.. _envoy_v3_api_file_envoy/config/rbac/v3/rbac.proto:
Role Based Access Control (RBAC)
================================
.. _envoy_v3_api_msg_config.rbac.v3.RBAC:
config.rbac.v3.RBAC
-------------------
`[config.rbac.v3.RBAC proto] <https://github.com/envoyproxy/envoy/blob/v1.14.2/api/envoy/config/rbac/v3/rbac.proto#L63>`_
Role Based Access Control (RBAC) provides service-level and method-level access control for a
service. RBAC policies are additive. The policies are examined in order. A request is allowed
once a matching policy is found (suppose the `action` is ALLOW).
Here is an example of RBAC configuration. It has two policies:
* Service account "cluster.local/ns/default/sa/admin" has full access to the service, and so
does "cluster.local/ns/default/sa/superuser".
* Any user can read ("GET") the service at paths with prefix "/products", so long as the
destination port is either 80 or 443.
.. code-block:: yaml
action: ALLOW
policies:
"service-admin":
permissions:
- any: true
principals:
- authenticated:
principal_name:
exact: "cluster.local/ns/default/sa/admin"
- authenticated:
principal_name:
exact: "cluster.local/ns/default/sa/superuser"
"product-viewer":
permissions:
- and_rules:
rules:
- header: { name: ":method", exact_match: "GET" }
- url_path:
path: { prefix: "/products" }
- or_rules:
rules:
- destination_port: 80
- destination_port: 443
principals:
- any: true
.. code-block:: json
{
"action": "...",
"policies": "{...}"
}
.. _envoy_v3_api_field_config.rbac.v3.RBAC.action:
action
(:ref:`config.rbac.v3.RBAC.Action <envoy_v3_api_enum_config.rbac.v3.RBAC.Action>`) The action to take if a policy matches. The request is allowed if and only if:
* `action` is "ALLOWED" and at least one policy matches
* `action` is "DENY" and none of the policies match
.. _envoy_v3_api_field_config.rbac.v3.RBAC.policies:
policies
(map<`string <https://developers.google.com/protocol-buffers/docs/proto#scalar>`_, :ref:`config.rbac.v3.Policy <envoy_v3_api_msg_config.rbac.v3.Policy>`>) Maps from policy name to policy. A match occurs when at least one policy matches the request.
.. _envoy_v3_api_enum_config.rbac.v3.RBAC.Action:
Enum config.rbac.v3.RBAC.Action
-------------------------------
`[config.rbac.v3.RBAC.Action proto] <https://github.com/envoyproxy/envoy/blob/v1.14.2/api/envoy/config/rbac/v3/rbac.proto#L67>`_
Should we do safe-list or block-list style access control?
.. _envoy_v3_api_enum_value_config.rbac.v3.RBAC.Action.ALLOW:
ALLOW
*(DEFAULT)* The policies grant access to principals. The rest is denied. This is safe-list style
access control. This is the default type.
.. _envoy_v3_api_enum_value_config.rbac.v3.RBAC.Action.DENY:
DENY
The policies deny access to principals. The rest is allowed. This is block-list style
access control.
.. _envoy_v3_api_msg_config.rbac.v3.Policy:
config.rbac.v3.Policy
---------------------
`[config.rbac.v3.Policy proto] <https://github.com/envoyproxy/envoy/blob/v1.14.2/api/envoy/config/rbac/v3/rbac.proto#L90>`_
Policy specifies a role and the principals that are assigned/denied the role. A policy matches if
and only if at least one of its permissions match the action taking place AND at least one of its
principals match the downstream AND the condition is true if specified.
.. code-block:: json
{
"permissions": [],
"principals": [],
"condition": "{...}"
}
.. _envoy_v3_api_field_config.rbac.v3.Policy.permissions:
permissions
(:ref:`config.rbac.v3.Permission <envoy_v3_api_msg_config.rbac.v3.Permission>`, *REQUIRED*) Required. The set of permissions that define a role. Each permission is matched with OR
semantics. To match all actions for this policy, a single Permission with the `any` field set
to true should be used.
.. _envoy_v3_api_field_config.rbac.v3.Policy.principals:
principals
(:ref:`config.rbac.v3.Principal <envoy_v3_api_msg_config.rbac.v3.Principal>`, *REQUIRED*) Required. The set of principals that are assigned/denied the role based on “action”. Each
principal is matched with OR semantics. To match all downstreams for this policy, a single
Principal with the `any` field set to true should be used.
.. _envoy_v3_api_field_config.rbac.v3.Policy.condition:
condition
(.google.api.expr.v1alpha1.Expr) An optional symbolic expression specifying an access control
:ref:`condition <arch_overview_condition>`. The condition is combined
with the permissions and the principals as a clause with AND semantics.
.. _envoy_v3_api_msg_config.rbac.v3.Permission:
config.rbac.v3.Permission
-------------------------
`[config.rbac.v3.Permission proto] <https://github.com/envoyproxy/envoy/blob/v1.14.2/api/envoy/config/rbac/v3/rbac.proto#L111>`_
Permission defines an action (or actions) that a principal can take.
.. code-block:: json
{
"and_rules": "{...}",
"or_rules": "{...}",
"any": "...",
"header": "{...}",
"url_path": "{...}",
"destination_ip": "{...}",
"destination_port": "...",
"metadata": "{...}",
"not_rule": "{...}",
"requested_server_name": "{...}"
}
.. _envoy_v3_api_field_config.rbac.v3.Permission.and_rules:
and_rules
(:ref:`config.rbac.v3.Permission.Set <envoy_v3_api_msg_config.rbac.v3.Permission.Set>`) A set of rules that all must match in order to define the action.
Precisely one of :ref:`and_rules <envoy_v3_api_field_config.rbac.v3.Permission.and_rules>`, :ref:`or_rules <envoy_v3_api_field_config.rbac.v3.Permission.or_rules>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Permission.any>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Permission.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Permission.url_path>`, :ref:`destination_ip <envoy_v3_api_field_config.rbac.v3.Permission.destination_ip>`, :ref:`destination_port <envoy_v3_api_field_config.rbac.v3.Permission.destination_port>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Permission.metadata>`, :ref:`not_rule <envoy_v3_api_field_config.rbac.v3.Permission.not_rule>`, :ref:`requested_server_name <envoy_v3_api_field_config.rbac.v3.Permission.requested_server_name>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Permission.or_rules:
or_rules
(:ref:`config.rbac.v3.Permission.Set <envoy_v3_api_msg_config.rbac.v3.Permission.Set>`) A set of rules where at least one must match in order to define the action.
Precisely one of :ref:`and_rules <envoy_v3_api_field_config.rbac.v3.Permission.and_rules>`, :ref:`or_rules <envoy_v3_api_field_config.rbac.v3.Permission.or_rules>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Permission.any>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Permission.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Permission.url_path>`, :ref:`destination_ip <envoy_v3_api_field_config.rbac.v3.Permission.destination_ip>`, :ref:`destination_port <envoy_v3_api_field_config.rbac.v3.Permission.destination_port>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Permission.metadata>`, :ref:`not_rule <envoy_v3_api_field_config.rbac.v3.Permission.not_rule>`, :ref:`requested_server_name <envoy_v3_api_field_config.rbac.v3.Permission.requested_server_name>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Permission.any:
any
(`bool <https://developers.google.com/protocol-buffers/docs/proto#scalar>`_) When any is set, it matches any action.
Precisely one of :ref:`and_rules <envoy_v3_api_field_config.rbac.v3.Permission.and_rules>`, :ref:`or_rules <envoy_v3_api_field_config.rbac.v3.Permission.or_rules>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Permission.any>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Permission.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Permission.url_path>`, :ref:`destination_ip <envoy_v3_api_field_config.rbac.v3.Permission.destination_ip>`, :ref:`destination_port <envoy_v3_api_field_config.rbac.v3.Permission.destination_port>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Permission.metadata>`, :ref:`not_rule <envoy_v3_api_field_config.rbac.v3.Permission.not_rule>`, :ref:`requested_server_name <envoy_v3_api_field_config.rbac.v3.Permission.requested_server_name>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Permission.header:
header
(:ref:`config.route.v3.HeaderMatcher <envoy_v3_api_msg_config.route.v3.HeaderMatcher>`) A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
available for HTTP request.
Note: the pseudo-header :path includes the query and fragment string. Use the `url_path`
field if you want to match the URL path without the query and fragment string.
Precisely one of :ref:`and_rules <envoy_v3_api_field_config.rbac.v3.Permission.and_rules>`, :ref:`or_rules <envoy_v3_api_field_config.rbac.v3.Permission.or_rules>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Permission.any>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Permission.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Permission.url_path>`, :ref:`destination_ip <envoy_v3_api_field_config.rbac.v3.Permission.destination_ip>`, :ref:`destination_port <envoy_v3_api_field_config.rbac.v3.Permission.destination_port>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Permission.metadata>`, :ref:`not_rule <envoy_v3_api_field_config.rbac.v3.Permission.not_rule>`, :ref:`requested_server_name <envoy_v3_api_field_config.rbac.v3.Permission.requested_server_name>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Permission.url_path:
url_path
(:ref:`type.matcher.v3.PathMatcher <envoy_v3_api_msg_type.matcher.v3.PathMatcher>`) A URL path on the incoming HTTP request. Only available for HTTP.
Precisely one of :ref:`and_rules <envoy_v3_api_field_config.rbac.v3.Permission.and_rules>`, :ref:`or_rules <envoy_v3_api_field_config.rbac.v3.Permission.or_rules>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Permission.any>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Permission.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Permission.url_path>`, :ref:`destination_ip <envoy_v3_api_field_config.rbac.v3.Permission.destination_ip>`, :ref:`destination_port <envoy_v3_api_field_config.rbac.v3.Permission.destination_port>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Permission.metadata>`, :ref:`not_rule <envoy_v3_api_field_config.rbac.v3.Permission.not_rule>`, :ref:`requested_server_name <envoy_v3_api_field_config.rbac.v3.Permission.requested_server_name>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Permission.destination_ip:
destination_ip
(:ref:`config.core.v3.CidrRange <envoy_v3_api_msg_config.core.v3.CidrRange>`) A CIDR block that describes the destination IP.
Precisely one of :ref:`and_rules <envoy_v3_api_field_config.rbac.v3.Permission.and_rules>`, :ref:`or_rules <envoy_v3_api_field_config.rbac.v3.Permission.or_rules>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Permission.any>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Permission.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Permission.url_path>`, :ref:`destination_ip <envoy_v3_api_field_config.rbac.v3.Permission.destination_ip>`, :ref:`destination_port <envoy_v3_api_field_config.rbac.v3.Permission.destination_port>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Permission.metadata>`, :ref:`not_rule <envoy_v3_api_field_config.rbac.v3.Permission.not_rule>`, :ref:`requested_server_name <envoy_v3_api_field_config.rbac.v3.Permission.requested_server_name>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Permission.destination_port:
destination_port
(`uint32 <https://developers.google.com/protocol-buffers/docs/proto#scalar>`_) A port number that describes the destination port connecting to.
Precisely one of :ref:`and_rules <envoy_v3_api_field_config.rbac.v3.Permission.and_rules>`, :ref:`or_rules <envoy_v3_api_field_config.rbac.v3.Permission.or_rules>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Permission.any>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Permission.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Permission.url_path>`, :ref:`destination_ip <envoy_v3_api_field_config.rbac.v3.Permission.destination_ip>`, :ref:`destination_port <envoy_v3_api_field_config.rbac.v3.Permission.destination_port>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Permission.metadata>`, :ref:`not_rule <envoy_v3_api_field_config.rbac.v3.Permission.not_rule>`, :ref:`requested_server_name <envoy_v3_api_field_config.rbac.v3.Permission.requested_server_name>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Permission.metadata:
metadata
(:ref:`type.matcher.v3.MetadataMatcher <envoy_v3_api_msg_type.matcher.v3.MetadataMatcher>`) Metadata that describes additional information about the action.
Precisely one of :ref:`and_rules <envoy_v3_api_field_config.rbac.v3.Permission.and_rules>`, :ref:`or_rules <envoy_v3_api_field_config.rbac.v3.Permission.or_rules>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Permission.any>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Permission.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Permission.url_path>`, :ref:`destination_ip <envoy_v3_api_field_config.rbac.v3.Permission.destination_ip>`, :ref:`destination_port <envoy_v3_api_field_config.rbac.v3.Permission.destination_port>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Permission.metadata>`, :ref:`not_rule <envoy_v3_api_field_config.rbac.v3.Permission.not_rule>`, :ref:`requested_server_name <envoy_v3_api_field_config.rbac.v3.Permission.requested_server_name>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Permission.not_rule:
not_rule
(:ref:`config.rbac.v3.Permission <envoy_v3_api_msg_config.rbac.v3.Permission>`) Negates matching the provided permission. For instance, if the value of `not_rule` would
match, this permission would not match. Conversely, if the value of `not_rule` would not
match, this permission would match.
Precisely one of :ref:`and_rules <envoy_v3_api_field_config.rbac.v3.Permission.and_rules>`, :ref:`or_rules <envoy_v3_api_field_config.rbac.v3.Permission.or_rules>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Permission.any>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Permission.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Permission.url_path>`, :ref:`destination_ip <envoy_v3_api_field_config.rbac.v3.Permission.destination_ip>`, :ref:`destination_port <envoy_v3_api_field_config.rbac.v3.Permission.destination_port>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Permission.metadata>`, :ref:`not_rule <envoy_v3_api_field_config.rbac.v3.Permission.not_rule>`, :ref:`requested_server_name <envoy_v3_api_field_config.rbac.v3.Permission.requested_server_name>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Permission.requested_server_name:
requested_server_name
(:ref:`type.matcher.v3.StringMatcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`) The request server from the client's connection request. This is
typically TLS SNI.
.. attention::
The behavior of this field may be affected by how Envoy is configured
as explained below.
* If the :ref:`TLS Inspector <config_listener_filters_tls_inspector>`
filter is not added, and if a `FilterChainMatch` is not defined for
the :ref:`server name <envoy_v3_api_field_config.listener.v3.FilterChainMatch.server_names>`,
a TLS connection's requested SNI server name will be treated as if it
wasn't present.
* A :ref:`listener filter <arch_overview_listener_filters>` may
overwrite a connection's requested server name within Envoy.
Please refer to :ref:`this FAQ entry <faq_how_to_setup_sni>` to learn to
setup SNI.
Precisely one of :ref:`and_rules <envoy_v3_api_field_config.rbac.v3.Permission.and_rules>`, :ref:`or_rules <envoy_v3_api_field_config.rbac.v3.Permission.or_rules>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Permission.any>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Permission.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Permission.url_path>`, :ref:`destination_ip <envoy_v3_api_field_config.rbac.v3.Permission.destination_ip>`, :ref:`destination_port <envoy_v3_api_field_config.rbac.v3.Permission.destination_port>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Permission.metadata>`, :ref:`not_rule <envoy_v3_api_field_config.rbac.v3.Permission.not_rule>`, :ref:`requested_server_name <envoy_v3_api_field_config.rbac.v3.Permission.requested_server_name>` must be set.
.. _envoy_v3_api_msg_config.rbac.v3.Permission.Set:
config.rbac.v3.Permission.Set
-----------------------------
`[config.rbac.v3.Permission.Set proto] <https://github.com/envoyproxy/envoy/blob/v1.14.2/api/envoy/config/rbac/v3/rbac.proto#L116>`_
Used in the `and_rules` and `or_rules` fields in the `rule` oneof. Depending on the context,
each are applied with the associated behavior.
.. code-block:: json
{
"rules": []
}
.. _envoy_v3_api_field_config.rbac.v3.Permission.Set.rules:
rules
(:ref:`config.rbac.v3.Permission <envoy_v3_api_msg_config.rbac.v3.Permission>`, *REQUIRED*)
.. _envoy_v3_api_msg_config.rbac.v3.Principal:
config.rbac.v3.Principal
------------------------
`[config.rbac.v3.Principal proto] <https://github.com/envoyproxy/envoy/blob/v1.14.2/api/envoy/config/rbac/v3/rbac.proto#L183>`_
Principal defines an identity or a group of identities for a downstream subject.
.. code-block:: json
{
"and_ids": "{...}",
"or_ids": "{...}",
"any": "...",
"authenticated": "{...}",
"source_ip": "{...}",
"direct_remote_ip": "{...}",
"remote_ip": "{...}",
"header": "{...}",
"url_path": "{...}",
"metadata": "{...}",
"not_id": "{...}"
}
.. _envoy_v3_api_field_config.rbac.v3.Principal.and_ids:
and_ids
(:ref:`config.rbac.v3.Principal.Set <envoy_v3_api_msg_config.rbac.v3.Principal.Set>`) A set of identifiers that all must match in order to define the downstream.
Precisely one of :ref:`and_ids <envoy_v3_api_field_config.rbac.v3.Principal.and_ids>`, :ref:`or_ids <envoy_v3_api_field_config.rbac.v3.Principal.or_ids>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Principal.any>`, :ref:`authenticated <envoy_v3_api_field_config.rbac.v3.Principal.authenticated>`, :ref:`source_ip <envoy_v3_api_field_config.rbac.v3.Principal.source_ip>`, :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`, :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Principal.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Principal.url_path>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Principal.metadata>`, :ref:`not_id <envoy_v3_api_field_config.rbac.v3.Principal.not_id>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Principal.or_ids:
or_ids
(:ref:`config.rbac.v3.Principal.Set <envoy_v3_api_msg_config.rbac.v3.Principal.Set>`) A set of identifiers at least one must match in order to define the downstream.
Precisely one of :ref:`and_ids <envoy_v3_api_field_config.rbac.v3.Principal.and_ids>`, :ref:`or_ids <envoy_v3_api_field_config.rbac.v3.Principal.or_ids>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Principal.any>`, :ref:`authenticated <envoy_v3_api_field_config.rbac.v3.Principal.authenticated>`, :ref:`source_ip <envoy_v3_api_field_config.rbac.v3.Principal.source_ip>`, :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`, :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Principal.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Principal.url_path>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Principal.metadata>`, :ref:`not_id <envoy_v3_api_field_config.rbac.v3.Principal.not_id>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Principal.any:
any
(`bool <https://developers.google.com/protocol-buffers/docs/proto#scalar>`_) When any is set, it matches any downstream.
Precisely one of :ref:`and_ids <envoy_v3_api_field_config.rbac.v3.Principal.and_ids>`, :ref:`or_ids <envoy_v3_api_field_config.rbac.v3.Principal.or_ids>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Principal.any>`, :ref:`authenticated <envoy_v3_api_field_config.rbac.v3.Principal.authenticated>`, :ref:`source_ip <envoy_v3_api_field_config.rbac.v3.Principal.source_ip>`, :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`, :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Principal.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Principal.url_path>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Principal.metadata>`, :ref:`not_id <envoy_v3_api_field_config.rbac.v3.Principal.not_id>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Principal.authenticated:
authenticated
(:ref:`config.rbac.v3.Principal.Authenticated <envoy_v3_api_msg_config.rbac.v3.Principal.Authenticated>`) Authenticated attributes that identify the downstream.
Precisely one of :ref:`and_ids <envoy_v3_api_field_config.rbac.v3.Principal.and_ids>`, :ref:`or_ids <envoy_v3_api_field_config.rbac.v3.Principal.or_ids>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Principal.any>`, :ref:`authenticated <envoy_v3_api_field_config.rbac.v3.Principal.authenticated>`, :ref:`source_ip <envoy_v3_api_field_config.rbac.v3.Principal.source_ip>`, :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`, :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Principal.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Principal.url_path>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Principal.metadata>`, :ref:`not_id <envoy_v3_api_field_config.rbac.v3.Principal.not_id>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Principal.source_ip:
source_ip
(:ref:`config.core.v3.CidrRange <envoy_v3_api_msg_config.core.v3.CidrRange>`) A CIDR block that describes the downstream IP.
This address will honor proxy protocol, but will not honor XFF.
Precisely one of :ref:`and_ids <envoy_v3_api_field_config.rbac.v3.Principal.and_ids>`, :ref:`or_ids <envoy_v3_api_field_config.rbac.v3.Principal.or_ids>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Principal.any>`, :ref:`authenticated <envoy_v3_api_field_config.rbac.v3.Principal.authenticated>`, :ref:`source_ip <envoy_v3_api_field_config.rbac.v3.Principal.source_ip>`, :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`, :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Principal.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Principal.url_path>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Principal.metadata>`, :ref:`not_id <envoy_v3_api_field_config.rbac.v3.Principal.not_id>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip:
direct_remote_ip
(:ref:`config.core.v3.CidrRange <envoy_v3_api_msg_config.core.v3.CidrRange>`) A CIDR block that describes the downstream remote/origin address.
Note: This is always the physical peer even if the
:ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>` is inferred
from for example the x-forwarder-for header, proxy protocol, etc.
Precisely one of :ref:`and_ids <envoy_v3_api_field_config.rbac.v3.Principal.and_ids>`, :ref:`or_ids <envoy_v3_api_field_config.rbac.v3.Principal.or_ids>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Principal.any>`, :ref:`authenticated <envoy_v3_api_field_config.rbac.v3.Principal.authenticated>`, :ref:`source_ip <envoy_v3_api_field_config.rbac.v3.Principal.source_ip>`, :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`, :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Principal.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Principal.url_path>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Principal.metadata>`, :ref:`not_id <envoy_v3_api_field_config.rbac.v3.Principal.not_id>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Principal.remote_ip:
remote_ip
(:ref:`config.core.v3.CidrRange <envoy_v3_api_msg_config.core.v3.CidrRange>`) A CIDR block that describes the downstream remote/origin address.
Note: This may not be the physical peer and could be different from the
:ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`.
E.g, if the remote ip is inferred from for example the x-forwarder-for header,
proxy protocol, etc.
Precisely one of :ref:`and_ids <envoy_v3_api_field_config.rbac.v3.Principal.and_ids>`, :ref:`or_ids <envoy_v3_api_field_config.rbac.v3.Principal.or_ids>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Principal.any>`, :ref:`authenticated <envoy_v3_api_field_config.rbac.v3.Principal.authenticated>`, :ref:`source_ip <envoy_v3_api_field_config.rbac.v3.Principal.source_ip>`, :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`, :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Principal.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Principal.url_path>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Principal.metadata>`, :ref:`not_id <envoy_v3_api_field_config.rbac.v3.Principal.not_id>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Principal.header:
header
(:ref:`config.route.v3.HeaderMatcher <envoy_v3_api_msg_config.route.v3.HeaderMatcher>`) A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
available for HTTP request.
Note: the pseudo-header :path includes the query and fragment string. Use the `url_path`
field if you want to match the URL path without the query and fragment string.
Precisely one of :ref:`and_ids <envoy_v3_api_field_config.rbac.v3.Principal.and_ids>`, :ref:`or_ids <envoy_v3_api_field_config.rbac.v3.Principal.or_ids>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Principal.any>`, :ref:`authenticated <envoy_v3_api_field_config.rbac.v3.Principal.authenticated>`, :ref:`source_ip <envoy_v3_api_field_config.rbac.v3.Principal.source_ip>`, :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`, :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Principal.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Principal.url_path>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Principal.metadata>`, :ref:`not_id <envoy_v3_api_field_config.rbac.v3.Principal.not_id>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Principal.url_path:
url_path
(:ref:`type.matcher.v3.PathMatcher <envoy_v3_api_msg_type.matcher.v3.PathMatcher>`) A URL path on the incoming HTTP request. Only available for HTTP.
Precisely one of :ref:`and_ids <envoy_v3_api_field_config.rbac.v3.Principal.and_ids>`, :ref:`or_ids <envoy_v3_api_field_config.rbac.v3.Principal.or_ids>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Principal.any>`, :ref:`authenticated <envoy_v3_api_field_config.rbac.v3.Principal.authenticated>`, :ref:`source_ip <envoy_v3_api_field_config.rbac.v3.Principal.source_ip>`, :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`, :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Principal.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Principal.url_path>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Principal.metadata>`, :ref:`not_id <envoy_v3_api_field_config.rbac.v3.Principal.not_id>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Principal.metadata:
metadata
(:ref:`type.matcher.v3.MetadataMatcher <envoy_v3_api_msg_type.matcher.v3.MetadataMatcher>`) Metadata that describes additional information about the principal.
Precisely one of :ref:`and_ids <envoy_v3_api_field_config.rbac.v3.Principal.and_ids>`, :ref:`or_ids <envoy_v3_api_field_config.rbac.v3.Principal.or_ids>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Principal.any>`, :ref:`authenticated <envoy_v3_api_field_config.rbac.v3.Principal.authenticated>`, :ref:`source_ip <envoy_v3_api_field_config.rbac.v3.Principal.source_ip>`, :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`, :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Principal.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Principal.url_path>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Principal.metadata>`, :ref:`not_id <envoy_v3_api_field_config.rbac.v3.Principal.not_id>` must be set.
.. _envoy_v3_api_field_config.rbac.v3.Principal.not_id:
not_id
(:ref:`config.rbac.v3.Principal <envoy_v3_api_msg_config.rbac.v3.Principal>`) Negates matching the provided principal. For instance, if the value of `not_id` would match,
this principal would not match. Conversely, if the value of `not_id` would not match, this
principal would match.
Precisely one of :ref:`and_ids <envoy_v3_api_field_config.rbac.v3.Principal.and_ids>`, :ref:`or_ids <envoy_v3_api_field_config.rbac.v3.Principal.or_ids>`, :ref:`any <envoy_v3_api_field_config.rbac.v3.Principal.any>`, :ref:`authenticated <envoy_v3_api_field_config.rbac.v3.Principal.authenticated>`, :ref:`source_ip <envoy_v3_api_field_config.rbac.v3.Principal.source_ip>`, :ref:`direct_remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.direct_remote_ip>`, :ref:`remote_ip <envoy_v3_api_field_config.rbac.v3.Principal.remote_ip>`, :ref:`header <envoy_v3_api_field_config.rbac.v3.Principal.header>`, :ref:`url_path <envoy_v3_api_field_config.rbac.v3.Principal.url_path>`, :ref:`metadata <envoy_v3_api_field_config.rbac.v3.Principal.metadata>`, :ref:`not_id <envoy_v3_api_field_config.rbac.v3.Principal.not_id>` must be set.
.. _envoy_v3_api_msg_config.rbac.v3.Principal.Set:
config.rbac.v3.Principal.Set
----------------------------
`[config.rbac.v3.Principal.Set proto] <https://github.com/envoyproxy/envoy/blob/v1.14.2/api/envoy/config/rbac/v3/rbac.proto#L188>`_
Used in the `and_ids` and `or_ids` fields in the `identifier` oneof. Depending on the context,
each are applied with the associated behavior.
.. code-block:: json
{
"ids": []
}
.. _envoy_v3_api_field_config.rbac.v3.Principal.Set.ids:
ids
(:ref:`config.rbac.v3.Principal <envoy_v3_api_msg_config.rbac.v3.Principal>`, *REQUIRED*)
.. _envoy_v3_api_msg_config.rbac.v3.Principal.Authenticated:
config.rbac.v3.Principal.Authenticated
--------------------------------------
`[config.rbac.v3.Principal.Authenticated proto] <https://github.com/envoyproxy/envoy/blob/v1.14.2/api/envoy/config/rbac/v3/rbac.proto#L196>`_
Authentication attributes for a downstream.
.. code-block:: json
{
"principal_name": "{...}"
}
.. _envoy_v3_api_field_config.rbac.v3.Principal.Authenticated.principal_name:
principal_name
(:ref:`type.matcher.v3.StringMatcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`) The name of the principal. If set, The URI SAN or DNS SAN in that order is used from the
certificate, otherwise the subject field is used. If unset, it applies to any user that is
authenticated.