Chiebot-Mirror
/
data-plane-api
8
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

rbac: update the authenticated.user to a StringMatcher. (#4250)

Browse Source 
This PR added a new principal_name of type StringMatcher to rbac Authenticated and mark the existing user field as deprecated. This gives us more flexibility to express more matching rules against peer certificate.

Risk Level: Low
Testing: Added unit tests

Signed-off-by: Yangmin Zhu <ymzhu@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 5d731878fd0134ca15d5904450a64dab0ff577a9
pull/620/head
data-plane-api(CircleCI) 7 years ago
parent 3278cea2a8
commit a29483497d
2 changed files with 14 additions and 4 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      envoy/config/rbac/v2alpha/BUILD
  2. 16
      envoy/config/rbac/v2alpha/rbac.proto

2
envoy/config/rbac/v2alpha/BUILD
Unescape View File

@ -10,6 +10,7 @@ api_proto_library_internal(
"//envoy/api/v2/core:address", "//envoy/api/v2/core:address",
"//envoy/api/v2/route", "//envoy/api/v2/route",
"//envoy/type/matcher:metadata", "//envoy/type/matcher:metadata",
"//envoy/type/matcher:string",
], ],
) )
@ -20,5 +21,6 @@ api_go_proto_library(
"//envoy/api/v2/core:address_go_proto", "//envoy/api/v2/core:address_go_proto",
"//envoy/api/v2/route:route_go_proto", "//envoy/api/v2/route:route_go_proto",
"//envoy/type/matcher:metadata_go_proto", "//envoy/type/matcher:metadata_go_proto",
"//envoy/type/matcher:string_go_proto",
], ],
) )

16
envoy/config/rbac/v2alpha/rbac.proto
Unescape View File

@ -4,6 +4,7 @@ import "validate/validate.proto";
import "envoy/api/v2/core/address.proto"; import "envoy/api/v2/core/address.proto";
import "envoy/api/v2/route/route.proto"; import "envoy/api/v2/route/route.proto";
import "envoy/type/matcher/metadata.proto"; import "envoy/type/matcher/metadata.proto";
import "envoy/type/matcher/string.proto";
package envoy.config.rbac.v2alpha; package envoy.config.rbac.v2alpha;
option go_package = "v2alpha"; option go_package = "v2alpha";
@ -30,8 +31,12 @@ option go_package = "v2alpha";
// permissions: // permissions:
// - any: true // - any: true
// principals: // principals:
// - authenticated: { name: "cluster.local/ns/default/sa/admin" } // - authenticated:
// - authenticated: { name: "cluster.local/ns/default/sa/superuser" } // principal_name:
// exact: "cluster.local/ns/default/sa/admin"
// - authenticated:
// principal_name:
// exact: "cluster.local/ns/default/sa/superuser"
// "product-viewer": // "product-viewer":
// permissions: // permissions:
// - and_rules: // - and_rules:
@ -135,9 +140,12 @@ message Principal {
// Authentication attributes for a downstream. // Authentication attributes for a downstream.
message Authenticated { message Authenticated {
// The name of the principal. If set, the URI SAN is used from the certificate, otherwise the reserved 1;
reserved "name";
// The name of the principal. If set, The URI SAN is used from the certificate, otherwise the
// subject field is used. If unset, it applies to any user that is authenticated. // subject field is used. If unset, it applies to any user that is authenticated.
string name = 1; envoy.type.matcher.StringMatcher principal_name = 2;
} }
oneof identifier { oneof identifier {

Write Preview
Loading…
Cancel
Save