public final class RBAC extends com.google.protobuf.GeneratedMessageV3 implements RBACOrBuilder
Role Based Access Control (RBAC) provides service-level and method-level access control for a service. RBAC policies are additive. The policies are examined in order. Requests are allowed or denied based on the `action` and whether a matching policy is found. For instance, if the action is ALLOW and a matching policy is found the request should be allowed. RBAC can also be used to make access logging decisions by communicating with access loggers through dynamic metadata. When the action is LOG and at least one policy matches, the `access_log_hint` value in the shared key namespace 'envoy.common' is set to `true` indicating the request should be logged.

Here is an example of RBAC configuration. It has two policies:

* Service account "cluster.local/ns/default/sa/admin" has full access to the service, and so does "cluster.local/ns/default/sa/superuser".
* Any user can read ("GET") the service at paths with prefix "/products", so long as the destination port is either 80 or 443.

.. code-block:: yaml

    action: ALLOW
    policies:
      "service-admin":
        permissions:
          - any: true
        principals:
          - authenticated:
              principal_name:
                exact: "cluster.local/ns/default/sa/admin"
          - authenticated:
              principal_name:
                exact: "cluster.local/ns/default/sa/superuser"
      "product-viewer":
        permissions:
          - and_rules:
              rules:
                - header: { name: ":method", exact_match: "GET" }
                - url_path:
                    path: { prefix: "/products" }
                - or_rules:
                    rules:
                      - destination_port: 80
                      - destination_port: 443
        principals:
          - any: true

