...

Text file src/github.com/datawire/ambassador/v2/api/envoy/config/rbac/v4alpha/rbac.proto

Documentation: github.com/datawire/ambassador/v2/api/envoy/config/rbac/v4alpha

     1syntax = "proto3";
     2
     3package envoy.config.rbac.v4alpha;
     4
     5import "envoy/config/core/v4alpha/address.proto";
     6import "envoy/config/route/v4alpha/route_components.proto";
     7import "envoy/type/matcher/v4alpha/metadata.proto";
     8import "envoy/type/matcher/v4alpha/path.proto";
     9import "envoy/type/matcher/v4alpha/string.proto";
    10
    11import "google/api/expr/v1alpha1/checked.proto";
    12import "google/api/expr/v1alpha1/syntax.proto";
    13
    14import "udpa/annotations/status.proto";
    15import "udpa/annotations/versioning.proto";
    16import "validate/validate.proto";
    17
    18option java_package = "io.envoyproxy.envoy.config.rbac.v4alpha";
    19option java_outer_classname = "RbacProto";
    20option java_multiple_files = true;
    21option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
    22
    23// [#protodoc-title: Role Based Access Control (RBAC)]
    24
    25// Role Based Access Control (RBAC) provides service-level and method-level access control for a
    26// service. RBAC policies are additive. The policies are examined in order. Requests are allowed
    27// or denied based on the `action` and whether a matching policy is found. For instance, if the
    28// action is ALLOW and a matching policy is found the request should be allowed.
    29//
    30// RBAC can also be used to make access logging decisions by communicating with access loggers
    31// through dynamic metadata. When the action is LOG and at least one policy matches, the
    32// `access_log_hint` value in the shared key namespace 'envoy.common' is set to `true` indicating
    33// the request should be logged.
    34//
    35// Here is an example of RBAC configuration. It has two policies:
    36//
    37// * Service account "cluster.local/ns/default/sa/admin" has full access to the service, and so
    38//   does "cluster.local/ns/default/sa/superuser".
    39//
    40// * Any user can read ("GET") the service at paths with prefix "/products", so long as the
    41//   destination port is either 80 or 443.
    42//
    43//  .. code-block:: yaml
    44//
    45//   action: ALLOW
    46//   policies:
    47//     "service-admin":
    48//       permissions:
    49//         - any: true
    50//       principals:
    51//         - authenticated:
    52//             principal_name:
    53//               exact: "cluster.local/ns/default/sa/admin"
    54//         - authenticated:
    55//             principal_name:
    56//               exact: "cluster.local/ns/default/sa/superuser"
    57//     "product-viewer":
    58//       permissions:
    59//           - and_rules:
    60//               rules:
    61//                 - header: { name: ":method", exact_match: "GET" }
    62//                 - url_path:
    63//                     path: { prefix: "/products" }
    64//                 - or_rules:
    65//                     rules:
    66//                       - destination_port: 80
    67//                       - destination_port: 443
    68//       principals:
    69//         - any: true
    70//
    71message RBAC {
    72  option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v3.RBAC";
    73
    74  // Should we do safe-list or block-list style access control?
    75  enum Action {
    76    // The policies grant access to principals. The rest are denied. This is safe-list style
    77    // access control. This is the default type.
    78    ALLOW = 0;
    79
    80    // The policies deny access to principals. The rest are allowed. This is block-list style
    81    // access control.
    82    DENY = 1;
    83
    84    // The policies set the `access_log_hint` dynamic metadata key based on if requests match.
    85    // All requests are allowed.
    86    LOG = 2;
    87  }
    88
    89  // The action to take if a policy matches. Every action either allows or denies a request,
    90  // and can also carry out action-specific operations.
    91  //
    92  // Actions:
    93  //
    94  //  * ALLOW: Allows the request if and only if there is a policy that matches
    95  //    the request.
    96  //  * DENY: Allows the request if and only if there are no policies that
    97  //    match the request.
    98  //  * LOG: Allows all requests. If at least one policy matches, the dynamic
    99  //    metadata key `access_log_hint` is set to the value `true` under the shared
   100  //    key namespace 'envoy.common'. If no policies match, it is set to `false`.
