Class RBAC

java.lang.Object
com.google.protobuf.AbstractMessageLite
com.google.protobuf.AbstractMessage
com.google.protobuf.GeneratedMessage
io.envoyproxy.envoy.config.rbac.v3.RBAC
All Implemented Interfaces:
com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, RBACOrBuilder, Serializable
@Generated public final class RBAC extends com.google.protobuf.GeneratedMessage implements RBACOrBuilder
Role Based Access Control (RBAC) provides service-level and method-level access control for a
service. Requests are allowed or denied based on the ``action`` and whether a matching policy is
found. For instance, if the action is ALLOW and a matching policy is found the request should be
allowed.

RBAC can also be used to make access logging decisions by communicating with access loggers
through dynamic metadata. When the action is LOG and at least one policy matches, the
``access_log_hint`` value in the shared key namespace 'envoy.common' is set to ``true`` indicating
the request should be logged.

Here is an example of RBAC configuration. It has two policies:

* Service account ``cluster.local/ns/default/sa/admin`` has full access to the service, and so
does "cluster.local/ns/default/sa/superuser".

* Any user can read (``GET``) the service at paths with prefix ``/products``, so long as the
destination port is either 80 or 443.

.. code-block:: yaml

action: ALLOW
policies:
"service-admin":
permissions:
- any: true
principals:
- authenticated:
principal_name:
exact: "cluster.local/ns/default/sa/admin"
- authenticated:
principal_name:
exact: "cluster.local/ns/default/sa/superuser"
"product-viewer":
permissions:
- and_rules:
rules:
- header:
name: ":method"
string_match:
exact: "GET"
- url_path:
path: { prefix: "/products" }
- or_rules:
rules:
- destination_port: 80
- destination_port: 443
principals:
- any: true
Protobuf type envoy.config.rbac.v3.RBAC
See Also:

  • Nested Class Summary

    Nested Classes
    Modifier and Type
    Class
    Description
    static enum 
    RBAC.Action
    Should we do safe-list or block-list style access control?
    static final class 
    RBAC.AuditLoggingOptions
    Protobuf type envoy.config.rbac.v3.RBAC.AuditLoggingOptions
    static interface 
    RBAC.AuditLoggingOptionsOrBuilder
     
    static final class 
    RBAC.Builder
    Role Based Access Control (RBAC) provides service-level and method-level access control for a service.
    private static final class 
    RBAC.PoliciesDefaultEntryHolder
     

    Nested classes/interfaces inherited from class com.google.protobuf.GeneratedMessage

    com.google.protobuf.GeneratedMessage.ExtendableBuilder<MessageT,BuilderT>, com.google.protobuf.GeneratedMessage.ExtendableMessage<MessageT>, com.google.protobuf.GeneratedMessage.ExtendableMessageOrBuilder<MessageT>, com.google.protobuf.GeneratedMessage.FieldAccessorTable, com.google.protobuf.GeneratedMessage.GeneratedExtension<ContainingT, T>, com.google.protobuf.GeneratedMessage.UnusedPrivateParameter

    Nested classes/interfaces inherited from class com.google.protobuf.AbstractMessage

    com.google.protobuf.AbstractMessage.BuilderParent

    Nested classes/interfaces inherited from class com.google.protobuf.AbstractMessageLite

    com.google.protobuf.AbstractMessageLite.InternalOneOfEnum

  • Field Summary

    Fields
    Modifier and Type
    Field
    Description
    private int
    action_
     
    static final int
    ACTION_FIELD_NUMBER
     
    static final int
    AUDIT_LOGGING_OPTIONS_FIELD_NUMBER
     
    private RBAC.AuditLoggingOptions
    auditLoggingOptions_
     
    private int
    bitField0_
     
    private static final RBAC
    DEFAULT_INSTANCE
     
    private byte
    memoizedIsInitialized
     
    private static final com.google.protobuf.Parser<RBAC>
    PARSER
     
    private com.google.protobuf.MapField<String,Policy>
    policies_
     
    static final int
    POLICIES_FIELD_NUMBER
     
    private static final long
    serialVersionUID
     

    Fields inherited from class com.google.protobuf.GeneratedMessage

    alwaysUseFieldBuilders, loggedPre22TypeNames, unknownFields

    Fields inherited from class com.google.protobuf.AbstractMessage

    memoizedSize

    Fields inherited from class com.google.protobuf.AbstractMessageLite

    memoizedHashCode

  • Constructor Summary

    Constructors
    Modifier
    Constructor
    Description
    private
    RBAC()
     
    private
    RBAC(com.google.protobuf.GeneratedMessage.Builder<?> builder)
     

