From 78d8f061fe330aa03a3d70e7d21164809bc9912f Mon Sep 17 00:00:00 2001 From: "data-plane-api(Azure Pipelines)" Date: Sat, 6 Mar 2021 00:16:09 +0000 Subject: [PATCH] rbac: support to configure the shadow rule stat with a custom prefix. (#15323) This is useful when there are more than 1 RBAC filter configured with shadow rules to distinguish the shadow stats generated by different filters. Signed-off-by: Yangmin Zhu Mirrored from https://github.com/envoyproxy/envoy @ fa81296e53a040ccebf45bfc6c67044e6d0d8b62 --- envoy/extensions/filters/http/rbac/v3/rbac.proto | 5 +++++ envoy/extensions/filters/http/rbac/v4alpha/rbac.proto | 5 +++++ envoy/extensions/filters/network/rbac/v3/rbac.proto | 6 ++++++ envoy/extensions/filters/network/rbac/v4alpha/rbac.proto | 6 ++++++ 4 files changed, 22 insertions(+) diff --git a/envoy/extensions/filters/http/rbac/v3/rbac.proto b/envoy/extensions/filters/http/rbac/v3/rbac.proto index f7afb962..67cb338e 100644 --- a/envoy/extensions/filters/http/rbac/v3/rbac.proto +++ b/envoy/extensions/filters/http/rbac/v3/rbac.proto @@ -29,6 +29,11 @@ message RBAC { // but will emit stats and logs and can be used for rule testing. // If absent, no shadow RBAC policy will be applied. config.rbac.v3.RBAC shadow_rules = 2; + + // If specified, shadow rules will emit stats with the given prefix. + // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with + // shadow rules. + string shadow_rules_stat_prefix = 3; } message RBACPerRoute { diff --git a/envoy/extensions/filters/http/rbac/v4alpha/rbac.proto b/envoy/extensions/filters/http/rbac/v4alpha/rbac.proto index 0adcfcff..6f1a61e5 100644 --- a/envoy/extensions/filters/http/rbac/v4alpha/rbac.proto +++ b/envoy/extensions/filters/http/rbac/v4alpha/rbac.proto @@ -29,6 +29,11 @@ message RBAC { // but will emit stats and logs and can be used for rule testing. // If absent, no shadow RBAC policy will be applied. config.rbac.v4alpha.RBAC shadow_rules = 2; + + // If specified, shadow rules will emit stats with the given prefix. + // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with + // shadow rules. + string shadow_rules_stat_prefix = 3; } message RBACPerRoute { diff --git a/envoy/extensions/filters/network/rbac/v3/rbac.proto b/envoy/extensions/filters/network/rbac/v3/rbac.proto index 6b8d3b01..e38b0cf4 100644 --- a/envoy/extensions/filters/network/rbac/v3/rbac.proto +++ b/envoy/extensions/filters/network/rbac/v3/rbac.proto @@ -21,6 +21,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // // Header should not be used in rules/shadow_rules in RBAC network filter as // this information is only available in :ref:`RBAC http filter `. +// [#next-free-field: 6] message RBAC { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.network.rbac.v2.RBAC"; @@ -45,6 +46,11 @@ message RBAC { // If absent, no shadow RBAC policy will be applied. config.rbac.v3.RBAC shadow_rules = 2; + // If specified, shadow rules will emit stats with the given prefix. + // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with + // shadow rules. + string shadow_rules_stat_prefix = 5; + // The prefix to use when emitting statistics. string stat_prefix = 3 [(validate.rules).string = {min_len: 1}]; diff --git a/envoy/extensions/filters/network/rbac/v4alpha/rbac.proto b/envoy/extensions/filters/network/rbac/v4alpha/rbac.proto index a1508997..9e15a86e 100644 --- a/envoy/extensions/filters/network/rbac/v4alpha/rbac.proto +++ b/envoy/extensions/filters/network/rbac/v4alpha/rbac.proto @@ -21,6 +21,7 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO // // Header should not be used in rules/shadow_rules in RBAC network filter as // this information is only available in :ref:`RBAC http filter `. +// [#next-free-field: 6] message RBAC { option (udpa.annotations.versioning).previous_message_type = "envoy.extensions.filters.network.rbac.v3.RBAC"; @@ -45,6 +46,11 @@ message RBAC { // If absent, no shadow RBAC policy will be applied. config.rbac.v4alpha.RBAC shadow_rules = 2; + // If specified, shadow rules will emit stats with the given prefix. + // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with + // shadow rules. + string shadow_rules_stat_prefix = 5; + // The prefix to use when emitting statistics. string stat_prefix = 3 [(validate.rules).string = {min_len: 1}];