1syntax = "proto3";
2
3package envoy.config.rbac.v4alpha;
4
5import "envoy/config/core/v4alpha/address.proto";
6import "envoy/config/route/v4alpha/route_components.proto";
7import "envoy/type/matcher/v4alpha/metadata.proto";
8import "envoy/type/matcher/v4alpha/path.proto";
9import "envoy/type/matcher/v4alpha/string.proto";
10
11import "google/api/expr/v1alpha1/checked.proto";
12import "google/api/expr/v1alpha1/syntax.proto";
13
14import "udpa/annotations/status.proto";
15import "udpa/annotations/versioning.proto";
16import "validate/validate.proto";
17
18option java_package = "io.envoyproxy.envoy.config.rbac.v4alpha";
19option java_outer_classname = "RbacProto";
20option java_multiple_files = true;
21option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
22
23// [#protodoc-title: Role Based Access Control (RBAC)]
24
25// Role Based Access Control (RBAC) provides service-level and method-level access control for a
26// service. RBAC policies are additive. The policies are examined in order. Requests are allowed
27// or denied based on the `action` and whether a matching policy is found. For instance, if the
28// action is ALLOW and a matching policy is found the request should be allowed.
29//
30// RBAC can also be used to make access logging decisions by communicating with access loggers
31// through dynamic metadata. When the action is LOG and at least one policy matches, the
32// `access_log_hint` value in the shared key namespace 'envoy.common' is set to `true` indicating
33// the request should be logged.
34//
35// Here is an example of RBAC configuration. It has two policies:
36//
37// * Service account "cluster.local/ns/default/sa/admin" has full access to the service, and so
38// does "cluster.local/ns/default/sa/superuser".
39//
40// * Any user can read ("GET") the service at paths with prefix "/products", so long as the
41// destination port is either 80 or 443.
42//
43// .. code-block:: yaml
44//
45// action: ALLOW
46// policies:
47// "service-admin":
48// permissions:
49// - any: true
50// principals:
51// - authenticated:
52// principal_name:
53// exact: "cluster.local/ns/default/sa/admin"
54// - authenticated:
55// principal_name:
56// exact: "cluster.local/ns/default/sa/superuser"
57// "product-viewer":
58// permissions:
59// - and_rules:
60// rules:
61// - header: { name: ":method", exact_match: "GET" }
62// - url_path:
63// path: { prefix: "/products" }
64// - or_rules:
65// rules:
66// - destination_port: 80
67// - destination_port: 443
68// principals:
69// - any: true
70//
71message RBAC {
72 option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v3.RBAC";
73
74 // Should we do safe-list or block-list style access control?
75 enum Action {
76 // The policies grant access to principals. The rest are denied. This is safe-list style
77 // access control. This is the default type.
78 ALLOW = 0;
79
80 // The policies deny access to principals. The rest are allowed. This is block-list style
81 // access control.
82 DENY = 1;
83
84 // The policies set the `access_log_hint` dynamic metadata key based on if requests match.
85 // All requests are allowed.
86 LOG = 2;
87 }
88
89 // The action to take if a policy matches. Every action either allows or denies a request,
90 // and can also carry out action-specific operations.
91 //
92 // Actions:
93 //
94 // * ALLOW: Allows the request if and only if there is a policy that matches
95 // the request.
96 // * DENY: Allows the request if and only if there are no policies that
97 // match the request.
98 // * LOG: Allows all requests. If at least one policy matches, the dynamic
99 // metadata key `access_log_hint` is set to the value `true` under the shared
100 // key namespace 'envoy.common'. If no policies match, it is set to `false`.
101 // Other actions do not modify this key.
102 //
103 Action action = 1 [(validate.rules).enum = {defined_only: true}];
104
105 // Maps from policy name to policy. A match occurs when at least one policy matches the request.
106 map<string, Policy> policies = 2;
107}
108
109// Policy specifies a role and the principals that are assigned/denied the role.
110// A policy matches if and only if at least one of its permissions match the
111// action taking place AND at least one of its principals match the downstream
112// AND the condition is true if specified.
113message Policy {
114 option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v3.Policy";
115
116 // Required. The set of permissions that define a role. Each permission is
117 // matched with OR semantics. To match all actions for this policy, a single
118 // Permission with the `any` field set to true should be used.
119 repeated Permission permissions = 1 [(validate.rules).repeated = {min_items: 1}];
120
121 // Required. The set of principals that are assigned/denied the role based on
122 // “action”. Each principal is matched with OR semantics. To match all
123 // downstreams for this policy, a single Principal with the `any` field set to
124 // true should be used.
125 repeated Principal principals = 2 [(validate.rules).repeated = {min_items: 1}];
126
127 oneof expression_specifier {
128 // An optional symbolic expression specifying an access control
129 // :ref:`condition <arch_overview_condition>`. The condition is combined
130 // with the permissions and the principals as a clause with AND semantics.
131 // Only be used when checked_condition is not used.
132 google.api.expr.v1alpha1.Expr condition = 3;
133
134 // [#not-implemented-hide:]
135 // An optional symbolic expression that has been successfully type checked.
136 // Only be used when condition is not used.
137 google.api.expr.v1alpha1.CheckedExpr checked_condition = 4;
138 }
139}
140
141// Permission defines an action (or actions) that a principal can take.
142// [#next-free-field: 11]
143message Permission {
144 option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v3.Permission";
145
146 // Used in the `and_rules` and `or_rules` fields in the `rule` oneof. Depending on the context,
147 // each are applied with the associated behavior.
148 message Set {
149 option (udpa.annotations.versioning).previous_message_type =
150 "envoy.config.rbac.v3.Permission.Set";
151
152 repeated Permission rules = 1 [(validate.rules).repeated = {min_items: 1}];
153 }
154
155 oneof rule {
156 option (validate.required) = true;
157
158 // A set of rules that all must match in order to define the action.
159 Set and_rules = 1;
160
161 // A set of rules where at least one must match in order to define the action.
162 Set or_rules = 2;
163
164 // When any is set, it matches any action.
165 bool any = 3 [(validate.rules).bool = {const: true}];
166
167 // A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
168 // available for HTTP request.
169 // Note: the pseudo-header :path includes the query and fragment string. Use the `url_path`
170 // field if you want to match the URL path without the query and fragment string.
171 route.v4alpha.HeaderMatcher header = 4;
172
173 // A URL path on the incoming HTTP request. Only available for HTTP.
174 type.matcher.v4alpha.PathMatcher url_path = 10;
175
176 // A CIDR block that describes the destination IP.
177 core.v4alpha.CidrRange destination_ip = 5;
178
179 // A port number that describes the destination port connecting to.
180 uint32 destination_port = 6 [(validate.rules).uint32 = {lte: 65535}];
181
182 // Metadata that describes additional information about the action.
183 type.matcher.v4alpha.MetadataMatcher metadata = 7;
184
185 // Negates matching the provided permission. For instance, if the value of
186 // `not_rule` would match, this permission would not match. Conversely, if
187 // the value of `not_rule` would not match, this permission would match.
188 Permission not_rule = 8;
189
190 // The request server from the client's connection request. This is
191 // typically TLS SNI.
192 //
193 // .. attention::
194 //
195 // The behavior of this field may be affected by how Envoy is configured
196 // as explained below.
197 //
198 // * If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>`
199 // filter is not added, and if a `FilterChainMatch` is not defined for
200 // the :ref:`server name
201 // <envoy_api_field_config.listener.v4alpha.FilterChainMatch.server_names>`,
202 // a TLS connection's requested SNI server name will be treated as if it
203 // wasn't present.
204 //
205 // * A :ref:`listener filter <arch_overview_listener_filters>` may
206 // overwrite a connection's requested server name within Envoy.
207 //
208 // Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn to
209 // setup SNI.
210 type.matcher.v4alpha.StringMatcher requested_server_name = 9;
211 }
212}
213
214// Principal defines an identity or a group of identities for a downstream
215// subject.
216// [#next-free-field: 12]
217message Principal {
218 option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v3.Principal";
219
220 // Used in the `and_ids` and `or_ids` fields in the `identifier` oneof.
221 // Depending on the context, each are applied with the associated behavior.
222 message Set {
223 option (udpa.annotations.versioning).previous_message_type =
224 "envoy.config.rbac.v3.Principal.Set";
225
226 repeated Principal ids = 1 [(validate.rules).repeated = {min_items: 1}];
227 }
228
229 // Authentication attributes for a downstream.
230 message Authenticated {
231 option (udpa.annotations.versioning).previous_message_type =
232 "envoy.config.rbac.v3.Principal.Authenticated";
233
234 reserved 1;
235
236 // The name of the principal. If set, The URI SAN or DNS SAN in that order
237 // is used from the certificate, otherwise the subject field is used. If
238 // unset, it applies to any user that is authenticated.
239 type.matcher.v4alpha.StringMatcher principal_name = 2;
240 }
241
242 reserved 5;
243
244 reserved "source_ip";
245
246 oneof identifier {
247 option (validate.required) = true;
248
249 // A set of identifiers that all must match in order to define the
250 // downstream.
251 Set and_ids = 1;
252
253 // A set of identifiers at least one must match in order to define the
254 // downstream.
255 Set or_ids = 2;
256
257 // When any is set, it matches any downstream.
258 bool any = 3 [(validate.rules).bool = {const: true}];
259
260 // Authenticated attributes that identify the downstream.
261 Authenticated authenticated = 4;
262
263 // A CIDR block that describes the downstream remote/origin address.
264 // Note: This is always the physical peer even if the
265 // :ref:`remote_ip <envoy_api_field_config.rbac.v4alpha.Principal.remote_ip>` is
266 // inferred from for example the x-forwarder-for header, proxy protocol,
267 // etc.
268 core.v4alpha.CidrRange direct_remote_ip = 10;
269
270 // A CIDR block that describes the downstream remote/origin address.
271 // Note: This may not be the physical peer and could be different from the
272 // :ref:`direct_remote_ip
273 // <envoy_api_field_config.rbac.v4alpha.Principal.direct_remote_ip>`. E.g, if the
274 // remote ip is inferred from for example the x-forwarder-for header, proxy
275 // protocol, etc.
276 core.v4alpha.CidrRange remote_ip = 11;
277
278 // A header (or pseudo-header such as :path or :method) on the incoming HTTP
279 // request. Only available for HTTP request. Note: the pseudo-header :path
280 // includes the query and fragment string. Use the `url_path` field if you
281 // want to match the URL path without the query and fragment string.
282 route.v4alpha.HeaderMatcher header = 6;
283
284 // A URL path on the incoming HTTP request. Only available for HTTP.
285 type.matcher.v4alpha.PathMatcher url_path = 9;
286
287 // Metadata that describes additional information about the principal.
288 type.matcher.v4alpha.MetadataMatcher metadata = 7;
289
290 // Negates matching the provided principal. For instance, if the value of
291 // `not_id` would match, this principal would not match. Conversely, if the
292 // value of `not_id` would not match, this principal would match.
293 Principal not_id = 8;
294 }
295}
View as plain text