go-control-plane: github.com/envoyproxy/go-control-plane/envoy/config/rbac/v4alpha Index | Files

package envoy_config_rbac_v4alpha

import "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v4alpha"

Index

Package Files

rbac.pb.go rbac.pb.validate.go

Variables

var (
    // RBAC_Action_name maps each RBAC_Action number to its proto enum name.
    // 0 is ALLOW, so an RBAC message whose action is left unset reads as ALLOW.
    RBAC_Action_name = map[int32]string{
        0:  "ALLOW",
        1:  "DENY",
        2:  "LOG",
    }
    // RBAC_Action_value is the inverse lookup, from proto enum name to number.
    // A name that is not a key here yields the map zero value 0 (ALLOW) on a
    // plain index, so use the two-value form when parsing external text.
    RBAC_Action_value = map[string]int32{
        "ALLOW": 0,
        "DENY":  1,
        "LOG":   2,
    }
)

Enum value maps for RBAC_Action.

// File_envoy_config_rbac_v4alpha_rbac_proto is the package's
// protoreflect.FileDescriptor; presumably it describes the rbac.proto file
// behind rbac.pb.go (inferred from the name, confirm against the source).
var File_envoy_config_rbac_v4alpha_rbac_proto protoreflect.FileDescriptor

type Permission Uses

// Permission is the generated message for a single RBAC permission rule.
// Rule is a protobuf oneof: it holds at most one of the wrapper types listed
// below, read through the Get* accessors or a type switch on GetRule().
// NOTE(review): whether an unset Rule is rejected depends on Validate, whose
// constraints are not shown on this page.
type Permission struct {

    // Types that are assignable to Rule:
    //	*Permission_AndRules
    //	*Permission_OrRules
    //	*Permission_Any
    //	*Permission_Header
    //	*Permission_UrlPath
    //	*Permission_DestinationIp
    //	*Permission_DestinationPort
    //	*Permission_Metadata
    //	*Permission_NotRule
    //	*Permission_RequestedServerName
    Rule isPermission_Rule `protobuf_oneof:"rule"`
    // contains filtered or unexported fields
}

Permission defines an action (or actions) that a principal can take. [#next-free-field: 11]

func (*Permission) Descriptor Uses

func (*Permission) Descriptor() ([]byte, []int)

Deprecated: Use Permission.ProtoReflect.Descriptor instead.

func (*Permission) GetAndRules Uses

func (x *Permission) GetAndRules() *Permission_Set

func (*Permission) GetAny Uses

func (x *Permission) GetAny() bool

func (*Permission) GetDestinationIp Uses

func (x *Permission) GetDestinationIp() *v4alpha2.CidrRange

func (*Permission) GetDestinationPort Uses

func (x *Permission) GetDestinationPort() uint32

func (*Permission) GetHeader Uses

func (x *Permission) GetHeader() *v4alpha.HeaderMatcher

func (*Permission) GetMetadata Uses

func (x *Permission) GetMetadata() *v4alpha1.MetadataMatcher

func (*Permission) GetNotRule Uses

func (x *Permission) GetNotRule() *Permission

func (*Permission) GetOrRules Uses

func (x *Permission) GetOrRules() *Permission_Set

func (*Permission) GetRequestedServerName Uses

func (x *Permission) GetRequestedServerName() *v4alpha1.StringMatcher

func (*Permission) GetRule Uses

func (m *Permission) GetRule() isPermission_Rule

func (*Permission) GetUrlPath Uses

func (x *Permission) GetUrlPath() *v4alpha1.PathMatcher

func (*Permission) ProtoMessage Uses

func (*Permission) ProtoMessage()

func (*Permission) ProtoReflect Uses

func (x *Permission) ProtoReflect() protoreflect.Message

func (*Permission) Reset Uses

func (x *Permission) Reset()

func (*Permission) String Uses

func (x *Permission) String() string

func (*Permission) Validate Uses

func (m *Permission) Validate() error

Validate checks the field values on Permission with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type PermissionValidationError Uses

// PermissionValidationError is the error returned by Permission.Validate when
// a constraint is not met; its details are read through the Cause, Field,
// Key, Reason and ErrorName methods.
type PermissionValidationError struct {
    // contains filtered or unexported fields
}

PermissionValidationError is the validation error returned by Permission.Validate if the designated constraints aren't met.

func (PermissionValidationError) Cause Uses

func (e PermissionValidationError) Cause() error

Cause function returns cause value.

func (PermissionValidationError) Error Uses

func (e PermissionValidationError) Error() string

Error satisfies the builtin error interface

func (PermissionValidationError) ErrorName Uses

func (e PermissionValidationError) ErrorName() string

ErrorName returns error name.

func (PermissionValidationError) Field Uses

func (e PermissionValidationError) Field() string

Field function returns field value.

func (PermissionValidationError) Key Uses

func (e PermissionValidationError) Key() bool

Key function returns key value.

func (PermissionValidationError) Reason Uses

func (e PermissionValidationError) Reason() string

Reason function returns reason value.

type Permission_AndRules Uses

// Permission_AndRules is the oneof wrapper for the `and_rules` case of
// Permission.Rule.
type Permission_AndRules struct {
    // A set of rules that all must match in order to define the action.
    // NOTE(review): how an empty rule set evaluates is not stated here;
    // confirm before relying on it.
    AndRules *Permission_Set `protobuf:"bytes,1,opt,name=and_rules,json=andRules,proto3,oneof"`
}

type Permission_Any Uses

// Permission_Any is the oneof wrapper for the `any` case of Permission.Rule.
type Permission_Any struct {
    // When any is set, it matches any action.
    // With nothing narrowing the action, access is decided by the policy's
    // principals and condition alone, so review policies that pair this with
    // a broad principal.
    Any bool `protobuf:"varint,3,opt,name=any,proto3,oneof"`
}

type Permission_DestinationIp Uses

// Permission_DestinationIp is the oneof wrapper for the `destination_ip` case
// of Permission.Rule.
type Permission_DestinationIp struct {
    // A CIDR block that describes the destination IP.
    DestinationIp *v4alpha2.CidrRange `protobuf:"bytes,5,opt,name=destination_ip,json=destinationIp,proto3,oneof"`
}

type Permission_DestinationPort Uses

// Permission_DestinationPort is the oneof wrapper for the `destination_port`
// case of Permission.Rule.
type Permission_DestinationPort struct {
    // A port number that describes the destination port connecting to.
    // NOTE(review): the Go type is uint32; whether values above 65535 are
    // rejected depends on Validate's constraints, which are not shown here.
    DestinationPort uint32 `protobuf:"varint,6,opt,name=destination_port,json=destinationPort,proto3,oneof"`
}

type Permission_Header Uses

// Permission_Header is the oneof wrapper for the `header` case of
// Permission.Rule.
type Permission_Header struct {
    // A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
    // available for HTTP request.
    // Note: the pseudo-header :path includes the query and fragment string. Use the `url_path`
    // field if you want to match the URL path without the query and fragment string.
    // Because the query string is chosen by the client, an exact or suffix
    // match on :path can be made to succeed or fail by the caller; prefer
    // `url_path` for path-based authorization.
    Header *v4alpha.HeaderMatcher `protobuf:"bytes,4,opt,name=header,proto3,oneof"`
}

type Permission_Metadata Uses

// Permission_Metadata is the oneof wrapper for the `metadata` case of
// Permission.Rule.
type Permission_Metadata struct {
    // Metadata that describes additional information about the action.
    // NOTE(review): which component populates the matched metadata is not
    // stated here; confirm it is set by a trusted filter before using it
    // for authorization.
    Metadata *v4alpha1.MetadataMatcher `protobuf:"bytes,7,opt,name=metadata,proto3,oneof"`
}

type Permission_NotRule Uses

// Permission_NotRule is the oneof wrapper for the `not_rule` case of
// Permission.Rule. The wrapped value is itself a Permission, so rules nest.
type Permission_NotRule struct {
    // Negates matching the provided permission. For instance, if the value of
    // `not_rule` would match, this permission would not match. Conversely, if
    // the value of `not_rule` would not match, this permission would match.
    // NOTE(review): presumably a negated header or server-name rule also
    // matches requests where that attribute is absent; confirm before using
    // negation to express an allow rule.
    NotRule *Permission `protobuf:"bytes,8,opt,name=not_rule,json=notRule,proto3,oneof"`
}

type Permission_OrRules Uses

// Permission_OrRules is the oneof wrapper for the `or_rules` case of
// Permission.Rule.
type Permission_OrRules struct {
    // A set of rules where at least one must match in order to define the action.
    OrRules *Permission_Set `protobuf:"bytes,2,opt,name=or_rules,json=orRules,proto3,oneof"`
}

type Permission_RequestedServerName Uses

// Permission_RequestedServerName is the oneof wrapper for the
// `requested_server_name` case of Permission.Rule.
type Permission_RequestedServerName struct {
    // The request server from the client's connection request. This is
    // typically TLS SNI.
    //
    // .. attention::
    //
    //   The behavior of this field may be affected by how Envoy is configured
    //   as explained below.
    //
    //   * If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>`
    //     filter is not added, and if a `FilterChainMatch` is not defined for
    //     the :ref:`server name
    //     <envoy_api_field_config.listener.v4alpha.FilterChainMatch.server_names>`,
    //     a TLS connection's requested SNI server name will be treated as if it
    //     wasn't present.
    //
    //   * A :ref:`listener filter <arch_overview_listener_filters>` may
    //     overwrite a connection's requested server name within Envoy.
    //
    // Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn to
    // setup SNI.
    //
    // NOTE(review): the value is supplied by the connecting client and, per
    // the caveats above, can be seen as absent or be overwritten. How a
    // matcher evaluates an absent name is not stated here; confirm it before
    // relying on this field, especially under a DENY action.
    RequestedServerName *v4alpha1.StringMatcher `protobuf:"bytes,9,opt,name=requested_server_name,json=requestedServerName,proto3,oneof"`
}

type Permission_Set Uses

// Permission_Set is the list of permissions carried by the `and_rules` and
// `or_rules` cases; the enclosing case decides whether all or at least one
// of Rules must match.
type Permission_Set struct {
    // Rules holds the member permissions.
    // NOTE(review): whether an empty list is rejected depends on Validate's
    // constraints, which are not shown here.
    Rules []*Permission `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"`
    // contains filtered or unexported fields
}

Used in the `and_rules` and `or_rules` fields in the `rule` oneof. Depending on the context, each is applied with the associated behavior.

func (*Permission_Set) Descriptor Uses

func (*Permission_Set) Descriptor() ([]byte, []int)

Deprecated: Use Permission_Set.ProtoReflect.Descriptor instead.

func (*Permission_Set) GetRules Uses

func (x *Permission_Set) GetRules() []*Permission

func (*Permission_Set) ProtoMessage Uses

func (*Permission_Set) ProtoMessage()

func (*Permission_Set) ProtoReflect Uses

func (x *Permission_Set) ProtoReflect() protoreflect.Message

func (*Permission_Set) Reset Uses

func (x *Permission_Set) Reset()

func (*Permission_Set) String Uses

func (x *Permission_Set) String() string

func (*Permission_Set) Validate Uses

func (m *Permission_Set) Validate() error

Validate checks the field values on Permission_Set with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type Permission_SetValidationError Uses

// Permission_SetValidationError is the error returned by
// Permission_Set.Validate when a constraint is not met; its details are read
// through the Cause, Field, Key, Reason and ErrorName methods.
type Permission_SetValidationError struct {
    // contains filtered or unexported fields
}

Permission_SetValidationError is the validation error returned by Permission_Set.Validate if the designated constraints aren't met.

func (Permission_SetValidationError) Cause Uses

func (e Permission_SetValidationError) Cause() error

Cause function returns cause value.

func (Permission_SetValidationError) Error Uses

func (e Permission_SetValidationError) Error() string

Error satisfies the builtin error interface

func (Permission_SetValidationError) ErrorName Uses

func (e Permission_SetValidationError) ErrorName() string

ErrorName returns error name.

func (Permission_SetValidationError) Field Uses

func (e Permission_SetValidationError) Field() string

Field function returns field value.

func (Permission_SetValidationError) Key Uses

func (e Permission_SetValidationError) Key() bool

Key function returns key value.

func (Permission_SetValidationError) Reason Uses

func (e Permission_SetValidationError) Reason() string

Reason function returns reason value.

type Permission_UrlPath Uses

// Permission_UrlPath is the oneof wrapper for the `url_path` case of
// Permission.Rule.
type Permission_UrlPath struct {
    // A URL path on the incoming HTTP request. Only available for HTTP.
    // NOTE(review): whether the path is normalized (dot segments, duplicate
    // slashes, percent-encoding) before matching is not stated here; confirm
    // it matches what the upstream service will see.
    UrlPath *v4alpha1.PathMatcher `protobuf:"bytes,10,opt,name=url_path,json=urlPath,proto3,oneof"`
}

type Policy Uses

// Policy is the generated message for one named RBAC policy. It matches when
// at least one permission matches, at least one principal matches, and the
// optional condition (ExpressionSpecifier) is true.
type Policy struct {

    // Required. The set of permissions that define a role. Each permission is
    // matched with OR semantics. To match all actions for this policy, a single
    // Permission with the `any` field set to true should be used.
    Permissions []*Permission `protobuf:"bytes,1,rep,name=permissions,proto3" json:"permissions,omitempty"`
    // Required. The set of principals that are assigned/denied the role based on
    // “action”. Each principal is matched with OR semantics. To match all
    // downstreams for this policy, a single Principal with the `any` field set to
    // true should be used.
    // NOTE(review): both lists are marked Required, but this listing does not
    // show whether Validate rejects an empty list; call Validate and check
    // before loading a policy built from external input.
    Principals []*Principal `protobuf:"bytes,2,rep,name=principals,proto3" json:"principals,omitempty"`
    // Types that are assignable to ExpressionSpecifier:
    //	*Policy_Condition
    //	*Policy_CheckedCondition
    ExpressionSpecifier isPolicy_ExpressionSpecifier `protobuf_oneof:"expression_specifier"`
    // contains filtered or unexported fields
}

Policy specifies a role and the principals that are assigned/denied the role. A policy matches if and only if at least one of its permissions match the action taking place AND at least one of its principals match the downstream AND the condition is true if specified.

func (*Policy) Descriptor Uses

func (*Policy) Descriptor() ([]byte, []int)

Deprecated: Use Policy.ProtoReflect.Descriptor instead.

func (*Policy) GetCheckedCondition Uses

func (x *Policy) GetCheckedCondition() *v1alpha1.CheckedExpr

func (*Policy) GetCondition Uses

func (x *Policy) GetCondition() *v1alpha1.Expr

func (*Policy) GetExpressionSpecifier Uses

func (m *Policy) GetExpressionSpecifier() isPolicy_ExpressionSpecifier

func (*Policy) GetPermissions Uses

func (x *Policy) GetPermissions() []*Permission

func (*Policy) GetPrincipals Uses

func (x *Policy) GetPrincipals() []*Principal

func (*Policy) ProtoMessage Uses

func (*Policy) ProtoMessage()

func (*Policy) ProtoReflect Uses

func (x *Policy) ProtoReflect() protoreflect.Message

func (*Policy) Reset Uses

func (x *Policy) Reset()

func (*Policy) String Uses

func (x *Policy) String() string

func (*Policy) Validate Uses

func (m *Policy) Validate() error

Validate checks the field values on Policy with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type PolicyValidationError Uses

// PolicyValidationError is the error returned by Policy.Validate when a
// constraint is not met; its details are read through the Cause, Field, Key,
// Reason and ErrorName methods.
type PolicyValidationError struct {
    // contains filtered or unexported fields
}

PolicyValidationError is the validation error returned by Policy.Validate if the designated constraints aren't met.

func (PolicyValidationError) Cause Uses

func (e PolicyValidationError) Cause() error

Cause function returns cause value.

func (PolicyValidationError) Error Uses

func (e PolicyValidationError) Error() string

Error satisfies the builtin error interface

func (PolicyValidationError) ErrorName Uses

func (e PolicyValidationError) ErrorName() string

ErrorName returns error name.

func (PolicyValidationError) Field Uses

func (e PolicyValidationError) Field() string

Field function returns field value.

func (PolicyValidationError) Key Uses

func (e PolicyValidationError) Key() bool

Key function returns key value.

func (PolicyValidationError) Reason Uses

func (e PolicyValidationError) Reason() string

Reason function returns reason value.

type Policy_CheckedCondition Uses

// Policy_CheckedCondition is the oneof wrapper for the `checked_condition`
// case of Policy.ExpressionSpecifier.
type Policy_CheckedCondition struct {
    // [#not-implemented-hide:]
    // An optional symbolic expression that has been successfully type checked.
    // Only to be used when condition is not used.
    // NOTE(review): the annotation above marks this field as not implemented;
    // do not rely on it to restrict access until that is confirmed otherwise.
    CheckedCondition *v1alpha1.CheckedExpr `protobuf:"bytes,4,opt,name=checked_condition,json=checkedCondition,proto3,oneof"`
}

type Policy_Condition Uses

// Policy_Condition is the oneof wrapper for the `condition` case of
// Policy.ExpressionSpecifier.
type Policy_Condition struct {
    // An optional symbolic expression specifying an access control
    // :ref:`condition <arch_overview_condition>`. The condition is combined
    // with the permissions and the principals as a clause with AND semantics.
    // Only to be used when checked_condition is not used.
    // NOTE(review): how an expression that fails to evaluate is treated is
    // not stated here; confirm the outcome for each action before relying on
    // a condition as the only restriction.
    Condition *v1alpha1.Expr `protobuf:"bytes,3,opt,name=condition,proto3,oneof"`
}

type Principal Uses

// Principal is the generated message for one downstream identity matcher.
// Identifier is a protobuf oneof: it holds at most one of the wrapper types
// listed below, read through the Get* accessors or a type switch on
// GetIdentifier().
// The cases differ in how much they can be trusted: Authenticated and
// DirectRemoteIp describe the connection itself, while Header, UrlPath and
// RemoteIp can depend on data carried in the request.
type Principal struct {

    // Types that are assignable to Identifier:
    //	*Principal_AndIds
    //	*Principal_OrIds
    //	*Principal_Any
    //	*Principal_Authenticated_
    //	*Principal_HiddenEnvoyDeprecatedSourceIp
    //	*Principal_DirectRemoteIp
    //	*Principal_RemoteIp
    //	*Principal_Header
    //	*Principal_UrlPath
    //	*Principal_Metadata
    //	*Principal_NotId
    Identifier isPrincipal_Identifier `protobuf_oneof:"identifier"`
    // contains filtered or unexported fields
}

Principal defines an identity or a group of identities for a downstream subject. [#next-free-field: 12]

func (*Principal) Descriptor Uses

func (*Principal) Descriptor() ([]byte, []int)

Deprecated: Use Principal.ProtoReflect.Descriptor instead.

func (*Principal) GetAndIds Uses

func (x *Principal) GetAndIds() *Principal_Set

func (*Principal) GetAny Uses

func (x *Principal) GetAny() bool

func (*Principal) GetAuthenticated Uses

func (x *Principal) GetAuthenticated() *Principal_Authenticated

func (*Principal) GetDirectRemoteIp Uses

func (x *Principal) GetDirectRemoteIp() *v4alpha2.CidrRange

func (*Principal) GetHeader Uses

func (x *Principal) GetHeader() *v4alpha.HeaderMatcher

func (*Principal) GetHiddenEnvoyDeprecatedSourceIp Uses

func (x *Principal) GetHiddenEnvoyDeprecatedSourceIp() *v4alpha2.CidrRange

Deprecated: Do not use.

func (*Principal) GetIdentifier Uses

func (m *Principal) GetIdentifier() isPrincipal_Identifier

func (*Principal) GetMetadata Uses

func (x *Principal) GetMetadata() *v4alpha1.MetadataMatcher

func (*Principal) GetNotId Uses

func (x *Principal) GetNotId() *Principal

func (*Principal) GetOrIds Uses

func (x *Principal) GetOrIds() *Principal_Set

func (*Principal) GetRemoteIp Uses

func (x *Principal) GetRemoteIp() *v4alpha2.CidrRange

func (*Principal) GetUrlPath Uses

func (x *Principal) GetUrlPath() *v4alpha1.PathMatcher

func (*Principal) ProtoMessage Uses

func (*Principal) ProtoMessage()

func (*Principal) ProtoReflect Uses

func (x *Principal) ProtoReflect() protoreflect.Message

func (*Principal) Reset Uses

func (x *Principal) Reset()

func (*Principal) String Uses

func (x *Principal) String() string

func (*Principal) Validate Uses

func (m *Principal) Validate() error

Validate checks the field values on Principal with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type PrincipalValidationError Uses

// PrincipalValidationError is the error returned by Principal.Validate when a
// constraint is not met; its details are read through the Cause, Field, Key,
// Reason and ErrorName methods.
type PrincipalValidationError struct {
    // contains filtered or unexported fields
}

PrincipalValidationError is the validation error returned by Principal.Validate if the designated constraints aren't met.

func (PrincipalValidationError) Cause Uses

func (e PrincipalValidationError) Cause() error

Cause function returns cause value.

func (PrincipalValidationError) Error Uses

func (e PrincipalValidationError) Error() string

Error satisfies the builtin error interface

func (PrincipalValidationError) ErrorName Uses

func (e PrincipalValidationError) ErrorName() string

ErrorName returns error name.

func (PrincipalValidationError) Field Uses

func (e PrincipalValidationError) Field() string

Field function returns field value.

func (PrincipalValidationError) Key Uses

func (e PrincipalValidationError) Key() bool

Key function returns key value.

func (PrincipalValidationError) Reason Uses

func (e PrincipalValidationError) Reason() string

Reason function returns reason value.

type Principal_AndIds Uses

// Principal_AndIds is the oneof wrapper for the `and_ids` case of
// Principal.Identifier.
type Principal_AndIds struct {
    // A set of identifiers that all must match in order to define the
    // downstream.
    // NOTE(review): how an empty identifier set evaluates is not stated here;
    // confirm before relying on it.
    AndIds *Principal_Set `protobuf:"bytes,1,opt,name=and_ids,json=andIds,proto3,oneof"`
}

type Principal_Any Uses

// Principal_Any is the oneof wrapper for the `any` case of
// Principal.Identifier.
type Principal_Any struct {
    // When any is set, it matches any downstream.
    // No identity check is implied: the policy's permissions and condition
    // are then the only restriction on who can use it.
    Any bool `protobuf:"varint,3,opt,name=any,proto3,oneof"`
}

type Principal_Authenticated Uses

// Principal_Authenticated carries the authentication attributes matched for a
// downstream.
type Principal_Authenticated struct {

    // The name of the principal. If set, the URI SAN or DNS SAN in that order
    // is used from the certificate, otherwise the subject field is used. If
    // unset, it applies to any user that is authenticated.
    // Leaving this unset therefore admits every authenticated peer, not one
    // specific identity. NOTE(review): what counts as "authenticated" depends
    // on the listener's TLS settings, which are outside this message.
    PrincipalName *v4alpha1.StringMatcher `protobuf:"bytes,2,opt,name=principal_name,json=principalName,proto3" json:"principal_name,omitempty"`
    // contains filtered or unexported fields
}

Authentication attributes for a downstream.

func (*Principal_Authenticated) Descriptor Uses

func (*Principal_Authenticated) Descriptor() ([]byte, []int)

Deprecated: Use Principal_Authenticated.ProtoReflect.Descriptor instead.

func (*Principal_Authenticated) GetPrincipalName Uses

func (x *Principal_Authenticated) GetPrincipalName() *v4alpha1.StringMatcher

func (*Principal_Authenticated) ProtoMessage Uses

func (*Principal_Authenticated) ProtoMessage()

func (*Principal_Authenticated) ProtoReflect Uses

func (x *Principal_Authenticated) ProtoReflect() protoreflect.Message

func (*Principal_Authenticated) Reset Uses

func (x *Principal_Authenticated) Reset()

func (*Principal_Authenticated) String Uses

func (x *Principal_Authenticated) String() string

func (*Principal_Authenticated) Validate Uses

func (m *Principal_Authenticated) Validate() error

Validate checks the field values on Principal_Authenticated with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type Principal_AuthenticatedValidationError Uses

// Principal_AuthenticatedValidationError is the error returned by
// Principal_Authenticated.Validate when a constraint is not met; its details
// are read through the Cause, Field, Key, Reason and ErrorName methods.
type Principal_AuthenticatedValidationError struct {
    // contains filtered or unexported fields
}

Principal_AuthenticatedValidationError is the validation error returned by Principal_Authenticated.Validate if the designated constraints aren't met.

func (Principal_AuthenticatedValidationError) Cause Uses

func (e Principal_AuthenticatedValidationError) Cause() error

Cause function returns cause value.

func (Principal_AuthenticatedValidationError) Error Uses

func (e Principal_AuthenticatedValidationError) Error() string

Error satisfies the builtin error interface

func (Principal_AuthenticatedValidationError) ErrorName Uses

func (e Principal_AuthenticatedValidationError) ErrorName() string

ErrorName returns error name.

func (Principal_AuthenticatedValidationError) Field Uses

func (e Principal_AuthenticatedValidationError) Field() string

Field function returns field value.

func (Principal_AuthenticatedValidationError) Key Uses

func (e Principal_AuthenticatedValidationError) Key() bool

Key function returns key value.

func (Principal_AuthenticatedValidationError) Reason Uses

func (e Principal_AuthenticatedValidationError) Reason() string

Reason function returns reason value.

type Principal_Authenticated_ Uses

// Principal_Authenticated_ is the oneof wrapper for the `authenticated` case
// of Principal.Identifier. The trailing underscore distinguishes it from the
// Principal_Authenticated message it wraps.
type Principal_Authenticated_ struct {
    // Authenticated attributes that identify the downstream.
    Authenticated *Principal_Authenticated `protobuf:"bytes,4,opt,name=authenticated,proto3,oneof"`
}

type Principal_DirectRemoteIp Uses

// Principal_DirectRemoteIp is the oneof wrapper for the `direct_remote_ip`
// case of Principal.Identifier.
type Principal_DirectRemoteIp struct {
    // A CIDR block that describes the downstream remote/origin address.
    // Note: This is always the physical peer even if the
    // :ref:`remote_ip <envoy_api_field_config.rbac.v4alpha.Principal.remote_ip>` is
    // inferred from for example the x-forwarded-for header, proxy protocol,
    // etc.
    // Use this case when the rule must hold for the socket peer regardless
    // of what the request claims about its origin.
    DirectRemoteIp *v4alpha2.CidrRange `protobuf:"bytes,10,opt,name=direct_remote_ip,json=directRemoteIp,proto3,oneof"`
}

type Principal_Header Uses

// Principal_Header is the oneof wrapper for the `header` case of
// Principal.Identifier.
type Principal_Header struct {
    // A header (or pseudo-header such as :path or :method) on the incoming HTTP
    // request. Only available for HTTP request. Note: the pseudo-header :path
    // includes the query and fragment string. Use the `url_path` field if you
    // want to match the URL path without the query and fragment string.
    // A request header is supplied by the sender, so it identifies a
    // principal only when a trusted hop in front of this proxy sets or
    // strips it; otherwise combine it with an authenticated or peer-address
    // identifier.
    Header *v4alpha.HeaderMatcher `protobuf:"bytes,6,opt,name=header,proto3,oneof"`
}

type Principal_HiddenEnvoyDeprecatedSourceIp Uses

// Principal_HiddenEnvoyDeprecatedSourceIp is the oneof wrapper for the
// deprecated `hidden_envoy_deprecated_source_ip` case of
// Principal.Identifier.
type Principal_HiddenEnvoyDeprecatedSourceIp struct {
    // A CIDR block that describes the downstream IP.
    // This address will honor proxy protocol, but will not honor XFF.
    //
    // Deprecated: Do not use.
    // The DirectRemoteIp and RemoteIp cases listed on Principal state
    // explicitly which address they match.
    HiddenEnvoyDeprecatedSourceIp *v4alpha2.CidrRange `protobuf:"bytes,5,opt,name=hidden_envoy_deprecated_source_ip,json=hiddenEnvoyDeprecatedSourceIp,proto3,oneof"`
}

type Principal_Metadata Uses

// Principal_Metadata is the oneof wrapper for the `metadata` case of
// Principal.Identifier.
type Principal_Metadata struct {
    // Metadata that describes additional information about the principal.
    // NOTE(review): which component populates the matched metadata is not
    // stated here; confirm it is set by a trusted filter before treating it
    // as an identity.
    Metadata *v4alpha1.MetadataMatcher `protobuf:"bytes,7,opt,name=metadata,proto3,oneof"`
}

type Principal_NotId Uses

// Principal_NotId is the oneof wrapper for the `not_id` case of
// Principal.Identifier. The wrapped value is itself a Principal, so
// identifiers nest.
type Principal_NotId struct {
    // Negates matching the provided principal. For instance, if the value of
    // `not_id` would match, this principal would not match. Conversely, if the
    // value of `not_id` would not match, this principal would match.
    // NOTE(review): a negated identifier matches everything outside the
    // named set, presumably including downstreams with no identity at all;
    // confirm before using negation in an ALLOW policy.
    NotId *Principal `protobuf:"bytes,8,opt,name=not_id,json=notId,proto3,oneof"`
}

type Principal_OrIds Uses

// Principal_OrIds is the oneof wrapper for the `or_ids` case of
// Principal.Identifier.
type Principal_OrIds struct {
    // A set of identifiers of which at least one must match in order to
    // define the downstream.
    OrIds *Principal_Set `protobuf:"bytes,2,opt,name=or_ids,json=orIds,proto3,oneof"`
}

type Principal_RemoteIp Uses

// Principal_RemoteIp is the oneof wrapper for the `remote_ip` case of
// Principal.Identifier.
type Principal_RemoteIp struct {
    // A CIDR block that describes the downstream remote/origin address.
    // Note: This may not be the physical peer and could be different from the
    // :ref:`direct_remote_ip
    // <envoy_api_field_config.rbac.v4alpha.Principal.direct_remote_ip>`. E.g, if the
    // remote ip is inferred from for example the x-forwarded-for header, proxy
    // protocol, etc.
    // An address inferred from x-forwarded-for or proxy protocol is only as
    // trustworthy as the hop that supplied it. Match on this case only when
    // the proxy is configured to accept those sources from trusted peers;
    // otherwise use `direct_remote_ip`.
    RemoteIp *v4alpha2.CidrRange `protobuf:"bytes,11,opt,name=remote_ip,json=remoteIp,proto3,oneof"`
}

type Principal_Set Uses

// Principal_Set is the list of principals carried by the `and_ids` and
// `or_ids` cases; the enclosing case decides whether all or at least one of
// Ids must match.
type Principal_Set struct {
    // Ids holds the member principals.
    // NOTE(review): whether an empty list is rejected depends on Validate's
    // constraints, which are not shown here.
    Ids []*Principal `protobuf:"bytes,1,rep,name=ids,proto3" json:"ids,omitempty"`
    // contains filtered or unexported fields
}

Used in the `and_ids` and `or_ids` fields in the `identifier` oneof. Depending on the context, each is applied with the associated behavior.

func (*Principal_Set) Descriptor Uses

func (*Principal_Set) Descriptor() ([]byte, []int)

Deprecated: Use Principal_Set.ProtoReflect.Descriptor instead.

func (*Principal_Set) GetIds Uses

func (x *Principal_Set) GetIds() []*Principal

func (*Principal_Set) ProtoMessage Uses

func (*Principal_Set) ProtoMessage()

func (*Principal_Set) ProtoReflect Uses

func (x *Principal_Set) ProtoReflect() protoreflect.Message

func (*Principal_Set) Reset Uses

func (x *Principal_Set) Reset()

func (*Principal_Set) String Uses

func (x *Principal_Set) String() string

func (*Principal_Set) Validate Uses

func (m *Principal_Set) Validate() error

Validate checks the field values on Principal_Set with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type Principal_SetValidationError Uses

// Principal_SetValidationError is the error returned by
// Principal_Set.Validate when a constraint is not met; its details are read
// through the Cause, Field, Key, Reason and ErrorName methods.
type Principal_SetValidationError struct {
    // contains filtered or unexported fields
}

Principal_SetValidationError is the validation error returned by Principal_Set.Validate if the designated constraints aren't met.

func (Principal_SetValidationError) Cause Uses

func (e Principal_SetValidationError) Cause() error

Cause function returns cause value.

func (Principal_SetValidationError) Error Uses

func (e Principal_SetValidationError) Error() string

Error satisfies the builtin error interface

func (Principal_SetValidationError) ErrorName Uses

func (e Principal_SetValidationError) ErrorName() string

ErrorName returns error name.

func (Principal_SetValidationError) Field Uses

func (e Principal_SetValidationError) Field() string

Field function returns field value.

func (Principal_SetValidationError) Key Uses

func (e Principal_SetValidationError) Key() bool

Key function returns key value.

func (Principal_SetValidationError) Reason Uses

func (e Principal_SetValidationError) Reason() string

Reason function returns reason value.

type Principal_UrlPath Uses

// Principal_UrlPath is the oneof wrapper for the `url_path` case of
// Principal.Identifier.
type Principal_UrlPath struct {
    // A URL path on the incoming HTTP request. Only available for HTTP.
    // The path is part of the request and so chosen by the sender; on its
    // own it does not establish who the downstream is.
    UrlPath *v4alpha1.PathMatcher `protobuf:"bytes,9,opt,name=url_path,json=urlPath,proto3,oneof"`
}

type RBAC Uses

// RBAC is the generated top-level message: one Action applied to a set of
// named policies. A request "matches" when at least one policy matches it;
// Action decides what a match, or the lack of one, means.
type RBAC struct {

    // The action to take if a policy matches. Every action either allows or denies a request,
    // and can also carry out action-specific operations.
    //
    // Actions:
    //
    //  * ALLOW: Allows the request if and only if there is a policy that matches
    //    the request.
    //  * DENY: Allows the request if and only if there are no policies that
    //    match the request.
    //  * LOG: Allows all requests. If at least one policy matches, the dynamic
    //    metadata key `access_log_hint` is set to the value `true` under the shared
    //    key namespace 'envoy.common'. If no policies match, it is set to `false`.
    //    Other actions do not modify this key.
    //
    // It follows from the definitions above that with an empty Policies map
    // ALLOW rejects every request and DENY admits every request, and that
    // LOG never blocks anything. A config intended to enforce access should
    // not be left on LOG.
    Action RBAC_Action `protobuf:"varint,1,opt,name=action,proto3,enum=envoy.config.rbac.v4alpha.RBAC_Action" json:"action,omitempty"`
    // Maps from policy name to policy. A match occurs when at least one policy matches the request.
    // NOTE(review): this is a Go map and has no defined iteration order;
    // since a single matching policy is enough, order should not change the
    // decision. Confirm before depending on any ordering.
    Policies map[string]*Policy `protobuf:"bytes,2,rep,name=policies,proto3" json:"policies,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
    // contains filtered or unexported fields
}

Role Based Access Control (RBAC) provides service-level and method-level access control for a service. RBAC policies are additive. The policies are examined in order. Requests are allowed or denied based on the `action` and whether a matching policy is found. For instance, if the action is ALLOW and a matching policy is found the request should be allowed.

RBAC can also be used to make access logging decisions by communicating with access loggers through dynamic metadata. When the action is LOG and at least one policy matches, the `access_log_hint` value in the shared key namespace 'envoy.common' is set to `true` indicating the request should be logged.

Here is an example of RBAC configuration. It has two policies:

* Service account "cluster.local/ns/default/sa/admin" has full access to the service, and so does "cluster.local/ns/default/sa/superuser".

* Any user can read ("GET") the service at paths with prefix "/products", so long as the destination port is either 80 or 443.

.. code-block:: yaml

 # ALLOW: a request is admitted only if at least one policy below matches.
 action: ALLOW
 policies:
   # Full access, limited to two named service accounts.
   "service-admin":
     permissions:
       - any: true
     principals:
       # Entries are OR-ed; each requires an exact authenticated principal name.
       - authenticated:
           principal_name:
             exact: "cluster.local/ns/default/sa/admin"
       - authenticated:
           principal_name:
             exact: "cluster.local/ns/default/sa/superuser"
   # Read-only access for every downstream. principals is `any: true`, so the
   # permission rules below are the only restriction on this policy.
   "product-viewer":
     permissions:
         # and_rules: all three rules must match.
         - and_rules:
             rules:
               - header: { name: ":method", exact_match: "GET" }
               # url_path is used rather than the :path header, which would
               # include the query and fragment string.
               - url_path:
                   path: { prefix: "/products" }
               # or_rules: either destination port is accepted.
               - or_rules:
                   rules:
                     - destination_port: 80
                     - destination_port: 443
     principals:
       - any: true

func (*RBAC) Descriptor Uses

func (*RBAC) Descriptor() ([]byte, []int)

Deprecated: Use RBAC.ProtoReflect.Descriptor instead.

func (*RBAC) GetAction Uses

func (x *RBAC) GetAction() RBAC_Action

func (*RBAC) GetPolicies Uses

func (x *RBAC) GetPolicies() map[string]*Policy

func (*RBAC) ProtoMessage Uses

func (*RBAC) ProtoMessage()

func (*RBAC) ProtoReflect Uses

func (x *RBAC) ProtoReflect() protoreflect.Message

func (*RBAC) Reset Uses

func (x *RBAC) Reset()

func (*RBAC) String Uses

func (x *RBAC) String() string

func (*RBAC) Validate Uses

func (m *RBAC) Validate() error

Validate checks the field values on RBAC with the rules defined in the proto definition for this message. If any rules are violated, an error is returned.

type RBACValidationError Uses

// RBACValidationError is the error returned by RBAC.Validate when a
// constraint is not met; its details are read through the Cause, Field, Key,
// Reason and ErrorName methods.
type RBACValidationError struct {
    // contains filtered or unexported fields
}

RBACValidationError is the validation error returned by RBAC.Validate if the designated constraints aren't met.

func (RBACValidationError) Cause Uses

func (e RBACValidationError) Cause() error

Cause function returns cause value.

func (RBACValidationError) Error Uses

func (e RBACValidationError) Error() string

Error satisfies the builtin error interface

func (RBACValidationError) ErrorName Uses

func (e RBACValidationError) ErrorName() string

ErrorName returns error name.

func (RBACValidationError) Field Uses

func (e RBACValidationError) Field() string

Field function returns field value.

func (RBACValidationError) Key Uses

func (e RBACValidationError) Key() bool

Key function returns key value.

func (RBACValidationError) Reason Uses

func (e RBACValidationError) Reason() string

Reason function returns reason value.

type RBAC_Action Uses

type RBAC_Action int32

Should we do safe-list or block-list style access control?

// Values of RBAC_Action. Only ALLOW and DENY enforce a decision; LOG records
// a hint and admits every request.
const (
    // The policies grant access to principals. The rest are denied. This is safe-list style
    // access control. This is the default type.
    // Its value is 0, so an action field left unset reads as ALLOW.
    RBAC_ALLOW RBAC_Action = 0
    // The policies deny access to principals. The rest are allowed. This is block-list style
    // access control.
    // Anything the policies fail to match is admitted, so a matcher that is
    // too narrow fails open under this action.
    RBAC_DENY RBAC_Action = 1
    // The policies set the `access_log_hint` dynamic metadata key based on if requests match.
    // All requests are allowed.
    // This value performs no enforcement; use it for observation only.
    RBAC_LOG RBAC_Action = 2
)

func (RBAC_Action) Descriptor Uses

func (RBAC_Action) Descriptor() protoreflect.EnumDescriptor

func (RBAC_Action) Enum Uses

func (x RBAC_Action) Enum() *RBAC_Action

func (RBAC_Action) EnumDescriptor Uses

func (RBAC_Action) EnumDescriptor() ([]byte, []int)

Deprecated: Use RBAC_Action.Descriptor instead.

func (RBAC_Action) Number Uses

func (x RBAC_Action) Number() protoreflect.EnumNumber

func (RBAC_Action) String Uses

func (x RBAC_Action) String() string

func (RBAC_Action) Type Uses

func (RBAC_Action) Type() protoreflect.EnumType
