Package io.envoyproxy.envoy.config.rbac.v3

Class RBAC.Builder

java.lang.Object
com.google.protobuf.AbstractMessageLite.Builder
com.google.protobuf.AbstractMessage.Builder<RBAC.Builder>
com.google.protobuf.GeneratedMessage.Builder<RBAC.Builder>
io.envoyproxy.envoy.config.rbac.v3.RBAC.Builder
All Implemented Interfaces:
com.google.protobuf.Message.Builder, com.google.protobuf.MessageLite.Builder, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, RBACOrBuilder, Cloneable
Enclosing class:
RBAC
public static final class RBAC.Builder extends com.google.protobuf.GeneratedMessage.Builder<RBAC.Builder> implements RBACOrBuilder
 Role Based Access Control (RBAC) provides service-level and method-level access control for a
 service. Requests are allowed or denied based on the ``action`` and whether a matching policy is
 found. For instance, if the action is ALLOW and a matching policy is found the request should be
 allowed.

 RBAC can also be used to make access logging decisions by communicating with access loggers
 through dynamic metadata. When the action is LOG and at least one policy matches, the
 ``access_log_hint`` value in the shared key namespace 'envoy.common' is set to ``true`` indicating
 the request should be logged.

 Here is an example of RBAC configuration. It has two policies:

 * Service account ``cluster.local/ns/default/sa/admin`` has full access to the service, and so
 does "cluster.local/ns/default/sa/superuser".

 * Any user can read (``GET``) the service at paths with prefix ``/products``, so long as the
 destination port is either 80 or 443.

 .. code-block:: yaml

 action: ALLOW
 policies:
 "service-admin":
 permissions:
 - any: true
 principals:
 - authenticated:
 principal_name:
 exact: "cluster.local/ns/default/sa/admin"
 - authenticated:
 principal_name:
 exact: "cluster.local/ns/default/sa/superuser"
 "product-viewer":
 permissions:
 - and_rules:
 rules:
 - header:
 name: ":method"
 string_match:
 exact: "GET"
 - url_path:
 path: { prefix: "/products" }
 - or_rules:
 rules:
 - destination_port: 80
 - destination_port: 443
 principals:
 - any: true
Protobuf type envoy.config.rbac.v3.RBAC

  • Field Details

  • Constructor Details

    • Builder

      private Builder()

    • Builder

      private Builder(com.google.protobuf.AbstractMessage.BuilderParent parent)

  • Method Details

    • getDescriptor

      public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

    • internalGetMapFieldReflection

      protected com.google.protobuf.MapFieldReflectionAccessor internalGetMapFieldReflection(int number)
      Overrides:
      internalGetMapFieldReflection in class com.google.protobuf.GeneratedMessage.Builder<RBAC.Builder>

    • internalGetMutableMapFieldReflection

      protected com.google.protobuf.MapFieldReflectionAccessor internalGetMutableMapFieldReflection(int number)
      Overrides:
      internalGetMutableMapFieldReflection in class com.google.protobuf.GeneratedMessage.Builder<RBAC.Builder>

    • internalGetFieldAccessorTable

      protected com.google.protobuf.GeneratedMessage.FieldAccessorTable internalGetFieldAccessorTable()
      Specified by:
      internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessage.Builder<RBAC.Builder>

    • maybeForceBuilderInitialization

      private void maybeForceBuilderInitialization()

    • clear

      public RBAC.Builder clear()
      Specified by:
      clear in interface com.google.protobuf.Message.Builder
      Specified by:
      clear in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      clear in class com.google.protobuf.GeneratedMessage.Builder<RBAC.Builder>

    • getDescriptorForType

      public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
      Specified by:
      getDescriptorForType in interface com.google.protobuf.Message.Builder
      Specified by:
      getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
      Overrides:
      getDescriptorForType in class com.google.protobuf.GeneratedMessage.Builder<RBAC.Builder>

    • getDefaultInstanceForType

      public RBAC getDefaultInstanceForType()
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder

    • build

      public RBAC build()
      Specified by:
      build in interface com.google.protobuf.Message.Builder
      Specified by:
      build in interface com.google.protobuf.MessageLite.Builder

    • buildPartial

      public RBAC buildPartial()
      Specified by:
      buildPartial in interface com.google.protobuf.Message.Builder
      Specified by:
      buildPartial in interface com.google.protobuf.MessageLite.Builder

    • buildPartial0

      private void buildPartial0(RBAC result)

    • mergeFrom

      public RBAC.Builder mergeFrom(com.google.protobuf.Message other)
      Specified by:
      mergeFrom in interface com.google.protobuf.Message.Builder
      Overrides:
      mergeFrom in class com.google.protobuf.AbstractMessage.Builder<RBAC.Builder>

    • mergeFrom

      public RBAC.Builder mergeFrom(RBAC other)

    • isInitialized

      public final boolean isInitialized()
      Specified by:
      isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
      Overrides:
      isInitialized in class com.google.protobuf.GeneratedMessage.Builder<RBAC.Builder>

    • mergeFrom

      public RBAC.Builder mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Specified by:
      mergeFrom in interface com.google.protobuf.Message.Builder
      Specified by:
      mergeFrom in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      mergeFrom in class com.google.protobuf.AbstractMessage.Builder<RBAC.Builder>
      Throws:
      IOException

    • getActionValue

      public int getActionValue()
       The action to take if a policy matches. Every action either allows or denies a request,
 and can also carry out action-specific operations.

