rbac: update the authenticated.user to a StringMatcher. (#4250)

This PR added a new principal_name of type StringMatcher to rbac Authenticated and mark the existing user field as deprecated. This gives us more flexibility to express more matching rules against peer certificate. Risk Level: Low Testing: Added unit tests Signed-off-by: Yangmin Zhu <ymzhu@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 5d731878fd0134ca15d5904450a64dab0ff577a9
6 years ago · a29483497d
parent 3278cea2a8
commit a29483497d
2 changed files with 14 additions and 4 deletions
--- a/envoy/config/rbac/v2alpha/BUILD
+++ b/envoy/config/rbac/v2alpha/BUILD
@ -10,6 +10,7 @@ api_proto_library_internal(
        "//envoy/api/v2/core:address",
        "//envoy/api/v2/route",
        "//envoy/type/matcher:metadata",
+        "//envoy/type/matcher:string",
    ],
 )

@ -20,5 +21,6 @@ api_go_proto_library(
        "//envoy/api/v2/core:address_go_proto",
        "//envoy/api/v2/route:route_go_proto",
        "//envoy/type/matcher:metadata_go_proto",
+        "//envoy/type/matcher:string_go_proto",
    ],
 )
--- a/envoy/config/rbac/v2alpha/rbac.proto
+++ b/envoy/config/rbac/v2alpha/rbac.proto
@ -4,6 +4,7 @@ import "validate/validate.proto";
 import "envoy/api/v2/core/address.proto";
 import "envoy/api/v2/route/route.proto";
 import "envoy/type/matcher/metadata.proto";
+import "envoy/type/matcher/string.proto";

 package envoy.config.rbac.v2alpha;
 option go_package = "v2alpha";
@ -30,8 +31,12 @@ option go_package = "v2alpha";
 //       permissions:
 //         - any: true
 //       principals:
-//         - authenticated: { name: "cluster.local/ns/default/sa/admin" }
-//         - authenticated: { name: "cluster.local/ns/default/sa/superuser" }
+//         - authenticated:
+//             principal_name:
+//               exact: "cluster.local/ns/default/sa/admin"
+//         - authenticated:
+//             principal_name:
+//               exact: "cluster.local/ns/default/sa/superuser"
 //     "product-viewer":
 //       permissions:
 //           - and_rules:
@ -135,9 +140,12 @@ message Principal {

  // Authentication attributes for a downstream.
  message Authenticated {
-    // The name of the principal. If set, the URI SAN is used from the certificate, otherwise the
+    reserved 1;
+    reserved "name";
+
+    // The name of the principal. If set, The URI SAN is used from the certificate, otherwise the
    // subject field is used. If unset, it applies to any user that is authenticated.
-    string name = 1;
+    envoy.type.matcher.StringMatcher principal_name = 2;
  }

  oneof identifier {