_status).work_in_progress = true
+ ];
 // Shadow rules are not enforced by the filter (i.e., returning a 403)
 // but will emit stats and logs and can be used for rule testing.
 // If absent, no shadow RBAC policy will be applied.
- config.rbac.v3.RBAC shadow_rules = 2;
+ // If both shadow rules and shadow matcher are configured, shadow rules will be ignored.
+ config.rbac.v3.RBAC shadow_rules = 2
+ [(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier"];
+
+ // The match tree to use for emitting stats and logs which can be used for rule testing for
+ // incoming requests.
+ // If absent, no shadow matcher will be applied.
+ xds.type.matcher.v3.Matcher shadow_matcher = 5 [
+ (udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier",
+ (xds.annotations.v3.field_status).work_in_progress = true
+ ];
 // If specified, shadow rules will emit stats with the given prefix.
 // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
diff --git a/envoy/extensions/filters/network/rbac/v3/BUILD b/envoy/extensions/filters/network/rbac/v3/BUILD
index fd183569..49cb2cca 100644
--- a/envoy/extensions/filters/network/rbac/v3/BUILD
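Review bot: The new `matcher` field's comment never says that setting it makes `rules` ignored; that precedence is recorded only on `rules`, so an operator reading the new field has no hint that adding a (work-in-progress) matcher silently disables an existing enforced policy, and nothing in the schema rejects a config that sets both, since `oneof_promotion` is a migration marker rather than a validation. Suggest adding to the `matcher` comment `// Takes precedence over rules; when both are set, rules is ignored.` and, for as long as the two fields can coexist, having the filter treat the both-set case as a configuration error instead of a silent override. The same comment's second sentence reads `Requests do not match any matcher will be denied.`; suggest `// Requests that do not match any matcher are denied.` Unlike `matcher`, the `shadow_matcher` comment does not say what a present-but-empty matcher does; add the equivalent line. The identical wording and the same gaps appear in the network filter hunk (`@@ -41,12 +45,33 @@`), which should be fixed together with this one.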
+++ b/envoy/extensions/filters/network/rbac/v3/BUILD
@@ -8,5 +8,7 @@ api_proto_package(
 deps = [
 "//envoy/config/rbac/v3:pkg",
 "@com_github_cncf_udpa//udpa/annotations:pkg",
+ "@com_github_cncf_udpa//xds/annotations/v3:pkg",
+ "@com_github_cncf_udpa//xds/type/matcher/v3:pkg",
 ],
 )
diff --git a/envoy/extensions/filters/network/rbac/v3/rbac.proto b/envoy/extensions/filters/network/rbac/v3/rbac.proto
index 44141f16..823e1827 100644
--- a/envoy/extensions/filters/network/rbac/v3/rbac.proto
+++ b/envoy/extensions/filters/network/rbac/v3/rbac.proto
@@ -4,6 +4,10 @@ package envoy.extensions.filters.network.rbac.v3;
 import "envoy/config/rbac/v3/rbac.proto";
+import "xds/annotations/v3/status.proto";
+import "xds/type/matcher/v3/matcher.proto";
+
+import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -22,7 +26,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //
 // Header should not be used in rules/shadow_rules in RBAC network filter as
 // this information is only available in :ref:`RBAC http filter `.
-// [#next-free-field: 6]
+// [#next-free-field: 8]
 message RBAC {
 option (udpa.annotations.versioning).previous_message_type =
 "envoy.config.filter.network.rbac.v2.RBAC";
@@ -41,12 +45,33 @@ message RBAC {
 // Specify the RBAC rules to be applied globally.
 // If absent, no enforcing RBAC policy will be applied.
 // If present and empty, DENY.
- config.rbac.v3.RBAC rules = 1;
+ // If both rules and matcher are configured, rules will be ignored.
+ config.rbac.v3.RBAC rules = 1
+ [(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];
+
+ // The match tree to use when resolving RBAC action for incoming connections. Connections do
+ // not match any matcher will be denied.
+ // If absent, no enforcing RBAC matcher will be applied.
+ // If present and empty, deny all connections.
+ xds.type.matcher.v3.Matcher matcher = 6 [
+ (udpa.annotations.field_migrate).oneof_promotion = "rules_specifier",
+ (xds.annotations.v3.field_status).work_in_progress = true
+ ];
 // Shadow rules are not enforced by the filter but will emit stats and logs
 // and can be used for rule testing.
 // If absent, no shadow RBAC policy will be applied.
- config.rbac.v3.RBAC shadow_rules = 2;
+ // If both shadow rules and shadow matcher are configured, shadow rules will be ignored.
+ config.rbac.v3.RBAC shadow_rules = 2
+ [(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier"];
+
+ // The match tree to use for emitting stats and logs which can be used for rule testing for
+ // incoming connections.
+ // If absent, no shadow matcher will be applied.
+ xds.type.matcher.v3.Matcher shadow_matcher = 7 [
+ (udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier",
+ (xds.annotations.v3.field_status).work_in_progress = true
+ ];
 // If specified, shadow rules will emit stats with the given prefix.
 // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with