 Actions:

 * ``ALLOW``: Allows the request if and only if there is a policy that matches
 the request.
 * ``DENY``: Allows the request if and only if there are no policies that
 match the request.
 * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
 metadata key ``access_log_hint`` is set to the value ``true`` under the shared
 key namespace ``envoy.common``. If no policies match, it is set to ``false``.
 Other actions do not modify this key.
      .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
      Specified by:
      getActionValue in interface RBACOrBuilder
      Returns:
      The enum numeric value on the wire for action.

    • setActionValue

      public RBAC.Builder setActionValue(int value)
       The action to take if a policy matches. Every action either allows or denies a request,
 and can also carry out action-specific operations.

 Actions:

 * ``ALLOW``: Allows the request if and only if there is a policy that matches
 the request.
 * ``DENY``: Allows the request if and only if there are no policies that
 match the request.
 * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
 metadata key ``access_log_hint`` is set to the value ``true`` under the shared
 key namespace ``envoy.common``. If no policies match, it is set to ``false``.
 Other actions do not modify this key.
      .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
      Parameters:
      value - The enum numeric value on the wire for action to set.
      Returns:
      This builder for chaining.

    • getAction

      public RBAC.Action getAction()
       The action to take if a policy matches. Every action either allows or denies a request,
 and can also carry out action-specific operations.

 Actions:

 * ``ALLOW``: Allows the request if and only if there is a policy that matches
 the request.
 * ``DENY``: Allows the request if and only if there are no policies that
 match the request.
 * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
 metadata key ``access_log_hint`` is set to the value ``true`` under the shared
 key namespace ``envoy.common``. If no policies match, it is set to ``false``.
 Other actions do not modify this key.
      .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
      Specified by:
      getAction in interface RBACOrBuilder
      Returns:
      The action.

    • setAction

      public RBAC.Builder setAction(RBAC.Action value)
       The action to take if a policy matches. Every action either allows or denies a request,
 and can also carry out action-specific operations.

 Actions:

 * ``ALLOW``: Allows the request if and only if there is a policy that matches
 the request.
 * ``DENY``: Allows the request if and only if there are no policies that
 match the request.
 * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
 metadata key ``access_log_hint`` is set to the value ``true`` under the shared
 key namespace ``envoy.common``. If no policies match, it is set to ``false``.
 Other actions do not modify this key.
      .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
      Parameters:
      value - The action to set.
      Returns:
      This builder for chaining.

    • clearAction

      public RBAC.Builder clearAction()
       The action to take if a policy matches. Every action either allows or denies a request,
 and can also carry out action-specific operations.

 Actions:

 * ``ALLOW``: Allows the request if and only if there is a policy that matches
 the request.
 * ``DENY``: Allows the request if and only if there are no policies that
 match the request.
 * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
 metadata key ``access_log_hint`` is set to the value ``true`` under the shared
 key namespace ``envoy.common``. If no policies match, it is set to ``false``.
 Other actions do not modify this key.
      .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
      Returns:
      This builder for chaining.

    • internalGetPolicies

      private com.google.protobuf.MapFieldBuilder<String,PolicyOrBuilder,Policy,Policy.Builder> internalGetPolicies()

    • internalGetMutablePolicies

      private com.google.protobuf.MapFieldBuilder<String,PolicyOrBuilder,Policy,Policy.Builder> internalGetMutablePolicies()

    • getPoliciesCount

      public int getPoliciesCount()
      Description copied from interface: RBACOrBuilder
       Maps from policy name to policy. A match occurs when at least one policy matches the request.
 The policies are evaluated in lexicographic order of the policy name.
      map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      Specified by:
      getPoliciesCount in interface RBACOrBuilder

    • containsPolicies

      public boolean containsPolicies(String key)
       Maps from policy name to policy. A match occurs when at least one policy matches the request.
 The policies are evaluated in lexicographic order of the policy name.
      map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      Specified by:
      containsPolicies in interface RBACOrBuilder

    • getPolicies

      @Deprecated public Map<String,Policy> getPolicies()
      Deprecated.
      Use getPoliciesMap() instead.
      Specified by:
      getPolicies in interface RBACOrBuilder

    • getPoliciesMap

      public Map<String,Policy> getPoliciesMap()
       Maps from policy name to policy. A match occurs when at least one policy matches the request.
 The policies are evaluated in lexicographic order of the policy name.
      map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      Specified by:
      getPoliciesMap in interface RBACOrBuilder

    • getPoliciesOrDefault

      public Policy getPoliciesOrDefault(String key, Policy defaultValue)
       Maps from policy name to policy. A match occurs when at least one policy matches the request.
 The policies are evaluated in lexicographic order of the policy name.
      map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      Specified by:
      getPoliciesOrDefault in interface RBACOrBuilder

    • getPoliciesOrThrow

      public Policy getPoliciesOrThrow(String key)
       Maps from policy name to policy. A match occurs when at least one policy matches the request.
 The policies are evaluated in lexicographic order of the policy name.
      map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      Specified by:
      getPoliciesOrThrow in interface RBACOrBuilder

    • clearPolicies

      public RBAC.Builder clearPolicies()

    • removePolicies

      public RBAC.Builder removePolicies(String key)
       Maps from policy name to policy. A match occurs when at least one policy matches the request.
 The policies are evaluated in lexicographic order of the policy name.
      map<string, .envoy.config.rbac.v3.Policy> policies = 2;

    • getMutablePolicies

      @Deprecated public Map<String,Policy> getMutablePolicies()
      Deprecated.
      Use alternate mutation accessors instead.

    • putPolicies

      public RBAC.Builder putPolicies(String key, Policy value)
       Maps from policy name to policy. A match occurs when at least one policy matches the request.
 The policies are evaluated in lexicographic order of the policy name.
      map<string, .envoy.config.rbac.v3.Policy> policies = 2;

    • putAllPolicies

      public RBAC.Builder putAllPolicies(Map<String,Policy> values)
       Maps from policy name to policy. A match occurs when at least one policy matches the request.
 The policies are evaluated in lexicographic order of the policy name.
      map<string, .envoy.config.rbac.v3.Policy> policies = 2;

    • putPoliciesBuilderIfAbsent

      public Policy.Builder putPoliciesBuilderIfAbsent(String key)
       Maps from policy name to policy. A match occurs when at least one policy matches the request.
 The policies are evaluated in lexicographic order of the policy name.
      map<string, .envoy.config.rbac.v3.Policy> policies = 2;

    • hasAuditLoggingOptions

      public boolean hasAuditLoggingOptions()
       Audit logging options that include the condition for audit logging to happen
 and audit logger configurations.

 [#not-implemented-hide:]
      .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
      Specified by:
      hasAuditLoggingOptions in interface RBACOrBuilder
      Returns:
      Whether the auditLoggingOptions field is set.

    • getAuditLoggingOptions

      public RBAC.AuditLoggingOptions getAuditLoggingOptions()
       Audit logging options that include the condition for audit logging to happen
 and audit logger configurations.

 [#not-implemented-hide:]
      .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
      Specified by:
      getAuditLoggingOptions in interface RBACOrBuilder
      Returns:
      The auditLoggingOptions.

    • setAuditLoggingOptions

      public RBAC.Builder setAuditLoggingOptions(RBAC.AuditLoggingOptions value)
       Audit logging options that include the condition for audit logging to happen
 and audit logger configurations.

 [#not-implemented-hide:]
      .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;

    • setAuditLoggingOptions

      public RBAC.Builder setAuditLoggingOptions(RBAC.AuditLoggingOptions.Builder builderForValue)
       Audit logging options that include the condition for audit logging to happen
 and audit logger configurations.

 [#not-implemented-hide:]
      .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;

    • mergeAuditLoggingOptions

      public RBAC.Builder mergeAuditLoggingOptions(RBAC.AuditLoggingOptions value)
       Audit logging options that include the condition for audit logging to happen
 and audit logger configurations.

 [#not-implemented-hide:]
      .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;

    • clearAuditLoggingOptions

      public RBAC.Builder clearAuditLoggingOptions()
       Audit logging options that include the condition for audit logging to happen
 and audit logger configurations.

 [#not-implemented-hide:]
      .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;

    • getAuditLoggingOptionsBuilder

      public RBAC.AuditLoggingOptions.Builder getAuditLoggingOptionsBuilder()
       Audit logging options that include the condition for audit logging to happen
 and audit logger configurations.

 [#not-implemented-hide:]
      .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;

    • getAuditLoggingOptionsOrBuilder

      public RBAC.AuditLoggingOptionsOrBuilder getAuditLoggingOptionsOrBuilder()
       Audit logging options that include the condition for audit logging to happen
 and audit logger configurations.

 [#not-implemented-hide:]
      .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
      Specified by:
      getAuditLoggingOptionsOrBuilder in interface RBACOrBuilder

    • getAuditLoggingOptionsFieldBuilder

      private com.google.protobuf.SingleFieldBuilder<RBAC.AuditLoggingOptions,RBAC.AuditLoggingOptions.Builder,RBAC.AuditLoggingOptionsOrBuilder> getAuditLoggingOptionsFieldBuilder()
       Audit logging options that include the condition for audit logging to happen
 and audit logger configurations.

 [#not-implemented-hide:]
      .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;