Package io.grpc.xds.internal.rbac.engine

Class GrpcAuthorizationEngine

java.lang.Object

io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine

public final class GrpcAuthorizationEngine
extends Object

Implementation of gRPC server access control based on envoy RBAC protocol: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto

One GrpcAuthorizationEngine is initialized with one action type and a list of policies. Policies are examined sequentially in order in an any match fashion, and the first matched policy will be returned. If not matched at all, the opposite action type is returned as a result.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static enum	GrpcAuthorizationEngine.Action
static class	GrpcAuthorizationEngine.AlwaysTrueMatcher	Always true matcher.
static class	GrpcAuthorizationEngine.AndMatcher
static class	GrpcAuthorizationEngine.AuthConfig	Represents authorization config policy that the engine will evaluate against.
static class	GrpcAuthorizationEngine.AuthDecision	An authorization decision provides information about the decision type and the policy name identifier based on the authorization engine evaluation.
static class	GrpcAuthorizationEngine.AuthenticatedMatcher
static class	GrpcAuthorizationEngine.AuthHeaderMatcher
static class	GrpcAuthorizationEngine.DestinationIpMatcher
static class	GrpcAuthorizationEngine.DestinationPortMatcher
static class	GrpcAuthorizationEngine.DestinationPortRangeMatcher
private static final class	GrpcAuthorizationEngine.EvaluateArgs
static class	GrpcAuthorizationEngine.InvertMatcher	Negate matcher.
static interface	GrpcAuthorizationEngine.Matcher
static class	GrpcAuthorizationEngine.OrMatcher
static class	GrpcAuthorizationEngine.PathMatcher
static class	GrpcAuthorizationEngine.PolicyMatcher	Implements a top level GrpcAuthorizationEngine.Matcher for a single RBAC policy configuration per envoy protocol: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto#config-rbac-v3-policy.
static class	GrpcAuthorizationEngine.RequestedServerNameMatcher
static class	GrpcAuthorizationEngine.SourceIpMatcher

Field Summary

Fields

Modifier and Type	Field	Description
private final GrpcAuthorizationEngine.AuthConfig	authConfig
private static final Logger	log

Constructor Summary

Constructors

Constructor	Description
GrpcAuthorizationEngine(GrpcAuthorizationEngine.AuthConfig authConfig)	Instantiated with envoy policyMatcher configuration.

Method Summary

Modifier and Type	Method	Description
GrpcAuthorizationEngine.AuthDecision	evaluate(io.grpc.Metadata metadata, io.grpc.ServerCall<?,?> serverCall)	Return the auth decision for the request argument against the policies.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

log

private static final Logger log

authConfig

private final GrpcAuthorizationEngine.AuthConfig authConfig

Constructor Details

GrpcAuthorizationEngine

public GrpcAuthorizationEngine(GrpcAuthorizationEngine.AuthConfig authConfig)

Instantiated with envoy policyMatcher configuration.

Method Details

evaluate

public GrpcAuthorizationEngine.AuthDecision evaluate(io.grpc.Metadata metadata,
 io.grpc.ServerCall<?,?> serverCall)

Return the auth decision for the request argument against the policies.