Protobuf type
envoy.config.rbac.v3.RBAC
Modifier and Type | Class and Description |
---|---|
static class |
RBAC.Action
Should we do safe-list or block-list style access control?
|
static class |
RBAC.Builder
Role Based Access Control (RBAC) provides service-level and method-level access control for a
service.
|
com.google.protobuf.GeneratedMessageV3.BuilderParent, com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage,BuilderType extends com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageType,BuilderType>>, com.google.protobuf.GeneratedMessageV3.ExtendableMessage<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage>, com.google.protobuf.GeneratedMessageV3.ExtendableMessageOrBuilder<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage>, com.google.protobuf.GeneratedMessageV3.FieldAccessorTable, com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter
Modifier and Type | Field and Description |
---|---|
static int |
ACTION_FIELD_NUMBER |
static int |
POLICIES_FIELD_NUMBER |
Modifier and Type | Method and Description |
---|---|
boolean |
containsPolicies(String key)
Maps from policy name to policy.
|
boolean |
equals(Object obj) |
RBAC.Action |
getAction()
The action to take if a policy matches.
|
int |
getActionValue()
The action to take if a policy matches.
|
static RBAC |
getDefaultInstance() |
RBAC |
getDefaultInstanceForType() |
static com.google.protobuf.Descriptors.Descriptor |
getDescriptor() |
com.google.protobuf.Parser<RBAC> |
getParserForType() |
Map<String,Policy> |
getPolicies()
Deprecated.
|
int |
getPoliciesCount()
Maps from policy name to policy.
|
Map<String,Policy> |
getPoliciesMap()
Maps from policy name to policy.
|
Policy |
getPoliciesOrDefault(String key,
Policy defaultValue)
Maps from policy name to policy.
|
Policy |
getPoliciesOrThrow(String key)
Maps from policy name to policy.
|
int |
getSerializedSize() |
com.google.protobuf.UnknownFieldSet |
getUnknownFields() |
int |
hashCode() |
protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable |
internalGetFieldAccessorTable() |
protected com.google.protobuf.MapField |
internalGetMapField(int number) |
boolean |
isInitialized() |
static RBAC.Builder |
newBuilder() |
static RBAC.Builder |
newBuilder(RBAC prototype) |
RBAC.Builder |
newBuilderForType() |
protected RBAC.Builder |
newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent) |
protected Object |
newInstance(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused) |
static RBAC |
parseDelimitedFrom(InputStream input) |
static RBAC |
parseDelimitedFrom(InputStream input,
com.google.protobuf.ExtensionRegistryLite extensionRegistry) |
static RBAC |
parseFrom(byte[] data) |
static RBAC |
parseFrom(byte[] data,
com.google.protobuf.ExtensionRegistryLite extensionRegistry) |
static RBAC |
parseFrom(ByteBuffer data) |
static RBAC |
parseFrom(ByteBuffer data,
com.google.protobuf.ExtensionRegistryLite extensionRegistry) |
static RBAC |
parseFrom(com.google.protobuf.ByteString data) |
static RBAC |
parseFrom(com.google.protobuf.ByteString data,
com.google.protobuf.ExtensionRegistryLite extensionRegistry) |
static RBAC |
parseFrom(com.google.protobuf.CodedInputStream input) |
static RBAC |
parseFrom(com.google.protobuf.CodedInputStream input,
com.google.protobuf.ExtensionRegistryLite extensionRegistry) |
static RBAC |
parseFrom(InputStream input) |
static RBAC |
parseFrom(InputStream input,
com.google.protobuf.ExtensionRegistryLite extensionRegistry) |
static com.google.protobuf.Parser<RBAC> |
parser() |
RBAC.Builder |
toBuilder() |
void |
writeTo(com.google.protobuf.CodedOutputStream output) |
canUseUnsafe, computeStringSize, computeStringSizeNoTag, emptyBooleanList, emptyDoubleList, emptyFloatList, emptyIntList, emptyLongList, getAllFields, getDescriptorForType, getField, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, hasField, hasOneof, makeExtensionsImmutable, mergeFromAndMakeImmutableInternal, mutableCopy, mutableCopy, mutableCopy, mutableCopy, mutableCopy, newBooleanList, newBuilderForType, newDoubleList, newFloatList, newIntList, newLongList, parseDelimitedWithIOException, parseDelimitedWithIOException, parseUnknownField, parseUnknownFieldProto3, parseWithIOException, parseWithIOException, parseWithIOException, parseWithIOException, serializeBooleanMapTo, serializeIntegerMapTo, serializeLongMapTo, serializeStringMapTo, writeReplace, writeString, writeStringNoTag
findInitializationErrors, getInitializationErrorString, hashBoolean, hashEnum, hashEnumList, hashFields, hashLong, toString
addAll, addAll, checkByteStringIsUtf8, toByteArray, toByteString, writeDelimitedTo, writeTo
clone, finalize, getClass, notify, notifyAll, wait, wait, wait
public static final int ACTION_FIELD_NUMBER
public static final int POLICIES_FIELD_NUMBER
protected Object newInstance(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)
newInstance
in class com.google.protobuf.GeneratedMessageV3
public final com.google.protobuf.UnknownFieldSet getUnknownFields()
getUnknownFields
in interface com.google.protobuf.MessageOrBuilder
getUnknownFields
in class com.google.protobuf.GeneratedMessageV3
public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()
protected com.google.protobuf.MapField internalGetMapField(int number)
internalGetMapField
in class com.google.protobuf.GeneratedMessageV3
protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
internalGetFieldAccessorTable
in class com.google.protobuf.GeneratedMessageV3
public int getActionValue()
The action to take if a policy matches. Every action either allows or denies a request, and can also carry out action-specific operations.

Actions:

* ALLOW: Allows the request if and only if there is a policy that matches the request.
* DENY: Allows the request if and only if there are no policies that match the request.
* LOG: Allows all requests. If at least one policy matches, the dynamic metadata key `access_log_hint` is set to the value `true` under the shared key namespace 'envoy.common'. If no policies match, it is set to `false`. Other actions do not modify this key.

It follows from these definitions that an empty `policies` map rejects every request under ALLOW and admits every request under DENY, so an unintentionally empty policy set changes the enforcement outcome completely.
.envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
getActionValue
in interface RBACOrBuilder
public RBAC.Action getAction()
The action to take if a policy matches. Every action either allows or denies a request, and can also carry out action-specific operations.

Actions:

* ALLOW: Allows the request if and only if there is a policy that matches the request.
* DENY: Allows the request if and only if there are no policies that match the request.
* LOG: Allows all requests. If at least one policy matches, the dynamic metadata key `access_log_hint` is set to the value `true` under the shared key namespace 'envoy.common'. If no policies match, it is set to `false`. Other actions do not modify this key.

It follows from these definitions that an empty `policies` map rejects every request under ALLOW and admits every request under DENY, so an unintentionally empty policy set changes the enforcement outcome completely.
.envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
getAction
in interface RBACOrBuilder
public int getPoliciesCount()
RBACOrBuilder
Maps from policy name to policy. A match occurs when at least one policy matches the request.
map<string, .envoy.config.rbac.v3.Policy> policies = 2;
getPoliciesCount
in interface RBACOrBuilder
public boolean containsPolicies(String key)
Maps from policy name to policy. A match occurs when at least one policy matches the request.
map<string, .envoy.config.rbac.v3.Policy> policies = 2;
containsPolicies
in interface RBACOrBuilder
@Deprecated public Map<String,Policy> getPolicies()
Deprecated. Use getPoliciesMap() instead.
getPolicies
in interface RBACOrBuilder
public Map<String,Policy> getPoliciesMap()
Maps from policy name to policy. A match occurs when at least one policy matches the request.
map<string, .envoy.config.rbac.v3.Policy> policies = 2;
getPoliciesMap
in interface RBACOrBuilder
public Policy getPoliciesOrDefault(String key, Policy defaultValue)
Maps from policy name to policy. A match occurs when at least one policy matches the request.
map<string, .envoy.config.rbac.v3.Policy> policies = 2;
getPoliciesOrDefault
in interface RBACOrBuilder
public Policy getPoliciesOrThrow(String key)
Maps from policy name to policy. A match occurs when at least one policy matches the request.
map<string, .envoy.config.rbac.v3.Policy> policies = 2;
getPoliciesOrThrow
in interface RBACOrBuilder
public final boolean isInitialized()
isInitialized
in interface com.google.protobuf.MessageLiteOrBuilder
isInitialized
in class com.google.protobuf.GeneratedMessageV3
public void writeTo(com.google.protobuf.CodedOutputStream output) throws IOException
writeTo
in interface com.google.protobuf.MessageLite
writeTo
in class com.google.protobuf.GeneratedMessageV3
IOException
public int getSerializedSize()
getSerializedSize
in interface com.google.protobuf.MessageLite
getSerializedSize
in class com.google.protobuf.GeneratedMessageV3
public boolean equals(Object obj)
equals
in interface com.google.protobuf.Message
equals
in class com.google.protobuf.AbstractMessage
public int hashCode()
hashCode
in interface com.google.protobuf.Message
hashCode
in class com.google.protobuf.AbstractMessage
public static RBAC parseFrom(ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException
com.google.protobuf.InvalidProtocolBufferException
public static RBAC parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
com.google.protobuf.InvalidProtocolBufferException
public static RBAC parseFrom(com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException
com.google.protobuf.InvalidProtocolBufferException
public static RBAC parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
com.google.protobuf.InvalidProtocolBufferException
public static RBAC parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException
com.google.protobuf.InvalidProtocolBufferException
public static RBAC parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
com.google.protobuf.InvalidProtocolBufferException
public static RBAC parseFrom(InputStream input) throws IOException
IOException
public static RBAC parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
IOException
public static RBAC parseDelimitedFrom(InputStream input) throws IOException
IOException
public static RBAC parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
IOException
public static RBAC parseFrom(com.google.protobuf.CodedInputStream input) throws IOException
IOException
public static RBAC parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
IOException
public RBAC.Builder newBuilderForType()
newBuilderForType
in interface com.google.protobuf.Message
newBuilderForType
in interface com.google.protobuf.MessageLite
public static RBAC.Builder newBuilder()
public static RBAC.Builder newBuilder(RBAC prototype)
public RBAC.Builder toBuilder()
toBuilder
in interface com.google.protobuf.Message
toBuilder
in interface com.google.protobuf.MessageLite
protected RBAC.Builder newBuilderForType(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)
newBuilderForType
in class com.google.protobuf.GeneratedMessageV3
public static RBAC getDefaultInstance()
public static com.google.protobuf.Parser<RBAC> parser()
public com.google.protobuf.Parser<RBAC> getParserForType()
getParserForType
in interface com.google.protobuf.Message
getParserForType
in interface com.google.protobuf.MessageLite
getParserForType
in class com.google.protobuf.GeneratedMessageV3
public RBAC getDefaultInstanceForType()
getDefaultInstanceForType
in interface com.google.protobuf.MessageLiteOrBuilder
getDefaultInstanceForType
in interface com.google.protobuf.MessageOrBuilder
Copyright © 2018–2021 The Envoy Project. All rights reserved.