   101  //    Other actions do not modify this key.
   102  //
   103  Action action = 1 [(validate.rules).enum = {defined_only: true}];
   104
   105  // Maps from policy name to policy. A match occurs when at least one policy matches the request.
   106  map<string, Policy> policies = 2;
   107}
   108
   109// Policy specifies a role and the principals that are assigned/denied the role.
   110// A policy matches if and only if at least one of its permissions match the
   111// action taking place AND at least one of its principals match the downstream
   112// AND the condition is true if specified.
   113message Policy {
   114  option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v3.Policy";
   115
   116  // Required. The set of permissions that define a role. Each permission is
   117  // matched with OR semantics. To match all actions for this policy, a single
   118  // Permission with the `any` field set to true should be used.
   119  repeated Permission permissions = 1 [(validate.rules).repeated = {min_items: 1}];
   120
   121  // Required. The set of principals that are assigned/denied the role based on
   122  // “action”. Each principal is matched with OR semantics. To match all
   123  // downstreams for this policy, a single Principal with the `any` field set to
   124  // true should be used.
   125  repeated Principal principals = 2 [(validate.rules).repeated = {min_items: 1}];
   126
   127  oneof expression_specifier {
   128    // An optional symbolic expression specifying an access control
   129    // :ref:`condition <arch_overview_condition>`. The condition is combined
   130    // with the permissions and the principals as a clause with AND semantics.
   131    // Only be used when checked_condition is not used.
   132    google.api.expr.v1alpha1.Expr condition = 3;
   133
   134    // [#not-implemented-hide:]
   135    // An optional symbolic expression that has been successfully type checked.
   136    // Only be used when condition is not used.
   137    google.api.expr.v1alpha1.CheckedExpr checked_condition = 4;
   138  }
   139}
   140
   141// Permission defines an action (or actions) that a principal can take.
   142// [#next-free-field: 11]
   143message Permission {
   144  option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v3.Permission";
   145
   146  // Used in the `and_rules` and `or_rules` fields in the `rule` oneof. Depending on the context,
   147  // each are applied with the associated behavior.
   148  message Set {
   149    option (udpa.annotations.versioning).previous_message_type =
   150        "envoy.config.rbac.v3.Permission.Set";
   151
   152    repeated Permission rules = 1 [(validate.rules).repeated = {min_items: 1}];
   153  }
   154
   155  oneof rule {
   156    option (validate.required) = true;
   157
   158    // A set of rules that all must match in order to define the action.
   159    Set and_rules = 1;
   160
   161    // A set of rules where at least one must match in order to define the action.
   162    Set or_rules = 2;
   163
   164    // When any is set, it matches any action.
   165    bool any = 3 [(validate.rules).bool = {const: true}];
   166
   167    // A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
   168    // available for HTTP request.
   169    // Note: the pseudo-header :path includes the query and fragment string. Use the `url_path`
   170    // field if you want to match the URL path without the query and fragment string.
   171    route.v4alpha.HeaderMatcher header = 4;
   172
   173    // A URL path on the incoming HTTP request. Only available for HTTP.
   174    type.matcher.v4alpha.PathMatcher url_path = 10;
   175
   176    // A CIDR block that describes the destination IP.
   177    core.v4alpha.CidrRange destination_ip = 5;
   178
   179    // A port number that describes the destination port connecting to.
   180    uint32 destination_port = 6 [(validate.rules).uint32 = {lte: 65535}];
   181
   182    // Metadata that describes additional information about the action.
   183    type.matcher.v4alpha.MetadataMatcher metadata = 7;
   184
   185    // Negates matching the provided permission. For instance, if the value of
   186    // `not_rule` would match, this permission would not match. Conversely, if
   187    // the value of `not_rule` would not match, this permission would match.
   188    Permission not_rule = 8;
   189
   190    // The request server from the client's connection request. This is
   191    // typically TLS SNI.
   192    //
   193    // .. attention::
   194    //
   195    //   The behavior of this field may be affected by how Envoy is configured
   196    //   as explained below.
   197    //
   198    //   * If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>`
   199    //     filter is not added, and if a `FilterChainMatch` is not defined for
   200    //     the :ref:`server name
   201    //     <envoy_api_field_config.listener.v4alpha.FilterChainMatch.server_names>`,
   202    //     a TLS connection's requested SNI server name will be treated as if it
   203    //     wasn't present.
   204    //
   205    //   * A :ref:`listener filter <arch_overview_listener_filters>` may
   206    //     overwrite a connection's requested server name within Envoy.
   207    //
   208    // Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn to
   209    // setup SNI.
   210    type.matcher.v4alpha.StringMatcher requested_server_name = 9;
   211  }
   212}
   213
   214// Principal defines an identity or a group of identities for a downstream
   215// subject.
   216// [#next-free-field: 12]
   217message Principal {
   218  option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v3.Principal";
   219
   220  // Used in the `and_ids` and `or_ids` fields in the `identifier` oneof.
   221  // Depending on the context, each are applied with the associated behavior.
   222  message Set {
   223    option (udpa.annotations.versioning).previous_message_type =
   224        "envoy.config.rbac.v3.Principal.Set";
   225
   226    repeated Principal ids = 1 [(validate.rules).repeated = {min_items: 1}];
   227  }
   228
   229  // Authentication attributes for a downstream.
   230  message Authenticated {
   231    option (udpa.annotations.versioning).previous_message_type =
   232        "envoy.config.rbac.v3.Principal.Authenticated";
   233
   234    reserved 1;
   235
   236    // The name of the principal. If set, The URI SAN or DNS SAN in that order
   237    // is used from the certificate, otherwise the subject field is used. If
   238    // unset, it applies to any user that is authenticated.
   239    type.matcher.v4alpha.StringMatcher principal_name = 2;
   240  }
   241
   242  reserved 5;
   243
   244  reserved "source_ip";
   245
   246  oneof identifier {
   247    option (validate.required) = true;
   248
   249    // A set of identifiers that all must match in order to define the
   250    // downstream.
   251    Set and_ids = 1;
   252
   253    // A set of identifiers at least one must match in order to define the
   254    // downstream.
   255    Set or_ids = 2;
   256
   257    // When any is set, it matches any downstream.
   258    bool any = 3 [(validate.rules).bool = {const: true}];
   259
   260    // Authenticated attributes that identify the downstream.
   261    Authenticated authenticated = 4;
   262
   263    // A CIDR block that describes the downstream remote/origin address.
   264    // Note: This is always the physical peer even if the
   265    // :ref:`remote_ip <envoy_api_field_config.rbac.v4alpha.Principal.remote_ip>` is
   266    // inferred from for example the x-forwarder-for header, proxy protocol,
   267    // etc.
   268    core.v4alpha.CidrRange direct_remote_ip = 10;
   269
   270    // A CIDR block that describes the downstream remote/origin address.
   271    // Note: This may not be the physical peer and could be different from the
   272    // :ref:`direct_remote_ip
   273    // <envoy_api_field_config.rbac.v4alpha.Principal.direct_remote_ip>`. E.g, if the
   274    // remote ip is inferred from for example the x-forwarder-for header, proxy
   275    // protocol, etc.
   276    core.v4alpha.CidrRange remote_ip = 11;
   277
   278    // A header (or pseudo-header such as :path or :method) on the incoming HTTP
   279    // request. Only available for HTTP request. Note: the pseudo-header :path
   280    // includes the query and fragment string. Use the `url_path` field if you
   281    // want to match the URL path without the query and fragment string.
   282    route.v4alpha.HeaderMatcher header = 6;
   283
   284    // A URL path on the incoming HTTP request. Only available for HTTP.
   285    type.matcher.v4alpha.PathMatcher url_path = 9;
   286
   287    // Metadata that describes additional information about the principal.
   288    type.matcher.v4alpha.MetadataMatcher metadata = 7;
   289
   290    // Negates matching the provided principal. For instance, if the value of
   291    // `not_id` would match, this principal would not match. Conversely, if the
   292    // value of `not_id` would not match, this principal would match.
   293    Principal not_id = 8;
   294  }
   295}

View as plain text