rbac: add unified matcher for RBAC filters (#20877)

Signed-off-by: Xie Zhihao zhihao.xie@intel.com Commit Message: rbac: add unified matcher for RBAC filters Additional Description: The patch add the matching API support for both RBAC network filter and HTTP filter. Users can configure rules and shadow rules in either policies or the matching API manner. There are some incompatibilities, TODOs and behavior changes compared to the policies way. RBAC matchers are not compatible with the matching API. URL path and CEL are not supported in the matching API. These matchers may come as custom matcher. Metadata is not supported in the matching API. These matchers may come as inputs. Connections and requests with no matcher matched will always be denied. Risk Level: Medium Testing: Unit and integration Docs Changes: API and configuration Release Notes: WIP Platform Specific Features: N/A Fixes #20623 Mirrored from https://github.com/envoyproxy/envoy @ 42cb84456d53d053eb1ae94680d07a74f4545a48
3 years ago · 734944dcd5
parent 3d4728d32a
commit 734944dcd5
6 changed files with 97 additions and 7 deletions
--- a/bazel/external_proto_deps.bzl
+++ b/bazel/external_proto_deps.bzl
@ -19,8 +19,17 @@ EXTERNAL_PROTO_IMPORT_BAZEL_DEP_MAP = {

 # This maps from the Bazel proto_library target to the Go language binding target for external dependencies.
 EXTERNAL_PROTO_GO_BAZEL_DEP_MAP = {
-    "@com_google_googleapis//google/api/expr/v1alpha1:checked_proto": "@com_google_googleapis//google/api/expr/v1alpha1:expr_go_proto",
-    "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto": "@com_google_googleapis//google/api/expr/v1alpha1:expr_go_proto",
+    # Note @com_google_googleapis are point to @go_googleapis.
+    #
+    # It is aligned to xDS dependency to suppress the conflicting package heights error between
+    # @com_github_cncf_udpa//xds/type/matcher/v3:pkg_go_proto
+    # @envoy_api//envoy/config/rbac/v3:pkg_go_proto
+    #
+    # TODO(https://github.com/bazelbuild/rules_go/issues/1986): update to
+    #    @com_google_googleapis when the bug is resolved. Also see the note to
+    #    go_googleapis in https://github.com/bazelbuild/rules_go/blob/master/go/dependencies.rst#overriding-dependencies
+    "@com_google_googleapis//google/api/expr/v1alpha1:checked_proto": "@go_googleapis//google/api/expr/v1alpha1:expr_go_proto",
+    "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto": "@go_googleapis//google/api/expr/v1alpha1:expr_go_proto",
    "@opencensus_proto//opencensus/proto/trace/v1:trace_proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_proto_go",
    "@opencensus_proto//opencensus/proto/trace/v1:trace_config_proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_and_config_proto_go",
    "@opentelemetry_proto//:logs": "@opentelemetry_proto//:logs_go_proto",
--- a/envoy/config/rbac/v3/rbac.proto
+++ b/envoy/config/rbac/v3/rbac.proto
@ -310,3 +310,29 @@ message Principal {
    Principal not_id = 8;
  }
 }
+
+// Action defines the result of allowance or denial when a request matches the matcher.
+message Action {
+  // The name indicates the policy name.
+  string name = 1 [(validate.rules).string = {min_len: 1}];
+
+  // The action to take if the matcher matches. Every action either allows or denies a request,
+  // and can also carry out action-specific operations.
+  //
+  // Actions:
+  //
+  //  * ALLOW: If the request gets matched on ALLOW, it is permitted.
+  //  * DENY: If the request gets matched on DENY, it is not permitted.
+  //  * LOG: If the request gets matched on LOG, it is permitted. Besides, the
+  //    dynamic metadata key `access_log_hint` under the shared key namespace
+  //    'envoy.common' will be set to the value `true`.
+  //  * If the request cannot get matched, it will fallback to DENY.
+  //
+  // Log behavior:
+  //
+  //  If the RBAC matcher contains at least one LOG action, the dynamic
+  //  metadata key `access_log_hint` will be set based on if the request
+  //  get matched on the LOG action.
+  //
+  RBAC.Action action = 2;
+}
--- a/envoy/extensions/filters/http/rbac/v3/BUILD
+++ b/envoy/extensions/filters/http/rbac/v3/BUILD
@ -8,5 +8,7 @@ api_proto_package(
    deps = [
        "//envoy/config/rbac/v3:pkg",
        "@com_github_cncf_udpa//udpa/annotations:pkg",
+        "@com_github_cncf_udpa//xds/annotations/v3:pkg",
+        "@com_github_cncf_udpa//xds/type/matcher/v3:pkg",
    ],
 )
--- a/envoy/extensions/filters/http/rbac/v3/rbac.proto
+++ b/envoy/extensions/filters/http/rbac/v3/rbac.proto
@ -4,6 +4,10 @@ package envoy.extensions.filters.http.rbac.v3;

 import "envoy/config/rbac/v3/rbac.proto";

+import "xds/annotations/v3/status.proto";
+import "xds/type/matcher/v3/matcher.proto";
+
+import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";

@ -18,6 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.filters.http.rbac]

 // RBAC filter config.
+// [#next-free-field: 6]
 message RBAC {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.filter.http.rbac.v2.RBAC";
@ -25,12 +30,33 @@ message RBAC {
  // Specify the RBAC rules to be applied globally.
  // If absent, no enforcing RBAC policy will be applied.
  // If present and empty, DENY.
-  config.rbac.v3.RBAC rules = 1;
+  // If both rules and matcher are configured, rules will be ignored.
+  config.rbac.v3.RBAC rules = 1
+      [(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];
+
+  // The match tree to use when resolving RBAC action for incoming requests. Requests do not
+  // match any matcher will be denied.
+  // If absent, no enforcing RBAC matcher will be applied.
+  // If present and empty, deny all requests.
+  xds.type.matcher.v3.Matcher matcher = 4 [
+    (udpa.annotations.field_migrate).oneof_promotion = "rules_specifier",
+    (xds.annotations.v3.field_status).work_in_progress = true
+  ];

  // Shadow rules are not enforced by the filter (i.e., returning a 403)
  // but will emit stats and logs and can be used for rule testing.
  // If absent, no shadow RBAC policy will be applied.
-  config.rbac.v3.RBAC shadow_rules = 2;
+  // If both shadow rules and shadow matcher are configured, shadow rules will be ignored.
+  config.rbac.v3.RBAC shadow_rules = 2
+      [(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier"];
+
+  // The match tree to use for emitting stats and logs which can be used for rule testing for
+  // incoming requests.
+  // If absent, no shadow matcher will be applied.
+  xds.type.matcher.v3.Matcher shadow_matcher = 5 [
+    (udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier",
+    (xds.annotations.v3.field_status).work_in_progress = true
+  ];

  // If specified, shadow rules will emit stats with the given prefix.
  // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
--- a/envoy/extensions/filters/network/rbac/v3/BUILD
+++ b/envoy/extensions/filters/network/rbac/v3/BUILD
@ -8,5 +8,7 @@ api_proto_package(
    deps = [
        "//envoy/config/rbac/v3:pkg",
        "@com_github_cncf_udpa//udpa/annotations:pkg",
+        "@com_github_cncf_udpa//xds/annotations/v3:pkg",
+        "@com_github_cncf_udpa//xds/type/matcher/v3:pkg",
    ],
 )
--- a/envoy/extensions/filters/network/rbac/v3/rbac.proto
+++ b/envoy/extensions/filters/network/rbac/v3/rbac.proto
@ -4,6 +4,10 @@ package envoy.extensions.filters.network.rbac.v3;

 import "envoy/config/rbac/v3/rbac.proto";

+import "xds/annotations/v3/status.proto";
+import "xds/type/matcher/v3/matcher.proto";
+
+import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@ -22,7 +26,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 //
 // Header should not be used in rules/shadow_rules in RBAC network filter as
 // this information is only available in :ref:`RBAC http filter <config_http_filters_rbac>`.
-// [#next-free-field: 6]
+// [#next-free-field: 8]
 message RBAC {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.filter.network.rbac.v2.RBAC";
@ -41,12 +45,33 @@ message RBAC {
  // Specify the RBAC rules to be applied globally.
  // If absent, no enforcing RBAC policy will be applied.
  // If present and empty, DENY.
-  config.rbac.v3.RBAC rules = 1;
+  // If both rules and matcher are configured, rules will be ignored.
+  config.rbac.v3.RBAC rules = 1
+      [(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];
+
+  // The match tree to use when resolving RBAC action for incoming connections. Connections do
+  // not match any matcher will be denied.
+  // If absent, no enforcing RBAC matcher will be applied.
+  // If present and empty, deny all connections.
+  xds.type.matcher.v3.Matcher matcher = 6 [
+    (udpa.annotations.field_migrate).oneof_promotion = "rules_specifier",
+    (xds.annotations.v3.field_status).work_in_progress = true
+  ];

  // Shadow rules are not enforced by the filter but will emit stats and logs
  // and can be used for rule testing.
  // If absent, no shadow RBAC policy will be applied.
-  config.rbac.v3.RBAC shadow_rules = 2;
+  // If both shadow rules and shadow matcher are configured, shadow rules will be ignored.
+  config.rbac.v3.RBAC shadow_rules = 2
+      [(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier"];
+
+  // The match tree to use for emitting stats and logs which can be used for rule testing for
+  // incoming connections.
+  // If absent, no shadow matcher will be applied.
+  xds.type.matcher.v3.Matcher shadow_matcher = 7 [
+    (udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier",
+    (xds.annotations.v3.field_status).work_in_progress = true
+  ];

  // If specified, shadow rules will emit stats with the given prefix.
  // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with