rbacv2

package
v0.12.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 2, 2024 License: Apache-2.0 Imports: 22 Imported by: 28

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	RBAC_Action_name = map[int32]string{
		0: "ALLOW",
		1: "DENY",
	}
	RBAC_Action_value = map[string]int32{
		"ALLOW": 0,
		"DENY":  1,
	}
)

Enum value maps for RBAC_Action.

View Source 
var File_envoy_config_rbac_v2_rbac_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type Permission 

type Permission struct {

	// Types that are assignable to Rule:
	//
	//	*Permission_AndRules
	//	*Permission_OrRules
	//	*Permission_Any
	//	*Permission_Header
	//	*Permission_UrlPath
	//	*Permission_DestinationIp
	//	*Permission_DestinationPort
	//	*Permission_Metadata
	//	*Permission_NotRule
	//	*Permission_RequestedServerName
	Rule isPermission_Rule `protobuf_oneof:"rule"`
	// contains filtered or unexported fields
}

Permission defines an action (or actions) that a principal can take. [#next-free-field: 11]

func (*Permission) Descriptor deprecated 

func (*Permission) Descriptor() ([]byte, []int)

Deprecated: Use Permission.ProtoReflect.Descriptor instead.

func (*Permission) GetAndRules 

func (x *Permission) GetAndRules() *Permission_Set

func (*Permission) GetAny 

func (x *Permission) GetAny() bool

func (*Permission) GetDestinationIp 

func (x *Permission) GetDestinationIp() *core.CidrRange

func (*Permission) GetDestinationPort 

func (x *Permission) GetDestinationPort() uint32

func (*Permission) GetHeader 

func (x *Permission) GetHeader() *route.HeaderMatcher

func (*Permission) GetMetadata 

func (x *Permission) GetMetadata() *matcher.MetadataMatcher

func (*Permission) GetNotRule 

func (x *Permission) GetNotRule() *Permission

func (*Permission) GetOrRules 

func (x *Permission) GetOrRules() *Permission_Set

func (*Permission) GetRequestedServerName 

func (x *Permission) GetRequestedServerName() *matcher.StringMatcher

func (*Permission) GetRule 

func (m *Permission) GetRule() isPermission_Rule

func (*Permission) GetUrlPath added in v0.9.4 

func (x *Permission) GetUrlPath() *matcher.PathMatcher

func (*Permission) ProtoMessage 

func (*Permission) ProtoMessage()

func (*Permission) ProtoReflect added in v0.9.6 

func (x *Permission) ProtoReflect() protoreflect.Message

func (*Permission) Reset 

func (x *Permission) Reset()

func (*Permission) String 

func (x *Permission) String() string

func (*Permission) Validate 

func (m *Permission) Validate() error

Validate checks the field values on Permission with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*Permission) ValidateAll added in v0.10.0 

func (m *Permission) ValidateAll() error

ValidateAll checks the field values on Permission with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in PermissionMultiError, or nil if none found.

type PermissionMultiError added in v0.10.0 

type PermissionMultiError []error

PermissionMultiError is an error wrapping multiple validation errors returned by Permission.ValidateAll() if the designated constraints aren't met.

func (PermissionMultiError) AllErrors added in v0.10.0 

func (m PermissionMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (PermissionMultiError) Error added in v0.10.0 

func (m PermissionMultiError) Error() string

Error returns a concatenation of all the error messages it wraps.

type PermissionValidationError 

type PermissionValidationError struct {
	// contains filtered or unexported fields
}

PermissionValidationError is the validation error returned by Permission.Validate if the designated constraints aren't met.

func (PermissionValidationError) Cause 

func (e PermissionValidationError) Cause() error

Cause function returns cause value.

func (PermissionValidationError) Error 

func (e PermissionValidationError) Error() string

Error satisfies the builtin error interface

func (PermissionValidationError) ErrorName 

func (e PermissionValidationError) ErrorName() string

ErrorName returns error name.

func (PermissionValidationError) Field 

func (e PermissionValidationError) Field() string

Field function returns field value.

func (PermissionValidationError) Key 

func (e PermissionValidationError) Key() bool

Key function returns key value.

func (PermissionValidationError) Reason 

func (e PermissionValidationError) Reason() string

Reason function returns reason value.

type Permission_AndRules 

type Permission_AndRules struct {
	// A set of rules that all must match in order to define the action.
	AndRules *Permission_Set `protobuf:"bytes,1,opt,name=and_rules,json=andRules,proto3,oneof"`
}

type Permission_Any 

type Permission_Any struct {
	// When any is set, it matches any action.
	Any bool `protobuf:"varint,3,opt,name=any,proto3,oneof"`
}

type Permission_DestinationIp 

type Permission_DestinationIp struct {
	// A CIDR block that describes the destination IP.
	DestinationIp *core.CidrRange `protobuf:"bytes,5,opt,name=destination_ip,json=destinationIp,proto3,oneof"`
}

type Permission_DestinationPort 

type Permission_DestinationPort struct {
	// A port number that describes the destination port connecting to.
	DestinationPort uint32 `protobuf:"varint,6,opt,name=destination_port,json=destinationPort,proto3,oneof"`
}

type Permission_Header 

type Permission_Header struct {
	// A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
	// available for HTTP request.
	// Note: the pseudo-header :path includes the query and fragment string. Use the `url_path`
	// field if you want to match the URL path without the query and fragment string.
	Header *route.HeaderMatcher `protobuf:"bytes,4,opt,name=header,proto3,oneof"`
}

type Permission_Metadata 

type Permission_Metadata struct {
	// Metadata that describes additional information about the action.
	Metadata *matcher.MetadataMatcher `protobuf:"bytes,7,opt,name=metadata,proto3,oneof"`
}

type Permission_NotRule 

type Permission_NotRule struct {
	// Negates matching the provided permission. For instance, if the value of `not_rule` would
	// match, this permission would not match. Conversely, if the value of `not_rule` would not
	// match, this permission would match.
	NotRule *Permission `protobuf:"bytes,8,opt,name=not_rule,json=notRule,proto3,oneof"`
}

type Permission_OrRules 

type Permission_OrRules struct {
	// A set of rules where at least one must match in order to define the action.
	OrRules *Permission_Set `protobuf:"bytes,2,opt,name=or_rules,json=orRules,proto3,oneof"`
}

type Permission_RequestedServerName 

type Permission_RequestedServerName struct {
	// The request server from the client's connection request. This is
	// typically TLS SNI.
	//
	// .. attention::
	//
	//	The behavior of this field may be affected by how Envoy is configured
	//	as explained below.
	//
	//	* If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>`
	//	  filter is not added, and if a `FilterChainMatch` is not defined for
	//	  the :ref:`server name <envoy_api_field_listener.FilterChainMatch.server_names>`,
	//	  a TLS connection's requested SNI server name will be treated as if it
	//	  wasn't present.
	//
	//	* A :ref:`listener filter <arch_overview_listener_filters>` may
	//	  overwrite a connection's requested server name within Envoy.
	//
	// Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn to
	// setup SNI.
	RequestedServerName *matcher.StringMatcher `protobuf:"bytes,9,opt,name=requested_server_name,json=requestedServerName,proto3,oneof"`
}

type Permission_Set 

type Permission_Set struct {
	Rules []*Permission `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
	// contains filtered or unexported fields
}

Used in the `and_rules` and `or_rules` fields in the `rule` oneof. Depending on the context, each are applied with the associated behavior.

func (*Permission_Set) Descriptor deprecated 

func (*Permission_Set) Descriptor() ([]byte, []int)

Deprecated: Use Permission_Set.ProtoReflect.Descriptor instead.

func (*Permission_Set) GetRules 

func (x *Permission_Set) GetRules() []*Permission

func (*Permission_Set) ProtoMessage 

func (*Permission_Set) ProtoMessage()

func (*Permission_Set) ProtoReflect added in v0.9.6 

func (x *Permission_Set) ProtoReflect() protoreflect.Message

func (*Permission_Set) Reset 

func (x *Permission_Set) Reset()

func (*Permission_Set) String 

func (x *Permission_Set) String() string

func (*Permission_Set) Validate 

func (m *Permission_Set) Validate() error

Validate checks the field values on Permission_Set with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*Permission_Set) ValidateAll added in v0.10.0 

func (m *Permission_Set) ValidateAll() error

ValidateAll checks the field values on Permission_Set with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in Permission_SetMultiError, or nil if none found.

type Permission_SetMultiError added in v0.10.0 

type Permission_SetMultiError []error

Permission_SetMultiError is an error wrapping multiple validation errors returned by Permission_Set.ValidateAll() if the designated constraints aren't met.

func (Permission_SetMultiError) AllErrors added in v0.10.0 

func (m Permission_SetMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (Permission_SetMultiError) Error added in v0.10.0 

func (m Permission_SetMultiError) Error() string

Error returns a concatenation of all the error messages it wraps.

type Permission_SetValidationError 

type Permission_SetValidationError struct {
	// contains filtered or unexported fields
}

Permission_SetValidationError is the validation error returned by Permission_Set.Validate if the designated constraints aren't met.

func (Permission_SetValidationError) Cause 

func (e Permission_SetValidationError) Cause() error

Cause function returns cause value.

func (Permission_SetValidationError) Error 

func (e Permission_SetValidationError) Error() string

Error satisfies the builtin error interface

func (Permission_SetValidationError) ErrorName 

func (e Permission_SetValidationError) ErrorName() string

ErrorName returns error name.

func (Permission_SetValidationError) Field 

func (e Permission_SetValidationError) Field() string

Field function returns field value.

func (Permission_SetValidationError) Key 

func (e Permission_SetValidationError) Key() bool

Key function returns key value.

func (Permission_SetValidationError) Reason 

func (e Permission_SetValidationError) Reason() string

Reason function returns reason value.

type Permission_UrlPath added in v0.9.4 

type Permission_UrlPath struct {
	// A URL path on the incoming HTTP request. Only available for HTTP.
	UrlPath *matcher.PathMatcher `protobuf:"bytes,10,opt,name=url_path,json=urlPath,proto3,oneof"`
}

type Policy 

type Policy struct {

	// Required. The set of permissions that define a role. Each permission is matched with OR
	// semantics. To match all actions for this policy, a single Permission with the `any` field set
	// to true should be used.
	Permissions []*Permission `protobuf:"bytes,1,rep,name=permissions,proto3" json:"permissions,omitempty"`
	// Required. The set of principals that are assigned/denied the role based on “action”. Each
	// principal is matched with OR semantics. To match all downstreams for this policy, a single
	// Principal with the `any` field set to true should be used.
	Principals []*Principal `protobuf:"bytes,2,rep,name=principals,proto3" json:"principals,omitempty"`
	// An optional symbolic expression specifying an access control
	// :ref:`condition <arch_overview_condition>`. The condition is combined
	// with the permissions and the principals as a clause with AND semantics.
	Condition *v1alpha1.Expr `protobuf:"bytes,3,opt,name=condition,proto3" json:"condition,omitempty"`
	// contains filtered or unexported fields
}

Policy specifies a role and the principals that are assigned/denied the role. A policy matches if and only if at least one of its permissions match the action taking place AND at least one of its principals match the downstream AND the condition is true if specified.

func (*Policy) Descriptor deprecated 

func (*Policy) Descriptor() ([]byte, []int)

Deprecated: Use Policy.ProtoReflect.Descriptor instead.

func (*Policy) GetCondition added in v0.9.0 

func (x *Policy) GetCondition() *v1alpha1.Expr

func (*Policy) GetPermissions 

func (x *Policy) GetPermissions() []*Permission

func (*Policy) GetPrincipals 

func (x *Policy) GetPrincipals() []*Principal

func (*Policy) ProtoMessage 

func (*Policy) ProtoMessage()

func (*Policy) ProtoReflect added in v0.9.6 

func (x *Policy) ProtoReflect() protoreflect.Message

func (*Policy) Reset 

func (x *Policy) Reset()

func (*Policy) String 

func (x *Policy) String() string

func (*Policy) Validate 

func (m *Policy) Validate() error

Validate checks the field values on Policy with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*Policy) ValidateAll added in v0.10.0 

func (m *Policy) ValidateAll() error

ValidateAll checks the field values on Policy with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in PolicyMultiError, or nil if none found.

type PolicyMultiError added in v0.10.0 

type PolicyMultiError []error

PolicyMultiError is an error wrapping multiple validation errors returned by Policy.ValidateAll() if the designated constraints aren't met.

func (PolicyMultiError) AllErrors added in v0.10.0 

func (m PolicyMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (PolicyMultiError) Error added in v0.10.0 

func (m PolicyMultiError) Error() string

Error returns a concatenation of all the error messages it wraps.

type PolicyValidationError 

type PolicyValidationError struct {
	// contains filtered or unexported fields
}

PolicyValidationError is the validation error returned by Policy.Validate if the designated constraints aren't met.

func (PolicyValidationError) Cause 

func (e PolicyValidationError) Cause() error

Cause function returns cause value.

func (PolicyValidationError) Error 

func (e PolicyValidationError) Error() string

Error satisfies the builtin error interface

func (PolicyValidationError) ErrorName 

func (e PolicyValidationError) ErrorName() string

ErrorName returns error name.

func (PolicyValidationError) Field 

func (e PolicyValidationError) Field() string

Field function returns field value.

func (PolicyValidationError) Key 

func (e PolicyValidationError) Key() bool

Key function returns key value.

func (PolicyValidationError) Reason 

func (e PolicyValidationError) Reason() string

Reason function returns reason value.

type Principal 

type Principal struct {

	// Types that are assignable to Identifier:
	//
	//	*Principal_AndIds
	//	*Principal_OrIds
	//	*Principal_Any
	//	*Principal_Authenticated_
	//	*Principal_SourceIp
	//	*Principal_DirectRemoteIp
	//	*Principal_RemoteIp
	//	*Principal_Header
	//	*Principal_UrlPath
	//	*Principal_Metadata
	//	*Principal_NotId
	Identifier isPrincipal_Identifier `protobuf_oneof:"identifier"`
	// contains filtered or unexported fields
}

Principal defines an identity or a group of identities for a downstream subject. [#next-free-field: 12]

func (*Principal) Descriptor deprecated 

func (*Principal) Descriptor() ([]byte, []int)

Deprecated: Use Principal.ProtoReflect.Descriptor instead.

func (*Principal) GetAndIds 

func (x *Principal) GetAndIds() *Principal_Set

func (*Principal) GetAny 

func (x *Principal) GetAny() bool

func (*Principal) GetAuthenticated 

func (x *Principal) GetAuthenticated() *Principal_Authenticated

func (*Principal) GetDirectRemoteIp added in v0.9.6 

func (x *Principal) GetDirectRemoteIp() *core.CidrRange

func (*Principal) GetHeader 

func (x *Principal) GetHeader() *route.HeaderMatcher

func (*Principal) GetIdentifier 

func (m *Principal) GetIdentifier() isPrincipal_Identifier

func (*Principal) GetMetadata 

func (x *Principal) GetMetadata() *matcher.MetadataMatcher

func (*Principal) GetNotId 

func (x *Principal) GetNotId() *Principal

func (*Principal) GetOrIds 

func (x *Principal) GetOrIds() *Principal_Set

func (*Principal) GetRemoteIp added in v0.9.6 

func (x *Principal) GetRemoteIp() *core.CidrRange

func (*Principal) GetSourceIp deprecated 

func (x *Principal) GetSourceIp() *core.CidrRange

Deprecated: Marked as deprecated in envoy/config/rbac/v2/rbac.proto.

func (*Principal) GetUrlPath added in v0.9.4 

func (x *Principal) GetUrlPath() *matcher.PathMatcher

func (*Principal) ProtoMessage 

func (*Principal) ProtoMessage()

func (*Principal) ProtoReflect added in v0.9.6 

func (x *Principal) ProtoReflect() protoreflect.Message

func (*Principal) Reset 

func (x *Principal) Reset()

func (*Principal) String 

func (x *Principal) String() string

func (*Principal) Validate 

func (m *Principal) Validate() error

Validate checks the field values on Principal with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*Principal) ValidateAll added in v0.10.0 

func (m *Principal) ValidateAll() error

ValidateAll checks the field values on Principal with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in PrincipalMultiError, or nil if none found.

type PrincipalMultiError added in v0.10.0 

type PrincipalMultiError []error

PrincipalMultiError is an error wrapping multiple validation errors returned by Principal.ValidateAll() if the designated constraints aren't met.

func (PrincipalMultiError) AllErrors added in v0.10.0 

func (m PrincipalMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (PrincipalMultiError) Error added in v0.10.0 

func (m PrincipalMultiError) Error() string

Error returns a concatenation of all the error messages it wraps.

type PrincipalValidationError 

type PrincipalValidationError struct {
	// contains filtered or unexported fields
}

PrincipalValidationError is the validation error returned by Principal.Validate if the designated constraints aren't met.

func (PrincipalValidationError) Cause 

func (e PrincipalValidationError) Cause() error

Cause function returns cause value.

func (PrincipalValidationError) Error 

func (e PrincipalValidationError) Error() string

Error satisfies the builtin error interface

func (PrincipalValidationError) ErrorName 

func (e PrincipalValidationError) ErrorName() string

ErrorName returns error name.

func (PrincipalValidationError) Field 

func (e PrincipalValidationError) Field() string

Field function returns field value.

func (PrincipalValidationError) Key 

func (e PrincipalValidationError) Key() bool

Key function returns key value.

func (PrincipalValidationError) Reason 

func (e PrincipalValidationError) Reason() string

Reason function returns reason value.

type Principal_AndIds 

type Principal_AndIds struct {
	// A set of identifiers that all must match in order to define the downstream.
	AndIds *Principal_Set `protobuf:"bytes,1,opt,name=and_ids,json=andIds,proto3,oneof"`
}

type Principal_Any 

type Principal_Any struct {
	// When any is set, it matches any downstream.
	Any bool `protobuf:"varint,3,opt,name=any,proto3,oneof"`
}

type Principal_Authenticated 

type Principal_Authenticated struct {

	// The name of the principal. If set, The URI SAN or DNS SAN in that order is used from the
	// certificate, otherwise the subject field is used. If unset, it applies to any user that is
	// authenticated.
	PrincipalName *matcher.StringMatcher `protobuf:"bytes,2,opt,name=principal_name,json=principalName,proto3" json:"principal_name,omitempty"`
	// contains filtered or unexported fields
}

Authentication attributes for a downstream.

func (*Principal_Authenticated) Descriptor deprecated 

func (*Principal_Authenticated) Descriptor() ([]byte, []int)

Deprecated: Use Principal_Authenticated.ProtoReflect.Descriptor instead.

func (*Principal_Authenticated) GetPrincipalName 

func (x *Principal_Authenticated) GetPrincipalName() *matcher.StringMatcher

func (*Principal_Authenticated) ProtoMessage 

func (*Principal_Authenticated) ProtoMessage()

func (*Principal_Authenticated) ProtoReflect added in v0.9.6 

func (x *Principal_Authenticated) ProtoReflect() protoreflect.Message

func (*Principal_Authenticated) Reset 

func (x *Principal_Authenticated) Reset()

func (*Principal_Authenticated) String 

func (x *Principal_Authenticated) String() string

func (*Principal_Authenticated) Validate 

func (m *Principal_Authenticated) Validate() error

Validate checks the field values on Principal_Authenticated with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*Principal_Authenticated) ValidateAll added in v0.10.0 

func (m *Principal_Authenticated) ValidateAll() error

ValidateAll checks the field values on Principal_Authenticated with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in Principal_AuthenticatedMultiError, or nil if none found.

type Principal_AuthenticatedMultiError added in v0.10.0 

type Principal_AuthenticatedMultiError []error

Principal_AuthenticatedMultiError is an error wrapping multiple validation errors returned by Principal_Authenticated.ValidateAll() if the designated constraints aren't met.

func (Principal_AuthenticatedMultiError) AllErrors added in v0.10.0 

func (m Principal_AuthenticatedMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (Principal_AuthenticatedMultiError) Error added in v0.10.0 

func (m Principal_AuthenticatedMultiError) Error() string

Error returns a concatenation of all the error messages it wraps.

type Principal_AuthenticatedValidationError 

type Principal_AuthenticatedValidationError struct {
	// contains filtered or unexported fields
}

Principal_AuthenticatedValidationError is the validation error returned by Principal_Authenticated.Validate if the designated constraints aren't met.

func (Principal_AuthenticatedValidationError) Cause 

func (e Principal_AuthenticatedValidationError) Cause() error

Cause function returns cause value.

func (Principal_AuthenticatedValidationError) Error 

func (e Principal_AuthenticatedValidationError) Error() string

Error satisfies the builtin error interface

func (Principal_AuthenticatedValidationError) ErrorName 

func (e Principal_AuthenticatedValidationError) ErrorName() string

ErrorName returns error name.

func (Principal_AuthenticatedValidationError) Field 

func (e Principal_AuthenticatedValidationError) Field() string

Field function returns field value.

func (Principal_AuthenticatedValidationError) Key 

func (e Principal_AuthenticatedValidationError) Key() bool

Key function returns key value.

func (Principal_AuthenticatedValidationError) Reason 

func (e Principal_AuthenticatedValidationError) Reason() string

Reason function returns reason value.

type Principal_Authenticated_ 

type Principal_Authenticated_ struct {
	// Authenticated attributes that identify the downstream.
	Authenticated *Principal_Authenticated `protobuf:"bytes,4,opt,name=authenticated,proto3,oneof"`
}

type Principal_DirectRemoteIp added in v0.9.6 

type Principal_DirectRemoteIp struct {
	// A CIDR block that describes the downstream remote/origin address.
	// Note: This is always the physical peer even if the
	// :ref:`remote_ip <envoy_api_field_config.rbac.v2.Principal.remote_ip>` is inferred
	// from for example the x-forwarder-for header, proxy protocol, etc.
	DirectRemoteIp *core.CidrRange `protobuf:"bytes,10,opt,name=direct_remote_ip,json=directRemoteIp,proto3,oneof"`
}

type Principal_Header 

type Principal_Header struct {
	// A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
	// available for HTTP request.
	// Note: the pseudo-header :path includes the query and fragment string. Use the `url_path`
	// field if you want to match the URL path without the query and fragment string.
	Header *route.HeaderMatcher `protobuf:"bytes,6,opt,name=header,proto3,oneof"`
}

type Principal_Metadata 

type Principal_Metadata struct {
	// Metadata that describes additional information about the principal.
	Metadata *matcher.MetadataMatcher `protobuf:"bytes,7,opt,name=metadata,proto3,oneof"`
}

type Principal_NotId 

type Principal_NotId struct {
	// Negates matching the provided principal. For instance, if the value of `not_id` would match,
	// this principal would not match. Conversely, if the value of `not_id` would not match, this
	// principal would match.
	NotId *Principal `protobuf:"bytes,8,opt,name=not_id,json=notId,proto3,oneof"`
}

type Principal_OrIds 

type Principal_OrIds struct {
	// A set of identifiers at least one must match in order to define the downstream.
	OrIds *Principal_Set `protobuf:"bytes,2,opt,name=or_ids,json=orIds,proto3,oneof"`
}

type Principal_RemoteIp added in v0.9.6 

type Principal_RemoteIp struct {
	// A CIDR block that describes the downstream remote/origin address.
	// Note: This may not be the physical peer and could be different from the
	// :ref:`direct_remote_ip <envoy_api_field_config.rbac.v2.Principal.direct_remote_ip>`.
	// E.g, if the remote ip is inferred from for example the x-forwarder-for header,
	// proxy protocol, etc.
	RemoteIp *core.CidrRange `protobuf:"bytes,11,opt,name=remote_ip,json=remoteIp,proto3,oneof"`
}

type Principal_Set 

type Principal_Set struct {
	Ids []*Principal `protobuf:"bytes,1,rep,name=ids,proto3" json:"ids,omitempty"`
	// contains filtered or unexported fields
}

Used in the `and_ids` and `or_ids` fields in the `identifier` oneof. Depending on the context, each are applied with the associated behavior.

func (*Principal_Set) Descriptor deprecated 

func (*Principal_Set) Descriptor() ([]byte, []int)

Deprecated: Use Principal_Set.ProtoReflect.Descriptor instead.

func (*Principal_Set) GetIds 

func (x *Principal_Set) GetIds() []*Principal

func (*Principal_Set) ProtoMessage 

func (*Principal_Set) ProtoMessage()

func (*Principal_Set) ProtoReflect added in v0.9.6 

func (x *Principal_Set) ProtoReflect() protoreflect.Message

func (*Principal_Set) Reset 

func (x *Principal_Set) Reset()

func (*Principal_Set) String 

func (x *Principal_Set) String() string

func (*Principal_Set) Validate 

func (m *Principal_Set) Validate() error

Validate checks the field values on Principal_Set with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*Principal_Set) ValidateAll added in v0.10.0 

func (m *Principal_Set) ValidateAll() error

ValidateAll checks the field values on Principal_Set with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in Principal_SetMultiError, or nil if none found.

type Principal_SetMultiError added in v0.10.0 

type Principal_SetMultiError []error

Principal_SetMultiError is an error wrapping multiple validation errors returned by Principal_Set.ValidateAll() if the designated constraints aren't met.

func (Principal_SetMultiError) AllErrors added in v0.10.0 

func (m Principal_SetMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (Principal_SetMultiError) Error added in v0.10.0 

func (m Principal_SetMultiError) Error() string

Error returns a concatenation of all the error messages it wraps.

type Principal_SetValidationError 

type Principal_SetValidationError struct {
	// contains filtered or unexported fields
}

Principal_SetValidationError is the validation error returned by Principal_Set.Validate if the designated constraints aren't met.

func (Principal_SetValidationError) Cause 

func (e Principal_SetValidationError) Cause() error

Cause function returns cause value.

func (Principal_SetValidationError) Error 

func (e Principal_SetValidationError) Error() string

Error satisfies the builtin error interface

func (Principal_SetValidationError) ErrorName 

func (e Principal_SetValidationError) ErrorName() string

ErrorName returns error name.

func (Principal_SetValidationError) Field 

func (e Principal_SetValidationError) Field() string

Field function returns field value.

func (Principal_SetValidationError) Key 

func (e Principal_SetValidationError) Key() bool

Key function returns key value.

func (Principal_SetValidationError) Reason 

func (e Principal_SetValidationError) Reason() string

Reason function returns reason value.

type Principal_SourceIp 

type Principal_SourceIp struct {
	// A CIDR block that describes the downstream IP.
	// This address will honor proxy protocol, but will not honor XFF.
	//
	// Deprecated: Marked as deprecated in envoy/config/rbac/v2/rbac.proto.
	SourceIp *core.CidrRange `protobuf:"bytes,5,opt,name=source_ip,json=sourceIp,proto3,oneof"`
}

type Principal_UrlPath added in v0.9.4 

type Principal_UrlPath struct {
	// A URL path on the incoming HTTP request. Only available for HTTP.
	UrlPath *matcher.PathMatcher `protobuf:"bytes,9,opt,name=url_path,json=urlPath,proto3,oneof"`
}

type RBAC 

type RBAC struct {

	// The action to take if a policy matches. The request is allowed if and only if:
	//
	//   - `action` is "ALLOWED" and at least one policy matches
	//   - `action` is "DENY" and none of the policies match
	Action RBAC_Action `protobuf:"varint,1,opt,name=action,proto3,enum=envoy.config.rbac.v2.RBAC_Action" json:"action,omitempty"`
	// Maps from policy name to policy. A match occurs when at least one policy matches the request.
	Policies map[string]*Policy `` /* 157-byte string literal not displayed */
	// contains filtered or unexported fields
}

Role Based Access Control (RBAC) provides service-level and method-level access control for a service. RBAC policies are additive. The policies are examined in order. A request is allowed once a matching policy is found (suppose the `action` is ALLOW).

Here is an example of RBAC configuration. It has two policies:

  • Service account "cluster.local/ns/default/sa/admin" has full access to the service, and so does "cluster.local/ns/default/sa/superuser".

  • Any user can read ("GET") the service at paths with prefix "/products", so long as the destination port is either 80 or 443.

    .. code-block:: yaml

    action: ALLOW policies: "service-admin": permissions:

  • any: true principals:

  • authenticated: principal_name: exact: "cluster.local/ns/default/sa/admin"

  • authenticated: principal_name: exact: "cluster.local/ns/default/sa/superuser" "product-viewer": permissions:

  • and_rules: rules:

  • header: { name: ":method", exact_match: "GET" }

  • url_path: path: { prefix: "/products" }

  • or_rules: rules:

  • destination_port: 80

  • destination_port: 443 principals:

  • any: true

func (*RBAC) Descriptor deprecated 

func (*RBAC) Descriptor() ([]byte, []int)

Deprecated: Use RBAC.ProtoReflect.Descriptor instead.

func (*RBAC) GetAction 

func (x *RBAC) GetAction() RBAC_Action

func (*RBAC) GetPolicies 

func (x *RBAC) GetPolicies() map[string]*Policy

func (*RBAC) ProtoMessage 

func (*RBAC) ProtoMessage()

func (*RBAC) ProtoReflect added in v0.9.6 

func (x *RBAC) ProtoReflect() protoreflect.Message

func (*RBAC) Reset 

func (x *RBAC) Reset()

func (*RBAC) String 

func (x *RBAC) String() string

func (*RBAC) Validate 

func (m *RBAC) Validate() error

Validate checks the field values on RBAC with the rules defined in the proto definition for this message. If any rules are violated, the first error encountered is returned, or nil if there are no violations.

func (*RBAC) ValidateAll added in v0.10.0 

func (m *RBAC) ValidateAll() error

ValidateAll checks the field values on RBAC with the rules defined in the proto definition for this message. If any rules are violated, the result is a list of violation errors wrapped in RBACMultiError, or nil if none found.

type RBACMultiError added in v0.10.0 

type RBACMultiError []error

RBACMultiError is an error wrapping multiple validation errors returned by RBAC.ValidateAll() if the designated constraints aren't met.

func (RBACMultiError) AllErrors added in v0.10.0 

func (m RBACMultiError) AllErrors() []error

AllErrors returns a list of validation violation errors.

func (RBACMultiError) Error added in v0.10.0 

func (m RBACMultiError) Error() string

Error returns a concatenation of all the error messages it wraps.

type RBACValidationError 

type RBACValidationError struct {
	// contains filtered or unexported fields
}

RBACValidationError is the validation error returned by RBAC.Validate if the designated constraints aren't met.

func (RBACValidationError) Cause 

func (e RBACValidationError) Cause() error

Cause function returns cause value.

func (RBACValidationError) Error 

func (e RBACValidationError) Error() string

Error satisfies the builtin error interface

func (RBACValidationError) ErrorName 

func (e RBACValidationError) ErrorName() string

ErrorName returns error name.

func (RBACValidationError) Field 

func (e RBACValidationError) Field() string

Field function returns field value.

func (RBACValidationError) Key 

func (e RBACValidationError) Key() bool

Key function returns key value.

func (RBACValidationError) Reason 

func (e RBACValidationError) Reason() string

Reason function returns reason value.

type RBAC_Action 

type RBAC_Action int32

Should we do safe-list or block-list style access control? 

const (
	// The policies grant access to principals. The rest is denied. This is safe-list style
	// access control. This is the default type.
	RBAC_ALLOW RBAC_Action = 0
	// The policies deny access to principals. The rest is allowed. This is block-list style
	// access control.
	RBAC_DENY RBAC_Action = 1
)

func (RBAC_Action) Descriptor added in v0.9.6 

func (RBAC_Action) Descriptor() protoreflect.EnumDescriptor

func (RBAC_Action) Enum added in v0.9.6 

func (x RBAC_Action) Enum() *RBAC_Action

func (RBAC_Action) EnumDescriptor deprecated 

func (RBAC_Action) EnumDescriptor() ([]byte, []int)

Deprecated: Use RBAC_Action.Descriptor instead.

func (RBAC_Action) Number added in v0.9.6 

func (x RBAC_Action) Number() protoreflect.EnumNumber

func (RBAC_Action) String 

func (x RBAC_Action) String() string

func (RBAC_Action) Type added in v0.9.6 

func (RBAC_Action) Type() protoreflect.EnumType

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.