  • Method Summary

    Modifier and Type
    Method
    Description
    boolean
    containsPolicies(String key)
    Maps from policy name to policy.
    boolean
    equals(Object obj)
     
    RBAC.Action
    getAction()
    The action to take if a policy matches.
    int
    getActionValue()
    The action to take if a policy matches.
    RBAC.AuditLoggingOptions
    getAuditLoggingOptions()
    Audit logging options that include the condition for audit logging to happen and audit logger configurations.
    RBAC.AuditLoggingOptionsOrBuilder
    getAuditLoggingOptionsOrBuilder()
    Audit logging options that include the condition for audit logging to happen and audit logger configurations.
    static RBAC
    getDefaultInstance()
     
    RBAC
    getDefaultInstanceForType()
     
    static final com.google.protobuf.Descriptors.Descriptor
    getDescriptor()
     
    com.google.protobuf.Descriptors.Descriptor
    getDescriptorForType()
     
    com.google.protobuf.Parser<RBAC>
    getParserForType()
     
    Map<String,Policy>
    getPolicies()
    Deprecated.
    int
    getPoliciesCount()
    Maps from policy name to policy.
    Map<String,Policy>
    getPoliciesMap()
    Maps from policy name to policy.
    Policy
    getPoliciesOrDefault(String key, Policy defaultValue)
    Maps from policy name to policy.
    Policy
    getPoliciesOrThrow(String key)
    Maps from policy name to policy.
    int
    getSerializedSize()
     
    boolean
    hasAuditLoggingOptions()
    Audit logging options that include the condition for audit logging to happen and audit logger configurations.
    int
    hashCode()
     
    protected com.google.protobuf.GeneratedMessage.FieldAccessorTable
    internalGetFieldAccessorTable()
     
    protected com.google.protobuf.MapFieldReflectionAccessor
    internalGetMapFieldReflection(int number)
     
    private com.google.protobuf.MapField<String,Policy>
    internalGetPolicies()
     
    final boolean
    isInitialized()
     
    static RBAC.Builder
    newBuilder()
     
    static RBAC.Builder
    newBuilder(RBAC prototype)
     
    RBAC.Builder
    newBuilderForType()
     
    protected RBAC.Builder
    newBuilderForType(com.google.protobuf.AbstractMessage.BuilderParent parent)
     
    static RBAC
    parseDelimitedFrom(InputStream input)
     
    static RBAC
    parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static RBAC
    parseFrom(byte[] data)
     
    static RBAC
    parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static RBAC
    parseFrom(com.google.protobuf.ByteString data)
     
    static RBAC
    parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static RBAC
    parseFrom(com.google.protobuf.CodedInputStream input)
     
    static RBAC
    parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static RBAC
    parseFrom(InputStream input)
     
    static RBAC
    parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static RBAC
    parseFrom(ByteBuffer data)
     
    static RBAC
    parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)
     
    static com.google.protobuf.Parser<RBAC>
    parser()
     
    RBAC.Builder
    toBuilder()
     
    void
    writeTo(com.google.protobuf.CodedOutputStream output)
     

    Methods inherited from class com.google.protobuf.GeneratedMessage

    computeStringSize, computeStringSizeNoTag, emptyBooleanList, emptyDoubleList, emptyFloatList, emptyIntList, emptyList, emptyLongList, getAllFields, getField, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof, internalGetMapField, isStringEmpty, makeExtensionsImmutable, makeMutableCopy, makeMutableCopy, newFileScopedGeneratedExtension, newInstance, newMessageScopedGeneratedExtension, parseDelimitedWithIOException, parseDelimitedWithIOException, parseUnknownField, parseUnknownFieldProto3, parseWithIOException, parseWithIOException, parseWithIOException, parseWithIOException, serializeBooleanMapTo, serializeIntegerMapTo, serializeLongMapTo, serializeStringMapTo, writeReplace, writeString, writeStringNoTag

    Methods inherited from class com.google.protobuf.AbstractMessage

    findInitializationErrors, getInitializationErrorString, hashFields, toString

    Methods inherited from class com.google.protobuf.AbstractMessageLite

    addAll, checkByteStringIsUtf8, toByteArray, toByteString, writeDelimitedTo, writeTo

    Methods inherited from class Object

    clone, finalize, getClass, notify, notifyAll, wait, wait, wait

    Methods inherited from interface com.google.protobuf.MessageLite

    toByteArray, toByteString, writeDelimitedTo, writeTo

    Methods inherited from interface com.google.protobuf.MessageOrBuilder

    findInitializationErrors, getAllFields, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof

  • Field Details

    • serialVersionUID

      private static final long serialVersionUID
      See Also:

    • bitField0_

      private int bitField0_

    • ACTION_FIELD_NUMBER

      public static final int ACTION_FIELD_NUMBER
      See Also:

    • action_

      private int action_

    • POLICIES_FIELD_NUMBER

      public static final int POLICIES_FIELD_NUMBER
      See Also:

    • policies_

      private com.google.protobuf.MapField<String,Policy> policies_

    • AUDIT_LOGGING_OPTIONS_FIELD_NUMBER

      public static final int AUDIT_LOGGING_OPTIONS_FIELD_NUMBER
      See Also:

    • auditLoggingOptions_

      private RBAC.AuditLoggingOptions auditLoggingOptions_

    • memoizedIsInitialized

      private byte memoizedIsInitialized

    • DEFAULT_INSTANCE

      private static final RBAC DEFAULT_INSTANCE

    • PARSER

      private static final com.google.protobuf.Parser<RBAC> PARSER

  • Constructor Details

    • RBAC

      private RBAC(com.google.protobuf.GeneratedMessage.Builder<?> builder)

    • RBAC

      private RBAC()

  • Method Details

    • getDescriptor

      public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

    • getDescriptorForType

      public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
      Specified by:
      getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
      Overrides:
      getDescriptorForType in class com.google.protobuf.GeneratedMessage

    • internalGetMapFieldReflection

      protected com.google.protobuf.MapFieldReflectionAccessor internalGetMapFieldReflection(int number)
      Overrides:
      internalGetMapFieldReflection in class com.google.protobuf.GeneratedMessage

    • internalGetFieldAccessorTable

      protected com.google.protobuf.GeneratedMessage.FieldAccessorTable internalGetFieldAccessorTable()
      Specified by:
      internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessage

    • getActionValue

      public int getActionValue()
      The action to take if a policy matches. Every action either allows or denies a request,
and can also carry out action-specific operations.

Actions:

* ``ALLOW``: Allows the request if and only if there is a policy that matches
the request.
* ``DENY``: Allows the request if and only if there are no policies that
match the request.
* ``LOG``: Allows all requests. If at least one policy matches, the dynamic
metadata key ``access_log_hint`` is set to the value ``true`` under the shared
key namespace ``envoy.common``. If no policies match, it is set to ``false``.
Other actions do not modify this key.
      .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
      Specified by:
      getActionValue in interface RBACOrBuilder
      Returns:
      The enum numeric value on the wire for action.

    • getAction

      public RBAC.Action getAction()
      The action to take if a policy matches. Every action either allows or denies a request,
and can also carry out action-specific operations.

Actions:

* ``ALLOW``: Allows the request if and only if there is a policy that matches
the request.
* ``DENY``: Allows the request if and only if there are no policies that
match the request.
* ``LOG``: Allows all requests. If at least one policy matches, the dynamic
metadata key ``access_log_hint`` is set to the value ``true`` under the shared
key namespace ``envoy.common``. If no policies match, it is set to ``false``.
Other actions do not modify this key.
      .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
      Specified by:
      getAction in interface RBACOrBuilder
      Returns:
      The action.

    • internalGetPolicies

      private com.google.protobuf.MapField<String,Policy> internalGetPolicies()

    • getPoliciesCount

      public int getPoliciesCount()
      Description copied from interface: RBACOrBuilder
      Maps from policy name to policy. A match occurs when at least one policy matches the request.
The policies are evaluated in lexicographic order of the policy name.
      map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      Specified by:
      getPoliciesCount in interface RBACOrBuilder

    • containsPolicies

      public boolean containsPolicies(String key)
      Maps from policy name to policy. A match occurs when at least one policy matches the request.
The policies are evaluated in lexicographic order of the policy name.
      map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      Specified by:
      containsPolicies in interface RBACOrBuilder

    • getPolicies

      @Deprecated public Map<String,Policy> getPolicies()
      Deprecated.
      Use getPoliciesMap() instead.
      Specified by:
      getPolicies in interface RBACOrBuilder

    • getPoliciesMap

      public Map<String,Policy> getPoliciesMap()
      Maps from policy name to policy. A match occurs when at least one policy matches the request.
The policies are evaluated in lexicographic order of the policy name.
      map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      Specified by:
      getPoliciesMap in interface RBACOrBuilder

    • getPoliciesOrDefault

      public Policy getPoliciesOrDefault(String key, Policy defaultValue)
      Maps from policy name to policy. A match occurs when at least one policy matches the request.
The policies are evaluated in lexicographic order of the policy name.
      map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      Specified by:
      getPoliciesOrDefault in interface RBACOrBuilder

    • getPoliciesOrThrow

      public Policy getPoliciesOrThrow(String key)
      Maps from policy name to policy. A match occurs when at least one policy matches the request.
The policies are evaluated in lexicographic order of the policy name.
      map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      Specified by:
      getPoliciesOrThrow in interface RBACOrBuilder

    • hasAuditLoggingOptions

      public boolean hasAuditLoggingOptions()
      Audit logging options that include the condition for audit logging to happen
and audit logger configurations.

[#not-implemented-hide:]
      .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
      Specified by:
      hasAuditLoggingOptions in interface RBACOrBuilder
      Returns:
      Whether the auditLoggingOptions field is set.

    • getAuditLoggingOptions

      public RBAC.AuditLoggingOptions getAuditLoggingOptions()
      Audit logging options that include the condition for audit logging to happen
and audit logger configurations.

[#not-implemented-hide:]
      .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
      Specified by:
      getAuditLoggingOptions in interface RBACOrBuilder
      Returns:
      The auditLoggingOptions.

    • getAuditLoggingOptionsOrBuilder

      public RBAC.AuditLoggingOptionsOrBuilder getAuditLoggingOptionsOrBuilder()
      Audit logging options that include the condition for audit logging to happen
and audit logger configurations.

[#not-implemented-hide:]
      .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
      Specified by:
      getAuditLoggingOptionsOrBuilder in interface RBACOrBuilder

    • isInitialized

      public final boolean isInitialized()
      Specified by:
      isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
      Overrides:
      isInitialized in class com.google.protobuf.GeneratedMessage

    • writeTo

      public void writeTo(com.google.protobuf.CodedOutputStream output) throws IOException
      Specified by:
      writeTo in interface com.google.protobuf.MessageLite
      Overrides:
      writeTo in class com.google.protobuf.GeneratedMessage
      Throws:
      IOException

    • getSerializedSize

      public int getSerializedSize()
      Specified by:
      getSerializedSize in interface com.google.protobuf.MessageLite
      Overrides:
      getSerializedSize in class com.google.protobuf.GeneratedMessage

    • equals

      public boolean equals(Object obj)
      Specified by:
      equals in interface com.google.protobuf.Message
      Overrides:
      equals in class com.google.protobuf.AbstractMessage

    • hashCode

      public int hashCode()
      Specified by:
      hashCode in interface com.google.protobuf.Message
      Overrides:
      hashCode in class com.google.protobuf.AbstractMessage

    • parseFrom

      public static RBAC parseFrom(ByteBuffer data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static RBAC parseFrom(ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static RBAC parseFrom(com.google.protobuf.ByteString data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static RBAC parseFrom(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static RBAC parseFrom(byte[] data) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static RBAC parseFrom(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws com.google.protobuf.InvalidProtocolBufferException
      Throws:
      com.google.protobuf.InvalidProtocolBufferException

    • parseFrom

      public static RBAC parseFrom(InputStream input) throws IOException
      Throws:
      IOException

    • parseFrom

      public static RBAC parseFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException

    • parseDelimitedFrom

      public static RBAC parseDelimitedFrom(InputStream input) throws IOException
      Throws:
      IOException

    • parseDelimitedFrom

      public static RBAC parseDelimitedFrom(InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException

    • parseFrom

      public static RBAC parseFrom(com.google.protobuf.CodedInputStream input) throws IOException
      Throws:
      IOException

    • parseFrom

      public static RBAC parseFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Throws:
      IOException

    • newBuilderForType

      public RBAC.Builder newBuilderForType()
      Specified by:
      newBuilderForType in interface com.google.protobuf.Message
      Specified by:
      newBuilderForType in interface com.google.protobuf.MessageLite

    • newBuilder

      public static RBAC.Builder newBuilder()

    • newBuilder

      public static RBAC.Builder newBuilder(RBAC prototype)

    • toBuilder

      public RBAC.Builder toBuilder()
      Specified by:
      toBuilder in interface com.google.protobuf.Message
      Specified by:
      toBuilder in interface com.google.protobuf.MessageLite

    • newBuilderForType

      protected RBAC.Builder newBuilderForType(com.google.protobuf.AbstractMessage.BuilderParent parent)
      Overrides:
      newBuilderForType in class com.google.protobuf.AbstractMessage

    • getDefaultInstance

      public static RBAC getDefaultInstance()

    • parser

      public static com.google.protobuf.Parser<RBAC> parser()

    • getParserForType

      public com.google.protobuf.Parser<RBAC> getParserForType()
      Specified by:
      getParserForType in interface com.google.protobuf.Message
      Specified by:
      getParserForType in interface com.google.protobuf.MessageLite
      Overrides:
      getParserForType in class com.google.protobuf.GeneratedMessage

    • getDefaultInstanceForType

      public RBAC getDefaultInstanceForType()
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder