rbac: add rbac network filter. (#4083)

Signed-off-by: Yangmin Zhu <ymzhu@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ c283439b6b020df64e6a1af4b3ab41d4099f4738

docs/BUILD

@@ -47,6 +47,7 @@ proto_library(
         "//envoy/config/filter/network/http_connection_manager/v2:http_connection_manager",
         "//envoy/config/filter/network/mongo_proxy/v2:mongo_proxy",
         "//envoy/config/filter/network/rate_limit/v2:rate_limit",
+        "//envoy/config/filter/network/rbac/v2:rbac",
         "//envoy/config/filter/network/redis_proxy/v2:redis_proxy",
         "//envoy/config/filter/network/tcp_proxy/v2:tcp_proxy",
         "//envoy/config/grpc_credential/v2alpha:file_based_metadata",

envoy/config/filter/http/rbac/v2/rbac.proto

@@ -19,7 +19,7 @@ message RBAC {
 
   // Shadow rules are not enforced by the filter (i.e., returning a 403)
   // but will emit stats and logs and can be used for rule testing.
-  // If absent, no shadow RBAC policy with be applied.
+  // If absent, no shadow RBAC policy will be applied.
   config.rbac.v2alpha.RBAC shadow_rules = 2;
 }
 

envoy/config/filter/network/rbac/v2/BUILD

@@ -0,0 +1,9 @@
+load("//bazel:api_build_system.bzl", "api_proto_library_internal")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library_internal(
+    name = "rbac",
+    srcs = ["rbac.proto"],
+    deps = ["//envoy/config/rbac/v2alpha:rbac"],
+)

envoy/config/filter/network/rbac/v2/rbac.proto

@@ -0,0 +1,30 @@
+syntax = "proto3";
+
+package envoy.config.filter.network.rbac.v2;
+option go_package = "v2";
+
+import "envoy/config/rbac/v2alpha/rbac.proto";
+
+import "validate/validate.proto";
+import "gogoproto/gogo.proto";
+
+// [#protodoc-title: RBAC]
+// Role-Based Access Control :ref:`configuration overview <config_network_filters_rbac>`.
+
+// RBAC network filter config.
+//
+// Header and Metadata should not be used in rules/shadow_rules in RBAC network filter as
+// this information is only available in :ref:`RBAC http filter <config_http_filters_rbac>`.
+message RBAC {
+  // Specify the RBAC rules to be applied globally.
+  // If absent, no enforcing RBAC policy will be applied.
+  config.rbac.v2alpha.RBAC rules = 1;
+
+  // Shadow rules are not enforced by the filter but will emit stats and logs
+  // and can be used for rule testing.
+  // If absent, no shadow RBAC policy will be applied.
+  config.rbac.v2alpha.RBAC shadow_rules = 2;
+
+  // The prefix to use when emitting statistics.
+  string stat_prefix = 3 [(validate.rules).string.min_bytes = 1];
+}

envoy/config/rbac/v2alpha/rbac.proto

@@ -103,7 +103,8 @@ message Permission {
     // When any is set, it matches any action.
     bool any = 3 [(validate.rules).bool.const = true];
 
-    // A header (or psuedo-header such as :path or :method) on the incoming HTTP request.
+    // A header (or psuedo-header such as :path or :method) on the incoming HTTP request. Only
+    // available for HTTP request.
     envoy.api.v2.route.HeaderMatcher header = 4;
 
     // A CIDR block that describes the destination IP.
@@ -112,7 +113,8 @@ message Permission {
     // A port number that describes the destination port connecting to.
     uint32 destination_port = 6 [(validate.rules).uint32.lte = 65535];
 
-    // Metadata that describes additional information about the action.
+    // Metadata that describes additional information about the action. Only available for HTTP
+    // request.
     envoy.type.matcher.MetadataMatcher metadata = 7;
 
     // Negates matching the provided permission. For instance, if the value of `not_rule` would
@@ -156,10 +158,12 @@ message Principal {
     // A CIDR block that describes the downstream IP.
     envoy.api.v2.core.CidrRange source_ip = 5;
 
-    // A header (or psuedo-header such as :path or :method) on the incoming HTTP request.
+    // A header (or psuedo-header such as :path or :method) on the incoming HTTP request. Only
+    // available for HTTP request.
     envoy.api.v2.route.HeaderMatcher header = 6;
 
-    // Metadata that describes additional information about the principal.
+    // Metadata that describes additional information about the principal. Only available for HTTP
+    // request.
     envoy.type.matcher.MetadataMatcher metadata = 7;
 
     // Negates matching the provided principal. For instance, if the value of `not_id` would match,