Class RBAC

  • All Implemented Interfaces:
    com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, RBACOrBuilder, Serializable

    public final class RBAC
    extends com.google.protobuf.GeneratedMessageV3
    implements RBACOrBuilder
     Role Based Access Control (RBAC) provides service-level and method-level access control for a
     service. Requests are allowed or denied based on the ``action`` and whether a matching policy is
     found. For instance, if the action is ALLOW the request is allowed only when a matching policy
     is found; if no policy matches, it is denied.
     RBAC can also be used to make access logging decisions by communicating with access loggers
     through dynamic metadata. When the action is LOG and at least one policy matches, the
     ``access_log_hint`` value in the shared key namespace 'envoy.common' is set to ``true`` indicating
     the request should be logged.
     Here is an example of RBAC configuration. It has two policies:
     * Service account ``cluster.local/ns/default/sa/admin`` has full access to the service, and so
       does ``cluster.local/ns/default/sa/superuser``.
     * Any user can read (``GET``) the service at paths with prefix ``/products``, so long as the
       destination port is either 80 or 443.
      .. code-block:: yaml
       action: ALLOW
       policies:
         "service-admin":
           permissions:
             - any: true
           principals:
             - authenticated:
                 principal_name:
                   exact: "cluster.local/ns/default/sa/admin"
             - authenticated:
                 principal_name:
                   exact: "cluster.local/ns/default/sa/superuser"
         "product-viewer":
           permissions:
             - and_rules:
                 rules:
                   - header:
                       name: ":method"
                       string_match:
                         exact: "GET"
                   - url_path:
                       path: { prefix: "/products" }
                   - or_rules:
                       rules:
                         - destination_port: 80
                         - destination_port: 443
           principals:
             - any: true
     
    Protobuf type envoy.config.rbac.v3.RBAC
    See Also:
    Serialized Form
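The YAML example in the class comment, built through this class's builder API and pushed through the wire format the way a control plane and Envoy exchange it. This is an added example, not code from this page or from the Envoy project. It assumes the generated classes live in package io.envoyproxy.envoy.config.rbac.v3, with HeaderMatcher in io.envoyproxy.envoy.config.route.v3 and PathMatcher/StringMatcher in io.envoyproxy.envoy.type.matcher.v3 (the layout of the java-control-plane API artifact); the page itself does not state the package names.

```java
import java.util.TreeMap;

import com.google.protobuf.InvalidProtocolBufferException;
// Package names are an assumption (java-control-plane layout); this page does not state them.
import io.envoyproxy.envoy.config.rbac.v3.Permission;
import io.envoyproxy.envoy.config.rbac.v3.Policy;
import io.envoyproxy.envoy.config.rbac.v3.Principal;
import io.envoyproxy.envoy.config.rbac.v3.RBAC;
import io.envoyproxy.envoy.config.route.v3.HeaderMatcher;
import io.envoyproxy.envoy.type.matcher.v3.PathMatcher;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;

public final class RbacConfigExample {

    private static StringMatcher exact(String value) {
        return StringMatcher.newBuilder().setExact(value).build();
    }

    /** Principal that matches a peer whose authenticated identity equals {@code name}. */
    private static Principal serviceAccount(String name) {
        return Principal.newBuilder()
                .setAuthenticated(Principal.Authenticated.newBuilder().setPrincipalName(exact(name)))
                .build();
    }

    /** Builds the same message as the YAML example in the class comment. */
    public static RBAC buildExample() {
        Policy serviceAdmin = Policy.newBuilder()
                .addPermissions(Permission.newBuilder().setAny(true))
                .addPrincipals(serviceAccount("cluster.local/ns/default/sa/admin"))
                .addPrincipals(serviceAccount("cluster.local/ns/default/sa/superuser"))
                .build();

        Permission isGet = Permission.newBuilder()
                .setHeader(HeaderMatcher.newBuilder().setName(":method").setStringMatch(exact("GET")))
                .build();
        Permission productsPath = Permission.newBuilder()
                .setUrlPath(PathMatcher.newBuilder().setPath(StringMatcher.newBuilder().setPrefix("/products")))
                .build();
        Permission webPorts = Permission.newBuilder()
                .setOrRules(Permission.Set.newBuilder()
                        .addRules(Permission.newBuilder().setDestinationPort(80))
                        .addRules(Permission.newBuilder().setDestinationPort(443)))
                .build();
        Policy productViewer = Policy.newBuilder()
                .addPermissions(Permission.newBuilder().setAndRules(
                        Permission.Set.newBuilder().addRules(isGet).addRules(productsPath).addRules(webPorts)))
                .addPrincipals(Principal.newBuilder().setAny(true))
                .build();

        return RBAC.newBuilder()
                .setAction(RBAC.Action.ALLOW)
                .putPolicies("service-admin", serviceAdmin)
                .putPolicies("product-viewer", productViewer)
                .build();
    }

    /** Serializes and re-parses the message, as a control plane and Envoy do across xDS. */
    public static RBAC roundTrip(RBAC rbac) throws InvalidProtocolBufferException {
        return RBAC.parseFrom(rbac.toByteArray());
    }

    public static void main(String[] args) throws InvalidProtocolBufferException {
        RBAC rbac = roundTrip(buildExample());
        if (!rbac.equals(buildExample())) {
            throw new IllegalStateException("serialization round-trip changed the message");
        }
        System.out.println("action=" + rbac.getAction() + " policies=" + rbac.getPoliciesCount());

        // getPoliciesMap() gives no ordering guarantee; Envoy evaluates policies in lexicographic
        // order of the name, which a TreeMap over the map reproduces.
        for (String name : new TreeMap<>(rbac.getPoliciesMap()).keySet()) {
            Policy p = rbac.getPoliciesOrThrow(name);
            System.out.println(name + ": " + p.getPermissionsCount() + " permission(s), "
                    + p.getPrincipalsCount() + " principal(s)");
        }

        // Name lookups: containsPolicies() before getPoliciesOrThrow(), or use getPoliciesOrDefault().
        System.out.println("has service-admin: " + rbac.containsPolicies("service-admin"));
        Policy missing = rbac.getPoliciesOrDefault("no-such-policy", Policy.getDefaultInstance());
        System.out.println("unknown policy -> default instance with "
                + missing.getPermissionsCount() + " permission(s)");
    }
}
```

The equality check after the round trip is the cheap place to catch a control plane that serializes with a different proto version than the one Envoy parses: unknown fields survive the round trip in getUnknownFields() but will not be enforced by the proxy.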
    • Nested Class Summary

      Nested Classes
      Modifier and Type   Class                               Description
      static class        RBAC.Action                         Should we do safe-list or block-list style access control?
      static class        RBAC.AuditLoggingOptions            Protobuf type envoy.config.rbac.v3.RBAC.AuditLoggingOptions
      static interface    RBAC.AuditLoggingOptionsOrBuilder
      static class        RBAC.Builder                        Role Based Access Control (RBAC) provides service-level and method-level access control for a service.
      • Nested classes/interfaces inherited from class com.google.protobuf.GeneratedMessageV3

        com.google.protobuf.GeneratedMessageV3.BuilderParent, com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage,​BuilderType extends com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageType,​BuilderType>>, com.google.protobuf.GeneratedMessageV3.ExtendableMessage<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage>, com.google.protobuf.GeneratedMessageV3.ExtendableMessageOrBuilder<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage>, com.google.protobuf.GeneratedMessageV3.FieldAccessorTable, com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter
      • Nested classes/interfaces inherited from class com.google.protobuf.AbstractMessageLite

        com.google.protobuf.AbstractMessageLite.InternalOneOfEnum
    • Field Summary

      Fields
      Modifier and Type   Field
      static int          ACTION_FIELD_NUMBER
      static int          AUDIT_LOGGING_OPTIONS_FIELD_NUMBER
      static int          POLICIES_FIELD_NUMBER
      • Fields inherited from class com.google.protobuf.GeneratedMessageV3

        alwaysUseFieldBuilders, unknownFields
      • Fields inherited from class com.google.protobuf.AbstractMessage

        memoizedSize
      • Fields inherited from class com.google.protobuf.AbstractMessageLite

        memoizedHashCode
    • Field Detail

      • AUDIT_LOGGING_OPTIONS_FIELD_NUMBER

        public static final int AUDIT_LOGGING_OPTIONS_FIELD_NUMBER
        See Also:
        Constant Field Values
    • Method Detail

      • newInstance

        protected Object newInstance​(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)
        Overrides:
        newInstance in class com.google.protobuf.GeneratedMessageV3
      • getUnknownFields

        public final com.google.protobuf.UnknownFieldSet getUnknownFields()
        Specified by:
        getUnknownFields in interface com.google.protobuf.MessageOrBuilder
        Overrides:
        getUnknownFields in class com.google.protobuf.GeneratedMessageV3
      • getDescriptor

        public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()
      • internalGetMapField

        protected com.google.protobuf.MapField internalGetMapField​(int number)
        Overrides:
        internalGetMapField in class com.google.protobuf.GeneratedMessageV3
      • internalGetFieldAccessorTable

        protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
        Specified by:
        internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3
      • getActionValue

        public int getActionValue()
         The action to take if a policy matches. Every action either allows or denies a request,
         and can also carry out action-specific operations.
         Actions:
          * ``ALLOW``: Allows the request if and only if there is a policy that matches
            the request.
          * ``DENY``: Allows the request if and only if there are no policies that
            match the request.
          * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
            metadata key ``access_log_hint`` is set to the value ``true`` under the shared
            key namespace ``envoy.common``. If no policies match, it is set to ``false``.
            Other actions do not modify this key.
         
        .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
        Specified by:
        getActionValue in interface RBACOrBuilder
        Returns:
        The enum numeric value on the wire for action.
      • getAction

        public RBAC.Action getAction()
         The action to take if a policy matches. Every action either allows or denies a request,
         and can also carry out action-specific operations.
         Actions:
          * ``ALLOW``: Allows the request if and only if there is a policy that matches
            the request.
          * ``DENY``: Allows the request if and only if there are no policies that
            match the request.
          * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
            metadata key ``access_log_hint`` is set to the value ``true`` under the shared
            key namespace ``envoy.common``. If no policies match, it is set to ``false``.
            Other actions do not modify this key.
         
        .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
        Specified by:
        getAction in interface RBACOrBuilder
        Returns:
        The action.
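The action semantics documented for getAction() written out as a decision function, together with the configuration check that follows from them: with DENY and an empty policy map nothing ever matches, so every request is allowed. This is an added example, not code from this page or from Envoy, and it assumes the io.envoyproxy.envoy.config.rbac.v3 package, which the page does not state. It takes the set of matched policy names as input because the matching of a request against Policy, Permission and Principal messages is done elsewhere and is not described on this page.

```java
import java.util.Collections;
import java.util.Map;
import java.util.Set;

// Package name is an assumption (java-control-plane layout); this page does not state it.
import io.envoyproxy.envoy.config.rbac.v3.Policy;
import io.envoyproxy.envoy.config.rbac.v3.RBAC;

public final class RbacActionSemantics {

    /** Result of applying the configured action to one request. */
    public static final class Outcome {
        public final boolean allowed;
        /** Dynamic metadata to emit, namespace -> key -> value; only LOG sets anything. */
        public final Map<String, Map<String, Boolean>> dynamicMetadata;

        Outcome(boolean allowed, Map<String, Map<String, Boolean>> dynamicMetadata) {
            this.allowed = allowed;
            this.dynamicMetadata = dynamicMetadata;
        }
    }

    /**
     * Applies the documented action semantics. {@code matchedPolicies} holds the names of the
     * policies that matched the request; it comes from whatever evaluated the Policy messages.
     */
    public static Outcome apply(RBAC rbac, Set<String> matchedPolicies) {
        boolean matched = !matchedPolicies.isEmpty();
        switch (rbac.getAction()) {
            case ALLOW:
                return new Outcome(matched, Collections.emptyMap());
            case DENY:
                return new Outcome(!matched, Collections.emptyMap());
            case LOG: {
                Map<String, Boolean> hint = Collections.singletonMap("access_log_hint", matched);
                return new Outcome(true, Collections.singletonMap("envoy.common", hint));
            }
            default:
                // UNRECOGNIZED value on the wire: fail closed rather than guess the operator's intent.
                return new Outcome(false, Collections.emptyMap());
        }
    }

    /** Returns a finding when the configuration enforces nothing, or null when it looks sane. */
    public static String lint(RBAC rbac) {
        if (rbac.getAction() == RBAC.Action.LOG) {
            return "LOG allows every request; this filter annotates access logs but enforces nothing";
        }
        if (rbac.getPoliciesCount() == 0) {
            return rbac.getAction() == RBAC.Action.DENY
                    ? "DENY with no policies allows every request (fail-open)"
                    : "ALLOW with no policies denies every request (fail-closed; probably a mistake)";
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed inputs: an allow-list with one (empty) policy, and a deny-list with none.
        RBAC allowList = RBAC.newBuilder().setAction(RBAC.Action.ALLOW)
                .putPolicies("product-viewer", Policy.getDefaultInstance()).build();
        RBAC emptyDenyList = RBAC.newBuilder().setAction(RBAC.Action.DENY).build();
        RBAC logOnly = RBAC.newBuilder().setAction(RBAC.Action.LOG).build();

        System.out.println("ALLOW, policy matched: allowed="
                + apply(allowList, Collections.singleton("product-viewer")).allowed);
        System.out.println("ALLOW, nothing matched: allowed="
                + apply(allowList, Collections.<String>emptySet()).allowed);
        System.out.println("DENY, nothing matched: allowed="
                + apply(emptyDenyList, Collections.<String>emptySet()).allowed);
        System.out.println("LOG metadata: "
                + apply(logOnly, Collections.<String>emptySet()).dynamicMetadata);

        for (RBAC rbac : new RBAC[] {allowList, emptyDenyList, logOnly}) {
            System.out.println(rbac.getAction() + ": " + lint(rbac));
        }
    }
}
```

The DENY-with-no-policies finding is the one worth alerting on: a control plane that filters a deny-list down to an empty map has silently switched enforcement off, and nothing in the message itself marks that as an error.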
      • getPoliciesCount

        public int getPoliciesCount()
        Description copied from interface: RBACOrBuilder
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        getPoliciesCount in interface RBACOrBuilder
      • containsPolicies

        public boolean containsPolicies​(String key)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        containsPolicies in interface RBACOrBuilder
      • getPoliciesMap

        public Map<String,​Policy> getPoliciesMap()
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        getPoliciesMap in interface RBACOrBuilder
      • getPoliciesOrDefault

        public Policy getPoliciesOrDefault​(String key,
                                           Policy defaultValue)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        getPoliciesOrDefault in interface RBACOrBuilder
      • getPoliciesOrThrow

        public Policy getPoliciesOrThrow​(String key)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        getPoliciesOrThrow in interface RBACOrBuilder
      • hasAuditLoggingOptions

        public boolean hasAuditLoggingOptions()
         Audit logging options that include the condition for audit logging to happen
         and audit logger configurations.
         [#not-implemented-hide:] (upstream marker: this field was not implemented in Envoy when
         these classes were generated; check the Envoy release you deploy before relying on it)
         
        .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
        Specified by:
        hasAuditLoggingOptions in interface RBACOrBuilder
        Returns:
        Whether the auditLoggingOptions field is set.
      • getAuditLoggingOptions

        public RBAC.AuditLoggingOptions getAuditLoggingOptions()
         Audit logging options that include the condition for audit logging to happen
         and audit logger configurations.
         [#not-implemented-hide:] (upstream marker: this field was not implemented in Envoy when
         these classes were generated; check the Envoy release you deploy before relying on it)
         
        .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
        Specified by:
        getAuditLoggingOptions in interface RBACOrBuilder
        Returns:
        The auditLoggingOptions.
      • getAuditLoggingOptionsOrBuilder

        public RBAC.AuditLoggingOptionsOrBuilder getAuditLoggingOptionsOrBuilder()
         Audit logging options that include the condition for audit logging to happen
         and audit logger configurations.
         [#not-implemented-hide:] (upstream marker: this field was not implemented in Envoy when
         these classes were generated; check the Envoy release you deploy before relying on it)
         
        .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
        Specified by:
        getAuditLoggingOptionsOrBuilder in interface RBACOrBuilder
      • isInitialized

        public final boolean isInitialized()
        Specified by:
        isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
        Overrides:
        isInitialized in class com.google.protobuf.GeneratedMessageV3
      • writeTo

        public void writeTo​(com.google.protobuf.CodedOutputStream output)
                     throws IOException
        Specified by:
        writeTo in interface com.google.protobuf.MessageLite
        Overrides:
        writeTo in class com.google.protobuf.GeneratedMessageV3
        Throws:
        IOException
      • getSerializedSize

        public int getSerializedSize()
        Specified by:
        getSerializedSize in interface com.google.protobuf.MessageLite
        Overrides:
        getSerializedSize in class com.google.protobuf.GeneratedMessageV3
      • equals

        public boolean equals​(Object obj)
        Specified by:
        equals in interface com.google.protobuf.Message
        Overrides:
        equals in class com.google.protobuf.AbstractMessage
      • hashCode

        public int hashCode()
        Specified by:
        hashCode in interface com.google.protobuf.Message
        Overrides:
        hashCode in class com.google.protobuf.AbstractMessage
      • parseFrom

        public static RBAC parseFrom​(ByteBuffer data)
                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static RBAC parseFrom​(ByteBuffer data,
                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static RBAC parseFrom​(com.google.protobuf.ByteString data)
                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static RBAC parseFrom​(com.google.protobuf.ByteString data,
                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static RBAC parseFrom​(byte[] data)
                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static RBAC parseFrom​(byte[] data,
                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static RBAC parseFrom​(com.google.protobuf.CodedInputStream input,
                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                              throws IOException
        Throws:
        IOException
      • newBuilderForType

        public RBAC.Builder newBuilderForType()
        Specified by:
        newBuilderForType in interface com.google.protobuf.Message
        Specified by:
        newBuilderForType in interface com.google.protobuf.MessageLite
      • toBuilder

        public RBAC.Builder toBuilder()
        Specified by:
        toBuilder in interface com.google.protobuf.Message
        Specified by:
        toBuilder in interface com.google.protobuf.MessageLite
      • newBuilderForType

        protected RBAC.Builder newBuilderForType​(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)
        Specified by:
        newBuilderForType in class com.google.protobuf.GeneratedMessageV3
      • getDefaultInstance

        public static RBAC getDefaultInstance()
      • parser

        public static com.google.protobuf.Parser<RBAC> parser()
      • getParserForType

        public com.google.protobuf.Parser<RBAC> getParserForType()
        Specified by:
        getParserForType in interface com.google.protobuf.Message
        Specified by:
        getParserForType in interface com.google.protobuf.MessageLite
        Overrides:
        getParserForType in class com.google.protobuf.GeneratedMessageV3
      • getDefaultInstanceForType

        public RBAC getDefaultInstanceForType()
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder