istio: istio.io/istio/pilot/pkg/security/authz/model

package model

import "istio.io/istio/pilot/pkg/security/authz/model"

Package Files

helper.go model.go permission.go principal.go util.go

Constants

const (
    // RBACHTTPFilterName is the name of the RBAC http filter in envoy.
    RBACHTTPFilterName = "envoy.filters.http.rbac"

    // RBACTCPFilterName is the name of the RBAC network filter in envoy.
    RBACTCPFilterName       = "envoy.filters.network.rbac"
    RBACTCPFilterStatPrefix = "tcp."
)

type KeyValues

type KeyValues map[string][]string

type Model

type Model struct {
    Permissions []Permission
    Principals  []Principal
}

Model includes a group of permissions and principals that define the access control semantics. The Permissions specify a list of allowed actions, the Principals specify a list of allowed source identities. A request is allowed if it matches any of the permissions and any of the principals.
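As an added illustration of the matching rule above (not code from the istio package): a constructed Go mirror of a subset of Permission, Principal and Model, plus an assumed Request type, that evaluates a request as "any permission AND any principal". It assumes, as this package's field names suggest, that an empty positive list is unconstrained and that the Not* lists act as exclusions.

```go
package main

// Request (constructed, not an istio type) carries the attributes matched below;
// Permission, Principal and Model mirror a subset of the page's structs as a
// hypothetical re-implementation for illustration, not istio's own code.
type Request struct{ Host, Path, Name, Namespace string }
type Permission struct {
	Hosts, NotHosts, Paths, NotPaths []string
	AllowAll                         bool
}
type Principal struct {
	Names, NotNames, Namespaces []string
	AllowAll                    bool
}
type Model struct {
	Permissions []Permission
	Principals  []Principal
}

// allowed checks one attribute: an empty positive list is unconstrained, any hit in the negative list rejects.
func allowed(want, not []string, v string) bool {
	ok := len(want) == 0
	for _, w := range want {
		ok = ok || w == v
	}
	for _, n := range not {
		ok = ok && n != v
	}
	return ok
}

func (p Permission) Match(r Request) bool { // the action side: which host and path
	return p.AllowAll || (allowed(p.Hosts, p.NotHosts, r.Host) && allowed(p.Paths, p.NotPaths, r.Path))
}

func (p Principal) Match(r Request) bool { // the identity side: who is calling
	return p.AllowAll || (allowed(p.Names, p.NotNames, r.Name) && allowed(p.Namespaces, nil, r.Namespace))
}

// Allow applies the page's rule: any one permission AND any one principal must match (empty lists deny).
func (m Model) Allow(r Request) bool {
	permOK, princOK := false, false
	for _, p := range m.Permissions {
		permOK = permOK || p.Match(r)
	}
	for _, p := range m.Principals {
		princOK = princOK || p.Match(r)
	}
	return permOK && princOK
}
```

A Model with no Permissions or no Principals therefore allows nothing, which is the safe default when a policy is only half-populated.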

func NewModelV1alpha1

func NewModelV1alpha1(trustDomain string, trustDomainAliases []string, role *istio_rbac.ServiceRole, bindings []*istio_rbac.ServiceRoleBinding) *Model

NewModelV1alpha1 constructs a Model from a single ServiceRole and a list of ServiceRoleBindings. The ServiceRole is converted to the permission and the ServiceRoleBindings are converted to the principals.

func NewModelV1beta1

func NewModelV1beta1(trustDomain string, trustDomainAliases []string, rule *security.Rule) *Model

NewModelV1beta1 constructs a Model from a v1beta1 Rule.

func (*Model) Generate

func (m *Model) Generate(service *ServiceMetadata, forTCPFilter bool) *envoy_rbac.Policy

Generate generates the envoy RBAC filter policy based on the permissions and principals specified in the model for the given service. This function only generates the policy if the constraints and properties specified in the model are matched by the given service. It also validates whether the model is valid for the TCP filter.

type Permission

type Permission struct {
    Services    []string // For backward compatibility only.
    Hosts       []string
    NotHosts    []string
    Paths       []string
    NotPaths    []string
    Methods     []string
    NotMethods  []string
    Ports       []string
    NotPorts    []string
    Constraints []KeyValues
    AllowAll    bool
}

func (*Permission) Generate

func (permission *Permission) Generate(forTCPFilter bool) (*envoy_rbac.Permission, error)

func (*Permission) Match

func (permission *Permission) Match(service *ServiceMetadata) bool

Match returns true if the calling service's attributes and/or labels match the ServiceRole constraints.

func (*Permission) ValidateForTCP

func (permission *Permission) ValidateForTCP(forTCP bool) error

ValidateForTCP checks whether the permission is valid for the TCP filter. A permission is not valid for the TCP filter if it includes any HTTP-only fields, e.g. hosts, paths, etc.

type Principal

type Principal struct {
    Users             []string // For backward compatibility only.
    Names             []string
    NotNames          []string
    Group             string // For backward compatibility only.
    Groups            []string
    NotGroups         []string
    Namespaces        []string
    NotNamespaces     []string
    IPs               []string
    NotIPs            []string
    RequestPrincipals []string
    Properties        []KeyValues
    AllowAll          bool
}

func (*Principal) Generate

func (principal *Principal) Generate(forTCPFilter bool) (*envoy_rbac.Principal, error)

func (*Principal) ValidateForTCP

func (principal *Principal) ValidateForTCP(forTCP bool) error

ValidateForTCP checks whether the principal is valid for the TCP filter. A principal is not valid for the TCP filter if it includes any HTTP-only fields, e.g. group, etc.

type ServiceMetadata

type ServiceMetadata struct {
    Name       string            // fully qualified service name, e.g. "productpage.default.svc.cluster.local"
    Labels     map[string]string // labels of the service instance
    Attributes map[string]string // additional attributes of the service
}

ServiceMetadata is a collection of different kinds of information about a service.

func NewServiceMetadata

func NewServiceMetadata(name string, namespace string, service *model.ServiceInstance) (*ServiceMetadata, error)

func (*ServiceMetadata) GetNamespace

func (sm *ServiceMetadata) GetNamespace() string

Directories

Path      Synopsis
matcher

Package model imports 15 packages and is imported by 7 packages. Updated 2019-10-20.