From 734944dcd58399a87fd514237264371b8cb6f45b Mon Sep 17 00:00:00 2001
From: "data-plane-api(Azure Pipelines)"
Date: Fri, 17 Jun 2022 00:38:27 +0000
Subject: [PATCH] rbac: add unified matcher for RBAC filters (#20877)
Signed-off-by: Xie Zhihao zhihao.xie@intel.com
Commit Message: rbac: add unified matcher for RBAC filters
Additional Description: The patch add the matching API support for both RBAC network filter and HTTP filter. Users can configure rules and shadow rules in either policies or the matching API manner. There are some incompatibilities, TODOs and behavior changes compared to the policies way. RBAC matchers are not compatible with the matching API. URL path and CEL are not supported in the matching API. These matchers may come as custom matcher. Metadata is not supported in the matching API. These matchers may come as inputs. Connections and requests with no matcher matched will always be denied.
Risk Level: Medium
Testing: Unit and integration
Docs Changes: API and configuration
Release Notes: WIP
Platform Specific Features: N/A
Fixes #20623
Mirrored from https://github.com/envoyproxy/envoy @ 42cb84456d53d053eb1ae94680d07a74f4545a48
---
bazel/external_proto_deps.bzl | 13 ++++++--
envoy/config/rbac/v3/rbac.proto | 26 ++++++++++++++++
envoy/extensions/filters/http/rbac/v3/BUILD | 2 ++
.../filters/http/rbac/v3/rbac.proto | 30 ++++++++++++++++--
.../extensions/filters/network/rbac/v3/BUILD | 2 ++
.../filters/network/rbac/v3/rbac.proto | 31 +++++++++++++++++--
6 files changed, 97 insertions(+), 7 deletions(-)
diff --git a/bazel/external_proto_deps.bzl b/bazel/external_proto_deps.bzl
index 6b11495d..916f0e1f 100644
--- a/bazel/external_proto_deps.bzl
+++ b/bazel/external_proto_deps.bzl
@@ -19,8 +19,17 @@ EXTERNAL_PROTO_IMPORT_BAZEL_DEP_MAP = {
 # This maps from the Bazel proto_library target to the Go language binding target for external dependencies.
 EXTERNAL_PROTO_GO_BAZEL_DEP_MAP = {
- "@com_google_googleapis//google/api/expr/v1alpha1:checked_proto": "@com_google_googleapis//google/api/expr/v1alpha1:expr_go_proto",
- "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto": "@com_google_googleapis//google/api/expr/v1alpha1:expr_go_proto",
+ # Note @com_google_googleapis are point to @go_googleapis.
+ #
+ # It is aligned to xDS dependency to suppress the conflicting package heights error between
+ # @com_github_cncf_udpa//xds/type/matcher/v3:pkg_go_proto
+ # @envoy_api//envoy/config/rbac/v3:pkg_go_proto
+ #
+ # TODO(https://github.com/bazelbuild/rules_go/issues/1986): update to
+ # @com_google_googleapis when the bug is resolved. Also see the note to
+ # go_googleapis in https://github.com/bazelbuild/rules_go/blob/master/go/dependencies.rst#overriding-dependencies
+ "@com_google_googleapis//google/api/expr/v1alpha1:checked_proto": "@go_googleapis//google/api/expr/v1alpha1:expr_go_proto",
+ "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto": "@go_googleapis//google/api/expr/v1alpha1:expr_go_proto",
 "@opencensus_proto//opencensus/proto/trace/v1:trace_proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_proto_go",
 "@opencensus_proto//opencensus/proto/trace/v1:trace_config_proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_and_config_proto_go",
 "@opentelemetry_proto//:logs": "@opentelemetry_proto//:logs_go_proto",
diff --git a/envoy/config/rbac/v3/rbac.proto b/envoy/config/rbac/v3/rbac.proto
index 8abde899..630ef418 100644
--- a/envoy/config/rbac/v3/rbac.proto
+++ b/envoy/config/rbac/v3/rbac.proto
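Review bot: The two rewritten map entries now take the proto_library key from `@com_google_googleapis` but its Go binding from `@go_googleapis`, and nothing in this file pins the two repositories to the same googleapis revision, so the CEL `checked`/`syntax` schema compiled into the Go bindings can drift silently from the one the C++ side builds against. I would state that constraint in the new comment, e.g. `# go_googleapis must track the same googleapis revision as @com_google_googleapis; bump both together.`, and fix the first line's grammar: `# Note: the @com_google_googleapis Go bindings point to @go_googleapis.`. Whether rules_go's vendored copy currently matches is not visible here and should be confirmed before merging. The `EXTERNAL_PROTO_GO_BAZEL_DEP_MAP` literal continues past the end of the hunk.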
@@ -310,3 +310,29 @@ message Principal {
 Principal not_id = 8;
 }
 }
+
+// Action defines the result of allowance or denial when a request matches the matcher.
+message Action {
+ // The name indicates the policy name.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The action to take if the matcher matches. Every action either allows or denies a request,
+ // and can also carry out action-specific operations.
+ //
+ // Actions:
+ //
+ // * ALLOW: If the request gets matched on ALLOW, it is permitted.
+ // * DENY: If the request gets matched on DENY, it is not permitted.
+ // * LOG: If the request gets matched on LOG, it is permitted. Besides, the
+ // dynamic metadata key `access_log_hint` under the shared key namespace
+ // 'envoy.common' will be set to the value `true`.
+ // * If the request cannot get matched, it will fallback to DENY.
+ //
+ // Log behavior:
+ //
+ // If the RBAC matcher contains at least one LOG action, the dynamic
+ // metadata key `access_log_hint` will be set based on if the request
+ // get matched on the LOG action.
+ //
+ RBAC.Action action = 2;
+}
diff --git a/envoy/extensions/filters/http/rbac/v3/BUILD b/envoy/extensions/filters/http/rbac/v3/BUILD
index fd183569..49cb2cca 100644
--- a/envoy/extensions/filters/http/rbac/v3/BUILD
+++ b/envoy/extensions/filters/http/rbac/v3/BUILD
@@ -8,5 +8,7 @@ api_proto_package(
 deps = [
 "//envoy/config/rbac/v3:pkg",
 "@com_github_cncf_udpa//udpa/annotations:pkg",
+ "@com_github_cncf_udpa//xds/annotations/v3:pkg",
+ "@com_github_cncf_udpa//xds/type/matcher/v3:pkg",
 ],
 )
diff --git a/envoy/extensions/filters/http/rbac/v3/rbac.proto b/envoy/extensions/filters/http/rbac/v3/rbac.proto
index 00881845..eeb505a1 100644
--- a/envoy/extensions/filters/http/rbac/v3/rbac.proto
+++ b/envoy/extensions/filters/http/rbac/v3/rbac.proto
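Review bot: `RBAC.Action action = 2;` at the end of the new `Action` message carries no validation rule, and as a proto3 enum it reads as the enum's zero value whenever the control plane leaves it out; `RBAC.Action` is defined outside this hunk, but if its zero value is `ALLOW` as in the existing policy API, a matcher leaf whose typed config omits `action` silently becomes an allow rule instead of failing closed the way an unmatched request does. I would spell that out on the field, `// An omitted action takes the enum default (ALLOW); always set it explicitly.`, and add `[(validate.rules).enum = {defined_only: true}]` so a value this build does not know is rejected at config validation rather than interpreted by the data plane. The comment block also says 'it will fallback to DENY' and 'based on if the request get matched', which should read 'fall back to DENY' and 'whether the request is matched'. The sentence about unmatched requests describes the match tree rather than this message and belongs on the `matcher` fields of the two filters.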
@@ -4,6 +4,10 @@ package envoy.extensions.filters.http.rbac.v3;
 import "envoy/config/rbac/v3/rbac.proto";
+import "xds/annotations/v3/status.proto";
+import "xds/type/matcher/v3/matcher.proto";
+
+import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
@@ -18,6 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.filters.http.rbac]
 // RBAC filter config.
+// [#next-free-field: 6]
 message RBAC {
 option (udpa.annotations.versioning).previous_message_type =
 "envoy.config.filter.http.rbac.v2.RBAC";
@@ -25,12 +30,33 @@ message RBAC {
 // Specify the RBAC rules to be applied globally.
 // If absent, no enforcing RBAC policy will be applied.
 // If present and empty, DENY.
- config.rbac.v3.RBAC rules = 1;
+ // If both rules and matcher are configured, rules will be ignored.
+ config.rbac.v3.RBAC rules = 1
+ [(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];
+
+ // The match tree to use when resolving RBAC action for incoming requests. Requests do not
+ // match any matcher will be denied.
+ // If absent, no enforcing RBAC matcher will be applied.
+ // If present and empty, deny all requests.
+ xds.type.matcher.v3.Matcher matcher = 4 [
+ (udpa.annotations.field_migrate).oneof_promotion = "rules_specifier",
+ (xds.annotations.v3.field_status).work_in_progress = true
+ ];
 // Shadow rules are not enforced by the filter (i.e., returning a 403)
 // but will emit stats and logs and can be used for rule testing.
 // If absent, no shadow RBAC policy will be applied.
- config.rbac.v3.RBAC shadow_rules = 2;
+ // If both shadow rules and shadow matcher are configured, shadow rules will be ignored.
+ config.rbac.v3.RBAC shadow_rules = 2
+ [(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier"];
+
+ // The match tree to use for emitting stats and logs which can be used for rule testing for
+ // incoming requests.
+ // If absent, no shadow matcher will be applied.
+ xds.type.matcher.v3.Matcher shadow_matcher = 5 [
+ (udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier",
+ (xds.annotations.v3.field_status).work_in_progress = true
+ ];
 // If specified, shadow rules will emit stats with the given prefix.
 // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
diff --git a/envoy/extensions/filters/network/rbac/v3/BUILD b/envoy/extensions/filters/network/rbac/v3/BUILD
index fd183569..49cb2cca 100644
--- a/envoy/extensions/filters/network/rbac/v3/BUILD
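Review bot: The added line `// If both rules and matcher are configured, rules will be ignored.` documents a silent precedence that the schema cannot enforce until the `rules_specifier` oneof promotion lands: a control plane that attaches a `matcher` to a filter already carrying `rules` drops the existing enforcement policy with no error, and the parallel sentence on `shadow_rules` has the same problem. Until the fields become a real oneof I would have config validation reject both being set (that code is outside this hunk) and document it as an error, e.g. `// Setting both rules and matcher is rejected; they will be promoted to a oneof.`, rather than promise an override order. The matcher comment also needs `Requests that do not match any matcher will be denied.`, and `shadow_matcher` should state what an empty tree does the way `matcher` does, since nothing here says whether it shadow-denies everything or nothing. The `RBAC` message continues past the end of the hunk.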
+++ b/envoy/extensions/filters/network/rbac/v3/BUILD
@@ -8,5 +8,7 @@ api_proto_package(
 deps = [
 "//envoy/config/rbac/v3:pkg",
 "@com_github_cncf_udpa//udpa/annotations:pkg",
+ "@com_github_cncf_udpa//xds/annotations/v3:pkg",
+ "@com_github_cncf_udpa//xds/type/matcher/v3:pkg",
 ],
 )
diff --git a/envoy/extensions/filters/network/rbac/v3/rbac.proto b/envoy/extensions/filters/network/rbac/v3/rbac.proto
index 44141f16..823e1827 100644
--- a/envoy/extensions/filters/network/rbac/v3/rbac.proto
+++ b/envoy/extensions/filters/network/rbac/v3/rbac.proto
@@ -4,6 +4,10 @@ package envoy.extensions.filters.network.rbac.v3;
 import "envoy/config/rbac/v3/rbac.proto";
+import "xds/annotations/v3/status.proto";
+import "xds/type/matcher/v3/matcher.proto";
+
+import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -22,7 +26,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //
 // Header should not be used in rules/shadow_rules in RBAC network filter as
 // this information is only available in :ref:`RBAC http filter `.
-// [#next-free-field: 6]
+// [#next-free-field: 8]
 message RBAC {
 option (udpa.annotations.versioning).previous_message_type =
 "envoy.config.filter.network.rbac.v2.RBAC";
@@ -41,12 +45,33 @@ message RBAC {
 // Specify the RBAC rules to be applied globally.
 // If absent, no enforcing RBAC policy will be applied.
 // If present and empty, DENY.
- config.rbac.v3.RBAC rules = 1;
+ // If both rules and matcher are configured, rules will be ignored.
+ config.rbac.v3.RBAC rules = 1
+ [(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];
+
+ // The match tree to use when resolving RBAC action for incoming connections. Connections do
+ // not match any matcher will be denied.
+ // If absent, no enforcing RBAC matcher will be applied.
+ // If present and empty, deny all connections.
+ xds.type.matcher.v3.Matcher matcher = 6 [
+ (udpa.annotations.field_migrate).oneof_promotion = "rules_specifier",
+ (xds.annotations.v3.field_status).work_in_progress = true
+ ];
 // Shadow rules are not enforced by the filter but will emit stats and logs
 // and can be used for rule testing.
 // If absent, no shadow RBAC policy will be applied.
- config.rbac.v3.RBAC shadow_rules = 2;
+ // If both shadow rules and shadow matcher are configured, shadow rules will be ignored.
+ config.rbac.v3.RBAC shadow_rules = 2
+ [(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier"];
+
+ // The match tree to use for emitting stats and logs which can be used for rule testing for
+ // incoming connections.
+ // If absent, no shadow matcher will be applied.
+ xds.type.matcher.v3.Matcher shadow_matcher = 7 [
+ (udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier",
+ (xds.annotations.v3.field_status).work_in_progress = true
+ ];
 // If specified, shadow rules will emit stats with the given prefix.
 // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
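Review bot: The message-level warning in the previous hunk that headers must not be used `in rules/shadow_rules in RBAC network filter` is not extended to the new `matcher` and `shadow_matcher` fields, although the limitation is the same: a match tree that uses an HTTP header input has nothing to evaluate at L4, and with the documented fail-closed default the likely outcome is every connection denied — unless the factory rejects such inputs, which is not visible here. I would add to the `matcher` comment `// Only connection-level inputs are available in the network filter; HTTP inputs (headers, path) must not be used here.`, adjusted to whatever inputs the network filter actually registers. The sentence `Connections do not match any matcher will be denied.` should read `Connections that do not match any matcher will be denied.`. The `RBAC` message continues past the end of the hunk.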