forked from envoyproxy/envoy
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Protos for RBAC support. (envoyproxy#3133)
Added protos to support Role Based Access Control in Envoy. Also removed existing auth.proto because the new RBAC proto is a replacement of it. Ealier discussions at envoyproxy/data-plane-api#586. Signed-off-by: Limin Wang <liminwang@google.com> Signed-off-by: Rama <rama.rao@salesforce.com>
- Loading branch information
1 parent
5a4d5d6
commit 6e02395
Showing
10 changed files
with
219 additions
and
81 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file was deleted.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
licenses(["notice"]) # Apache 2 | ||
|
||
load("//bazel:api_build_system.bzl", "api_proto_library", "api_go_proto_library") | ||
|
||
api_proto_library( | ||
name = "rbac", | ||
srcs = ["rbac.proto"], | ||
deps = [ | ||
"//envoy/api/v2/core:address", | ||
"//envoy/type:string_match", | ||
], | ||
) | ||
|
||
api_go_proto_library( | ||
name = "rbac", | ||
proto = ":rbac", | ||
deps = [ | ||
"//envoy/api/v2/core:address_go_proto", | ||
"//envoy/type:string_match_go_proto", | ||
], | ||
) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,154 @@ | ||
syntax = "proto3"; | ||
|
||
import "validate/validate.proto"; | ||
import "envoy/api/v2/core/address.proto"; | ||
import "envoy/type/string_match.proto"; | ||
|
||
package envoy.config.rbac.v2alpha; | ||
|
||
// Role Based Access Control (RBAC) provides service-level and method-level access control for a service. | ||
// The RBAC engine authorizes a request by evaluating the request context (expressed in the form of | ||
// :ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`) against the RBAC policies. | ||
// | ||
// RBAC policies are additive. The policies are examined in order. A request is allowed once a matching policy | ||
// is found (suppose the `action` is ALLOW). | ||
// | ||
// Here is an example of RBAC configuration. It has two policies: | ||
// * Service account "cluster.local/ns/default/sa/admin" has full access (empty permission entry means full access) | ||
// to the service. | ||
// * Any user (empty principal entry means any user) can read ("GET") the service at paths with prefix "/products" or | ||
// suffix "/reviews" when request header "version" set to either "v1" or "v2". | ||
// | ||
// action: ALLOW | ||
// policies: | ||
// "service-admin": | ||
// permissions: | ||
// - | ||
// principals: | ||
// authenticated: | ||
// name: "cluster.local/ns/default/sa/admin" | ||
// "product-viewer": | ||
// permissions: | ||
// - paths: [prefix: "/products", suffix: "/reviews"] | ||
// methods: ["GET"] | ||
// conditions: | ||
// - header: | ||
// key: "version" | ||
// values: [simple: "v1", simple: "v2"] | ||
// principals: | ||
// - | ||
// | ||
message RBAC { | ||
// Should we do white-list or black-list style access control. | ||
enum Action { | ||
// The policies grant access to principals. The rest is denied. This is white-list style | ||
// access control. This is the default type. | ||
ALLOW = 0; | ||
|
||
// The policies deny access to principals. The rest is allowed. This is black-list style | ||
// access control. | ||
DENY = 1; | ||
} | ||
|
||
Action action = 1; | ||
|
||
// Maps from policy name to policy. | ||
map<string, Policy> policies = 2; | ||
} | ||
|
||
// Policy specifies a role and the principals that are assigned/denied the role. | ||
message Policy { | ||
// Required. The set of permissions that define a role. | ||
repeated Permission permissions = 1 [(validate.rules).repeated .min_items = 1]; | ||
|
||
// Required. List of principals that are assigned/denied the role based on “action”. | ||
repeated Principal principals = 2 [(validate.rules).repeated .min_items = 1]; | ||
} | ||
|
||
// Specifies how to match an entry in a map. | ||
message MapEntryMatch { | ||
// The key to select an entry from the map. | ||
string key = 1; | ||
|
||
// A list of matched values. | ||
repeated envoy.type.StringMatch values = 2; | ||
} | ||
|
||
// Specifies how to match IP addresses. | ||
message IpMatch { | ||
// IP addresses in CIDR notation. | ||
repeated envoy.api.v2.core.CidrRange cidrs = 1; | ||
} | ||
|
||
// Specifies how to match ports. | ||
message PortMatch { | ||
// Port numbers. | ||
repeated uint32 ports = 1; | ||
} | ||
|
||
// Permission defines a permission to access the service. | ||
message Permission { | ||
// Optional. A list of HTTP paths or gRPC methods. | ||
// gRPC methods must be presented as fully-qualified name in the form of | ||
// packageName.serviceName/methodName. | ||
// If this field is unset, it applies to any path. | ||
repeated envoy.type.StringMatch paths = 1; | ||
|
||
// Required. A list of HTTP methods (e.g., "GET", "POST"). | ||
// If this field is unset, it applies to any method. | ||
repeated string methods = 2; | ||
|
||
// Definition of a custom condition. | ||
message Condition { | ||
oneof condition_spec { | ||
// Header match. This matches to the "request.http.headers" field in | ||
// ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`. | ||
// The map key is the header name. The header specifies how the service is accessed. | ||
MapEntryMatch header = 1; | ||
|
||
// Destination IP addresses. | ||
IpMatch destination_ips = 2; | ||
|
||
// Destination ports. | ||
PortMatch destination_ports = 3; | ||
} | ||
} | ||
|
||
// Optional. Custom conditions. | ||
repeated Condition conditions = 3; | ||
} | ||
|
||
// Principal defines an identity or a group of identities. | ||
message Principal { | ||
// Authentication attributes for principal. These could be filled out inside RBAC filter. | ||
// Or if an authentication filter is used, they can be provided by the authentication filter. | ||
message Authenticated { | ||
// Optional. The name of the principal. This matches to the "source.principal" field in | ||
// ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`. | ||
// If unset, it applies to any user. | ||
string name = 1; | ||
} | ||
|
||
// Optional. Authenticated attributes that identify the principal. | ||
Authenticated authenticated = 1; | ||
|
||
// Definition of a custom attribute to identify the principal. | ||
message Attribute { | ||
oneof attribute_spec { | ||
// Source service name. This matches to the "source.service" field in | ||
// ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`. | ||
string service = 1; | ||
|
||
// Source IP addresses. | ||
IpMatch source_ips = 2; | ||
|
||
// Header match. This matches to the "request.http.headers" field in | ||
// ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`. | ||
// The map "key" is the header name. The header identifies the client. | ||
MapEntryMatch header = 3; | ||
} | ||
} | ||
|
||
// Optional. Custom attributes that identify the principal. | ||
repeated Attribute attributes = 2; | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,31 @@ | ||
syntax = "proto3"; | ||
|
||
package envoy.type; | ||
option go_package = "envoy_type"; | ||
|
||
import "gogoproto/gogo.proto"; | ||
|
||
option (gogoproto.equal_all) = true; | ||
|
||
// [#protodoc-title: StringMatch] | ||
|
||
// Specifies the way to match a string. | ||
message StringMatch { | ||
oneof match_pattern { | ||
// The input string must match exactly the string specified here. | ||
// Or it is a "*", which means that it matches any string. | ||
string simple = 1; | ||
|
||
// The input string must have the prefix specified here. | ||
string prefix = 2; | ||
|
||
// The input string must have the suffix specified here. | ||
string suffix = 3; | ||
|
||
// The input string must match the regular expression specified here. | ||
// The regex grammar is defined `here | ||
// <http://en.cppreference.com/w/cpp/regex/ecmascript>`_. | ||
string regex = 4; | ||
} | ||
} | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters