Package io.envoyproxy.envoy.extensions.filters.http.ext_authz.v3

Class ExtAuthz.Builder

java.lang.Object
com.google.protobuf.AbstractMessageLite.Builder
com.google.protobuf.AbstractMessage.Builder<BuilderT>
com.google.protobuf.GeneratedMessageV3.Builder<ExtAuthz.Builder>
io.envoyproxy.envoy.extensions.filters.http.ext_authz.v3.ExtAuthz.Builder
All Implemented Interfaces:
com.google.protobuf.Message.Builder, com.google.protobuf.MessageLite.Builder, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, ExtAuthzOrBuilder, Cloneable
Enclosing class:
ExtAuthz
public static final class ExtAuthz.Builder extends com.google.protobuf.GeneratedMessageV3.Builder<ExtAuthz.Builder> implements ExtAuthzOrBuilder
 [#next-free-field: 32]
Protobuf type envoy.extensions.filters.http.ext_authz.v3.ExtAuthz

  • Method Details

    • getDescriptor

      public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

    • internalGetFieldAccessorTable

      protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
      Specified by:
      internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3.Builder<ExtAuthz.Builder>

    • clear

      public ExtAuthz.Builder clear()
      Specified by:
      clear in interface com.google.protobuf.Message.Builder
      Specified by:
      clear in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      clear in class com.google.protobuf.GeneratedMessageV3.Builder<ExtAuthz.Builder>

    • getDescriptorForType

      public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
      Specified by:
      getDescriptorForType in interface com.google.protobuf.Message.Builder
      Specified by:
      getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
      Overrides:
      getDescriptorForType in class com.google.protobuf.GeneratedMessageV3.Builder<ExtAuthz.Builder>

    • getDefaultInstanceForType

      public ExtAuthz getDefaultInstanceForType()
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
      Specified by:
      getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder

    • build

      public ExtAuthz build()
      Specified by:
      build in interface com.google.protobuf.Message.Builder
      Specified by:
      build in interface com.google.protobuf.MessageLite.Builder

    • buildPartial

      public ExtAuthz buildPartial()
      Specified by:
      buildPartial in interface com.google.protobuf.Message.Builder
      Specified by:
      buildPartial in interface com.google.protobuf.MessageLite.Builder

    • clone

      public ExtAuthz.Builder clone()
      Specified by:
      clone in interface com.google.protobuf.Message.Builder
      Specified by:
      clone in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      clone in class com.google.protobuf.GeneratedMessageV3.Builder<ExtAuthz.Builder>

    • setField

      public ExtAuthz.Builder setField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
      Specified by:
      setField in interface com.google.protobuf.Message.Builder
      Overrides:
      setField in class com.google.protobuf.GeneratedMessageV3.Builder<ExtAuthz.Builder>

    • clearField

      public ExtAuthz.Builder clearField(com.google.protobuf.Descriptors.FieldDescriptor field)
      Specified by:
      clearField in interface com.google.protobuf.Message.Builder
      Overrides:
      clearField in class com.google.protobuf.GeneratedMessageV3.Builder<ExtAuthz.Builder>

    • clearOneof

      public ExtAuthz.Builder clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof)
      Specified by:
      clearOneof in interface com.google.protobuf.Message.Builder
      Overrides:
      clearOneof in class com.google.protobuf.GeneratedMessageV3.Builder<ExtAuthz.Builder>

    • setRepeatedField

      public ExtAuthz.Builder setRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, int index, Object value)
      Specified by:
      setRepeatedField in interface com.google.protobuf.Message.Builder
      Overrides:
      setRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<ExtAuthz.Builder>

    • addRepeatedField

      public ExtAuthz.Builder addRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field, Object value)
      Specified by:
      addRepeatedField in interface com.google.protobuf.Message.Builder
      Overrides:
      addRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<ExtAuthz.Builder>

    • mergeFrom

      public ExtAuthz.Builder mergeFrom(com.google.protobuf.Message other)
      Specified by:
      mergeFrom in interface com.google.protobuf.Message.Builder
      Overrides:
      mergeFrom in class com.google.protobuf.AbstractMessage.Builder<ExtAuthz.Builder>

    • mergeFrom

      public ExtAuthz.Builder mergeFrom(ExtAuthz other)

    • isInitialized

      public final boolean isInitialized()
      Specified by:
      isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
      Overrides:
      isInitialized in class com.google.protobuf.GeneratedMessageV3.Builder<ExtAuthz.Builder>

    • mergeFrom

      public ExtAuthz.Builder mergeFrom(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry) throws IOException
      Specified by:
      mergeFrom in interface com.google.protobuf.Message.Builder
      Specified by:
      mergeFrom in interface com.google.protobuf.MessageLite.Builder
      Overrides:
      mergeFrom in class com.google.protobuf.AbstractMessage.Builder<ExtAuthz.Builder>
      Throws:
      IOException

    • getServicesCase

      public ExtAuthz.ServicesCase getServicesCase()
      Specified by:
      getServicesCase in interface ExtAuthzOrBuilder

    • clearServices

      public ExtAuthz.Builder clearServices()

    • hasGrpcService

      public boolean hasGrpcService()
       gRPC service configuration (default timeout: 200ms).
      .envoy.config.core.v3.GrpcService grpc_service = 1;
      Specified by:
      hasGrpcService in interface ExtAuthzOrBuilder
      Returns:
      Whether the grpcService field is set.

    • getGrpcService

      public GrpcService getGrpcService()
       gRPC service configuration (default timeout: 200ms).
      .envoy.config.core.v3.GrpcService grpc_service = 1;
      Specified by:
      getGrpcService in interface ExtAuthzOrBuilder
      Returns:
      The grpcService.

    • setGrpcService

      public ExtAuthz.Builder setGrpcService(GrpcService value)
       gRPC service configuration (default timeout: 200ms).
      .envoy.config.core.v3.GrpcService grpc_service = 1;

    • setGrpcService

      public ExtAuthz.Builder setGrpcService(GrpcService.Builder builderForValue)
       gRPC service configuration (default timeout: 200ms).
      .envoy.config.core.v3.GrpcService grpc_service = 1;

    • mergeGrpcService

      public ExtAuthz.Builder mergeGrpcService(GrpcService value)
       gRPC service configuration (default timeout: 200ms).
      .envoy.config.core.v3.GrpcService grpc_service = 1;

    • clearGrpcService

      public ExtAuthz.Builder clearGrpcService()
       gRPC service configuration (default timeout: 200ms).
      .envoy.config.core.v3.GrpcService grpc_service = 1;

    • getGrpcServiceBuilder

      public GrpcService.Builder getGrpcServiceBuilder()
       gRPC service configuration (default timeout: 200ms).
      .envoy.config.core.v3.GrpcService grpc_service = 1;

    • getGrpcServiceOrBuilder

      public GrpcServiceOrBuilder getGrpcServiceOrBuilder()
       gRPC service configuration (default timeout: 200ms).
      .envoy.config.core.v3.GrpcService grpc_service = 1;
      Specified by:
      getGrpcServiceOrBuilder in interface ExtAuthzOrBuilder

    • hasHttpService

      public boolean hasHttpService()
       HTTP service configuration (default timeout: 200ms).
      .envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;
      Specified by:
      hasHttpService in interface ExtAuthzOrBuilder
      Returns:
      Whether the httpService field is set.

    • getHttpService

      public HttpService getHttpService()
       HTTP service configuration (default timeout: 200ms).
      .envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;
      Specified by:
      getHttpService in interface ExtAuthzOrBuilder
      Returns:
      The httpService.

    • setHttpService

      public ExtAuthz.Builder setHttpService(HttpService value)
       HTTP service configuration (default timeout: 200ms).
      .envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;

    • setHttpService

      public ExtAuthz.Builder setHttpService(HttpService.Builder builderForValue)
       HTTP service configuration (default timeout: 200ms).
      .envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;

    • mergeHttpService

      public ExtAuthz.Builder mergeHttpService(HttpService value)
       HTTP service configuration (default timeout: 200ms).
      .envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;

    • clearHttpService

      public ExtAuthz.Builder clearHttpService()
       HTTP service configuration (default timeout: 200ms).
      .envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;

    • getHttpServiceBuilder

      public HttpService.Builder getHttpServiceBuilder()
       HTTP service configuration (default timeout: 200ms).
      .envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;

    • getHttpServiceOrBuilder

      public HttpServiceOrBuilder getHttpServiceOrBuilder()
       HTTP service configuration (default timeout: 200ms).
      .envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;
      Specified by:
      getHttpServiceOrBuilder in interface ExtAuthzOrBuilder

    • getTransportApiVersionValue

      public int getTransportApiVersionValue()
       API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
 version of messages used on the wire.
      .envoy.config.core.v3.ApiVersion transport_api_version = 12 [(.validate.rules) = { ... }
      Specified by:
      getTransportApiVersionValue in interface ExtAuthzOrBuilder
      Returns:
      The enum numeric value on the wire for transportApiVersion.

    • setTransportApiVersionValue

      public ExtAuthz.Builder setTransportApiVersionValue(int value)
       API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
 version of messages used on the wire.
      .envoy.config.core.v3.ApiVersion transport_api_version = 12 [(.validate.rules) = { ... }
      Parameters:
      value - The enum numeric value on the wire for transportApiVersion to set.
      Returns:
      This builder for chaining.

    • getTransportApiVersion

      public ApiVersion getTransportApiVersion()
       API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
 version of messages used on the wire.
      .envoy.config.core.v3.ApiVersion transport_api_version = 12 [(.validate.rules) = { ... }
      Specified by:
      getTransportApiVersion in interface ExtAuthzOrBuilder
      Returns:
      The transportApiVersion.

    • setTransportApiVersion

      public ExtAuthz.Builder setTransportApiVersion(ApiVersion value)
       API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
 version of messages used on the wire.
      .envoy.config.core.v3.ApiVersion transport_api_version = 12 [(.validate.rules) = { ... }
      Parameters:
      value - The transportApiVersion to set.
      Returns:
      This builder for chaining.

    • clearTransportApiVersion

      public ExtAuthz.Builder clearTransportApiVersion()
       API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
 version of messages used on the wire.
      .envoy.config.core.v3.ApiVersion transport_api_version = 12 [(.validate.rules) = { ... }
      Returns:
      This builder for chaining.

    • getFailureModeAllow

      public boolean getFailureModeAllow()
       Changes the filter's behavior on errors:

 * When set to ``true``, the filter will ``accept`` the client request even if communication with
   the authorization service has failed, or if the authorization service has returned an HTTP 5xx
   error.

 * When set to ``false``, the filter will ``reject`` client requests and return ``Forbidden``
   if communication with the authorization service has failed, or if the authorization service
   has returned an HTTP 5xx error.

 Errors can always be tracked in the :ref:`stats <config_http_filters_ext_authz_stats>`.

 Defaults to ``false``.
      bool failure_mode_allow = 2;
      Specified by:
      getFailureModeAllow in interface ExtAuthzOrBuilder
      Returns:
      The failureModeAllow.

    • setFailureModeAllow

      public ExtAuthz.Builder setFailureModeAllow(boolean value)
       Changes the filter's behavior on errors:

 * When set to ``true``, the filter will ``accept`` the client request even if communication with
   the authorization service has failed, or if the authorization service has returned an HTTP 5xx
   error.

 * When set to ``false``, the filter will ``reject`` client requests and return ``Forbidden``
   if communication with the authorization service has failed, or if the authorization service
   has returned an HTTP 5xx error.

 Errors can always be tracked in the :ref:`stats <config_http_filters_ext_authz_stats>`.

 Defaults to ``false``.
      bool failure_mode_allow = 2;
      Parameters:
      value - The failureModeAllow to set.
      Returns:
      This builder for chaining.

    • clearFailureModeAllow

      public ExtAuthz.Builder clearFailureModeAllow()
       Changes the filter's behavior on errors:

 * When set to ``true``, the filter will ``accept`` the client request even if communication with
   the authorization service has failed, or if the authorization service has returned an HTTP 5xx
   error.

 * When set to ``false``, the filter will ``reject`` client requests and return ``Forbidden``
   if communication with the authorization service has failed, or if the authorization service
   has returned an HTTP 5xx error.

 Errors can always be tracked in the :ref:`stats <config_http_filters_ext_authz_stats>`.

 Defaults to ``false``.
      bool failure_mode_allow = 2;
      Returns:
      This builder for chaining.

    • getFailureModeAllowHeaderAdd

      public boolean getFailureModeAllowHeaderAdd()
       When ``failure_mode_allow`` and ``failure_mode_allow_header_add`` are both set to ``true``,
 ``x-envoy-auth-failure-mode-allowed: true`` will be added to request headers if the communication
 with the authorization service has failed, or if the authorization service has returned a
 HTTP 5xx error.
      bool failure_mode_allow_header_add = 19;
      Specified by:
      getFailureModeAllowHeaderAdd in interface ExtAuthzOrBuilder
      Returns:
      The failureModeAllowHeaderAdd.

    • setFailureModeAllowHeaderAdd

      public ExtAuthz.Builder setFailureModeAllowHeaderAdd(boolean value)
       When ``failure_mode_allow`` and ``failure_mode_allow_header_add`` are both set to ``true``,
 ``x-envoy-auth-failure-mode-allowed: true`` will be added to request headers if the communication
 with the authorization service has failed, or if the authorization service has returned a
 HTTP 5xx error.
      bool failure_mode_allow_header_add = 19;
      Parameters:
      value - The failureModeAllowHeaderAdd to set.
      Returns:
      This builder for chaining.

    • clearFailureModeAllowHeaderAdd

      public ExtAuthz.Builder clearFailureModeAllowHeaderAdd()
       When ``failure_mode_allow`` and ``failure_mode_allow_header_add`` are both set to ``true``,
 ``x-envoy-auth-failure-mode-allowed: true`` will be added to request headers if the communication
 with the authorization service has failed, or if the authorization service has returned a
 HTTP 5xx error.
      bool failure_mode_allow_header_add = 19;
      Returns:
      This builder for chaining.

    • hasWithRequestBody

      public boolean hasWithRequestBody()
       Enables the filter to buffer the client request body and send it within the authorization request.
 The ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request indicating whether the body data is partial.
      .envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;
      Specified by:
      hasWithRequestBody in interface ExtAuthzOrBuilder
      Returns:
      Whether the withRequestBody field is set.

    • getWithRequestBody

      public BufferSettings getWithRequestBody()
       Enables the filter to buffer the client request body and send it within the authorization request.
 The ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request indicating whether the body data is partial.
      .envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;
      Specified by:
      getWithRequestBody in interface ExtAuthzOrBuilder
      Returns:
      The withRequestBody.

    • setWithRequestBody

      public ExtAuthz.Builder setWithRequestBody(BufferSettings value)
       Enables the filter to buffer the client request body and send it within the authorization request.
 The ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request indicating whether the body data is partial.
      .envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;

    • setWithRequestBody

      public ExtAuthz.Builder setWithRequestBody(BufferSettings.Builder builderForValue)
       Enables the filter to buffer the client request body and send it within the authorization request.
 The ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request indicating whether the body data is partial.
      .envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;

    • mergeWithRequestBody

      public ExtAuthz.Builder mergeWithRequestBody(BufferSettings value)
       Enables the filter to buffer the client request body and send it within the authorization request.
 The ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request indicating whether the body data is partial.
      .envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;

    • clearWithRequestBody

      public ExtAuthz.Builder clearWithRequestBody()
       Enables the filter to buffer the client request body and send it within the authorization request.
 The ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request indicating whether the body data is partial.
      .envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;

    • getWithRequestBodyBuilder

      public BufferSettings.Builder getWithRequestBodyBuilder()
       Enables the filter to buffer the client request body and send it within the authorization request.
 The ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request indicating whether the body data is partial.
      .envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;

    • getWithRequestBodyOrBuilder

      public BufferSettingsOrBuilder getWithRequestBodyOrBuilder()
       Enables the filter to buffer the client request body and send it within the authorization request.
 The ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request indicating whether the body data is partial.
      .envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;
      Specified by:
      getWithRequestBodyOrBuilder in interface ExtAuthzOrBuilder

    • getClearRouteCache

      public boolean getClearRouteCache()
       Clears the route cache in order to allow the external authorization service to correctly affect
 routing decisions. The filter clears all cached routes when all of the following holds:

 * This field is set to ``true``.
 * The status returned from the authorization service is an HTTP 200 or gRPC 0.
 * At least one ``authorization response header`` is added to the client request, or is used to
   alter another client request header.

 Defaults to ``false``.
      bool clear_route_cache = 6;
      Specified by:
      getClearRouteCache in interface ExtAuthzOrBuilder
      Returns:
      The clearRouteCache.

    • setClearRouteCache

      public ExtAuthz.Builder setClearRouteCache(boolean value)
       Clears the route cache in order to allow the external authorization service to correctly affect
 routing decisions. The filter clears all cached routes when all of the following holds:

 * This field is set to ``true``.
 * The status returned from the authorization service is an HTTP 200 or gRPC 0.
 * At least one ``authorization response header`` is added to the client request, or is used to
   alter another client request header.

 Defaults to ``false``.
      bool clear_route_cache = 6;
      Parameters:
      value - The clearRouteCache to set.
      Returns:
      This builder for chaining.

    • clearClearRouteCache

      public ExtAuthz.Builder clearClearRouteCache()
       Clears the route cache in order to allow the external authorization service to correctly affect
 routing decisions. The filter clears all cached routes when all of the following holds:

 * This field is set to ``true``.
 * The status returned from the authorization service is an HTTP 200 or gRPC 0.
 * At least one ``authorization response header`` is added to the client request, or is used to
   alter another client request header.

 Defaults to ``false``.
      bool clear_route_cache = 6;
      Returns:
      This builder for chaining.

    • hasStatusOnError

      public boolean hasStatusOnError()
       Sets the HTTP status that is returned to the client when the authorization server returns an error
 or cannot be reached.

 The default status is ``HTTP 403 Forbidden``.
      .envoy.type.v3.HttpStatus status_on_error = 7;
      Specified by:
      hasStatusOnError in interface ExtAuthzOrBuilder
      Returns:
      Whether the statusOnError field is set.

    • getStatusOnError

      public HttpStatus getStatusOnError()
       Sets the HTTP status that is returned to the client when the authorization server returns an error
 or cannot be reached.

 The default status is ``HTTP 403 Forbidden``.
      .envoy.type.v3.HttpStatus status_on_error = 7;
      Specified by:
      getStatusOnError in interface ExtAuthzOrBuilder
      Returns:
      The statusOnError.

    • setStatusOnError

      public ExtAuthz.Builder setStatusOnError(HttpStatus value)
       Sets the HTTP status that is returned to the client when the authorization server returns an error
 or cannot be reached.

 The default status is ``HTTP 403 Forbidden``.
      .envoy.type.v3.HttpStatus status_on_error = 7;

    • setStatusOnError

      public ExtAuthz.Builder setStatusOnError(HttpStatus.Builder builderForValue)
       Sets the HTTP status that is returned to the client when the authorization server returns an error
 or cannot be reached.

 The default status is ``HTTP 403 Forbidden``.
      .envoy.type.v3.HttpStatus status_on_error = 7;

    • mergeStatusOnError

      public ExtAuthz.Builder mergeStatusOnError(HttpStatus value)
       Sets the HTTP status that is returned to the client when the authorization server returns an error
 or cannot be reached.

 The default status is ``HTTP 403 Forbidden``.
      .envoy.type.v3.HttpStatus status_on_error = 7;

    • clearStatusOnError

      public ExtAuthz.Builder clearStatusOnError()
       Sets the HTTP status that is returned to the client when the authorization server returns an error
 or cannot be reached.

 The default status is ``HTTP 403 Forbidden``.
      .envoy.type.v3.HttpStatus status_on_error = 7;

    • getStatusOnErrorBuilder

      public HttpStatus.Builder getStatusOnErrorBuilder()
       Sets the HTTP status that is returned to the client when the authorization server returns an error
 or cannot be reached.

 The default status is ``HTTP 403 Forbidden``.
      .envoy.type.v3.HttpStatus status_on_error = 7;

    • getStatusOnErrorOrBuilder

      public HttpStatusOrBuilder getStatusOnErrorOrBuilder()
       Sets the HTTP status that is returned to the client when the authorization server returns an error
 or cannot be reached.

 The default status is ``HTTP 403 Forbidden``.
      .envoy.type.v3.HttpStatus status_on_error = 7;
      Specified by:
      getStatusOnErrorOrBuilder in interface ExtAuthzOrBuilder

    • getValidateMutations

      public boolean getValidateMutations()
       When set to ``true``, the filter will check the :ref:`ext_authz response
 <envoy_v3_api_msg_service.auth.v3.CheckResponse>` for invalid header and
 query parameter mutations. If the response is invalid, the filter will send a local reply
 to the downstream request with status ``HTTP 500 Internal Server Error``.

 .. note::
   Both ``headers_to_remove`` and ``query_parameters_to_remove`` are validated, but invalid elements in
   those fields should not affect any headers and thus will not cause the filter to send a local reply.

 When set to ``false``, any invalid mutations will be visible to the rest of Envoy and may cause
 unexpected behavior.

 If you are using ext_authz with an untrusted ext_authz server, you should set this to ``true``.

 Defaults to ``false``.
      bool validate_mutations = 24;
      Specified by:
      getValidateMutations in interface ExtAuthzOrBuilder
      Returns:
      The validateMutations.

    • setValidateMutations

      public ExtAuthz.Builder setValidateMutations(boolean value)
       When set to ``true``, the filter will check the :ref:`ext_authz response
 <envoy_v3_api_msg_service.auth.v3.CheckResponse>` for invalid header and
 query parameter mutations. If the response is invalid, the filter will send a local reply
 to the downstream request with status ``HTTP 500 Internal Server Error``.

 .. note::
   Both ``headers_to_remove`` and ``query_parameters_to_remove`` are validated, but invalid elements in
   those fields should not affect any headers and thus will not cause the filter to send a local reply.

 When set to ``false``, any invalid mutations will be visible to the rest of Envoy and may cause
 unexpected behavior.

 If you are using ext_authz with an untrusted ext_authz server, you should set this to ``true``.

 Defaults to ``false``.
      bool validate_mutations = 24;
      Parameters:
      value - The validateMutations to set.
      Returns:
      This builder for chaining.

    • clearValidateMutations

      public ExtAuthz.Builder clearValidateMutations()
       When set to ``true``, the filter will check the :ref:`ext_authz response
 <envoy_v3_api_msg_service.auth.v3.CheckResponse>` for invalid header and
 query parameter mutations. If the response is invalid, the filter will send a local reply
 to the downstream request with status ``HTTP 500 Internal Server Error``.

 .. note::
   Both ``headers_to_remove`` and ``query_parameters_to_remove`` are validated, but invalid elements in
   those fields should not affect any headers and thus will not cause the filter to send a local reply.

 When set to ``false``, any invalid mutations will be visible to the rest of Envoy and may cause
 unexpected behavior.

 If you are using ext_authz with an untrusted ext_authz server, you should set this to ``true``.

 Defaults to ``false``.
      bool validate_mutations = 24;
      Returns:
      This builder for chaining.

    • getMetadataContextNamespacesList

      public com.google.protobuf.ProtocolStringList getMetadataContextNamespacesList()
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
 is passed as an opaque ``protobuf::Struct``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Specified by:
      getMetadataContextNamespacesList in interface ExtAuthzOrBuilder
      Returns:
      A list containing the metadataContextNamespaces.

    • getMetadataContextNamespacesCount

      public int getMetadataContextNamespacesCount()
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
 is passed as an opaque ``protobuf::Struct``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Specified by:
      getMetadataContextNamespacesCount in interface ExtAuthzOrBuilder
      Returns:
      The count of metadataContextNamespaces.

    • getMetadataContextNamespaces

      public String getMetadataContextNamespaces(int index)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
 is passed as an opaque ``protobuf::Struct``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Specified by:
      getMetadataContextNamespaces in interface ExtAuthzOrBuilder
      Parameters:
      index - The index of the element to return.
      Returns:
      The metadataContextNamespaces at the given index.

    • getMetadataContextNamespacesBytes

      public com.google.protobuf.ByteString getMetadataContextNamespacesBytes(int index)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
 is passed as an opaque ``protobuf::Struct``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Specified by:
      getMetadataContextNamespacesBytes in interface ExtAuthzOrBuilder
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the metadataContextNamespaces at the given index.

    • setMetadataContextNamespaces

      public ExtAuthz.Builder setMetadataContextNamespaces(int index, String value)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
 is passed as an opaque ``protobuf::Struct``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Parameters:
      index - The index to set the value at.
      value - The metadataContextNamespaces to set.
      Returns:
      This builder for chaining.

    • addMetadataContextNamespaces

      public ExtAuthz.Builder addMetadataContextNamespaces(String value)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
 is passed as an opaque ``protobuf::Struct``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Parameters:
      value - The metadataContextNamespaces to add.
      Returns:
      This builder for chaining.

    • addAllMetadataContextNamespaces

      public ExtAuthz.Builder addAllMetadataContextNamespaces(Iterable<String> values)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
 is passed as an opaque ``protobuf::Struct``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Parameters:
      values - The metadataContextNamespaces to add.
      Returns:
      This builder for chaining.

    • clearMetadataContextNamespaces

      public ExtAuthz.Builder clearMetadataContextNamespaces()
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
 is passed as an opaque ``protobuf::Struct``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Returns:
      This builder for chaining.

    • addMetadataContextNamespacesBytes

      public ExtAuthz.Builder addMetadataContextNamespacesBytes(com.google.protobuf.ByteString value)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
 is passed as an opaque ``protobuf::Struct``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Parameters:
      value - The bytes of the metadataContextNamespaces to add.
      Returns:
      This builder for chaining.

    • getTypedMetadataContextNamespacesList

      public com.google.protobuf.ProtocolStringList getTypedMetadataContextNamespacesList()
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
 is passed as a ``protobuf::Any``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share
 the protobuf message definition in order to perform safe parsing.
      repeated string typed_metadata_context_namespaces = 16;
      Specified by:
      getTypedMetadataContextNamespacesList in interface ExtAuthzOrBuilder
      Returns:
      A list containing the typedMetadataContextNamespaces.

    • getTypedMetadataContextNamespacesCount

      public int getTypedMetadataContextNamespacesCount()
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
 is passed as a ``protobuf::Any``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share
 the protobuf message definition in order to perform safe parsing.
      repeated string typed_metadata_context_namespaces = 16;
      Specified by:
      getTypedMetadataContextNamespacesCount in interface ExtAuthzOrBuilder
      Returns:
      The count of typedMetadataContextNamespaces.

    • getTypedMetadataContextNamespaces

      public String getTypedMetadataContextNamespaces(int index)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
 is passed as a ``protobuf::Any``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share
 the protobuf message definition in order to perform safe parsing.
      repeated string typed_metadata_context_namespaces = 16;
      Specified by:
      getTypedMetadataContextNamespaces in interface ExtAuthzOrBuilder
      Parameters:
      index - The index of the element to return.
      Returns:
      The typedMetadataContextNamespaces at the given index.

    • getTypedMetadataContextNamespacesBytes

      public com.google.protobuf.ByteString getTypedMetadataContextNamespacesBytes(int index)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
 is passed as a ``protobuf::Any``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share
 the protobuf message definition in order to perform safe parsing.
      repeated string typed_metadata_context_namespaces = 16;
      Specified by:
      getTypedMetadataContextNamespacesBytes in interface ExtAuthzOrBuilder
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the typedMetadataContextNamespaces at the given index.

    • setTypedMetadataContextNamespaces

      public ExtAuthz.Builder setTypedMetadataContextNamespaces(int index, String value)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
 is passed as a ``protobuf::Any``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share
 the protobuf message definition in order to perform safe parsing.
      repeated string typed_metadata_context_namespaces = 16;
      Parameters:
      index - The index to set the value at.
      value - The typedMetadataContextNamespaces to set.
      Returns:
      This builder for chaining.

    • addTypedMetadataContextNamespaces

      public ExtAuthz.Builder addTypedMetadataContextNamespaces(String value)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
 is passed as a ``protobuf::Any``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share
 the protobuf message definition in order to perform safe parsing.
      repeated string typed_metadata_context_namespaces = 16;
      Parameters:
      value - The typedMetadataContextNamespaces to add.
      Returns:
      This builder for chaining.

    • addAllTypedMetadataContextNamespaces

      public ExtAuthz.Builder addAllTypedMetadataContextNamespaces(Iterable<String> values)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
 is passed as a ``protobuf::Any``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share
 the protobuf message definition in order to perform safe parsing.
      repeated string typed_metadata_context_namespaces = 16;
      Parameters:
      values - The typedMetadataContextNamespaces to add.
      Returns:
      This builder for chaining.

    • clearTypedMetadataContextNamespaces

      public ExtAuthz.Builder clearTypedMetadataContextNamespaces()
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
 is passed as a ``protobuf::Any``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share
 the protobuf message definition in order to perform safe parsing.
      repeated string typed_metadata_context_namespaces = 16;
      Returns:
      This builder for chaining.

    • addTypedMetadataContextNamespacesBytes

      public ExtAuthz.Builder addTypedMetadataContextNamespacesBytes(com.google.protobuf.ByteString value)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
 is passed as a ``protobuf::Any``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share
 the protobuf message definition in order to perform safe parsing.
      repeated string typed_metadata_context_namespaces = 16;
      Parameters:
      value - The bytes of the typedMetadataContextNamespaces to add.
      Returns:
      This builder for chaining.

    • getRouteMetadataContextNamespacesList

      public com.google.protobuf.ProtocolStringList getRouteMetadataContextNamespacesList()
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
      repeated string route_metadata_context_namespaces = 21;
      Specified by:
      getRouteMetadataContextNamespacesList in interface ExtAuthzOrBuilder
      Returns:
      A list containing the routeMetadataContextNamespaces.

    • getRouteMetadataContextNamespacesCount

      public int getRouteMetadataContextNamespacesCount()
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
      repeated string route_metadata_context_namespaces = 21;
      Specified by:
      getRouteMetadataContextNamespacesCount in interface ExtAuthzOrBuilder
      Returns:
      The count of routeMetadataContextNamespaces.

    • getRouteMetadataContextNamespaces

      public String getRouteMetadataContextNamespaces(int index)
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
      repeated string route_metadata_context_namespaces = 21;
      Specified by:
      getRouteMetadataContextNamespaces in interface ExtAuthzOrBuilder
      Parameters:
      index - The index of the element to return.
      Returns:
      The routeMetadataContextNamespaces at the given index.

    • getRouteMetadataContextNamespacesBytes

      public com.google.protobuf.ByteString getRouteMetadataContextNamespacesBytes(int index)
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
      repeated string route_metadata_context_namespaces = 21;
      Specified by:
      getRouteMetadataContextNamespacesBytes in interface ExtAuthzOrBuilder
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the routeMetadataContextNamespaces at the given index.

    • setRouteMetadataContextNamespaces

      public ExtAuthz.Builder setRouteMetadataContextNamespaces(int index, String value)
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
      repeated string route_metadata_context_namespaces = 21;
      Parameters:
      index - The index to set the value at.
      value - The routeMetadataContextNamespaces to set.
      Returns:
      This builder for chaining.

    • addRouteMetadataContextNamespaces

      public ExtAuthz.Builder addRouteMetadataContextNamespaces(String value)
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
      repeated string route_metadata_context_namespaces = 21;
      Parameters:
      value - The routeMetadataContextNamespaces to add.
      Returns:
      This builder for chaining.

    • addAllRouteMetadataContextNamespaces

      public ExtAuthz.Builder addAllRouteMetadataContextNamespaces(Iterable<String> values)
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
      repeated string route_metadata_context_namespaces = 21;
      Parameters:
      values - The routeMetadataContextNamespaces to add.
      Returns:
      This builder for chaining.

    • clearRouteMetadataContextNamespaces

      public ExtAuthz.Builder clearRouteMetadataContextNamespaces()
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
      repeated string route_metadata_context_namespaces = 21;
      Returns:
      This builder for chaining.

    • addRouteMetadataContextNamespacesBytes

      public ExtAuthz.Builder addRouteMetadataContextNamespacesBytes(com.google.protobuf.ByteString value)
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
      repeated string route_metadata_context_namespaces = 21;
      Parameters:
      value - The bytes of the routeMetadataContextNamespaces to add.
      Returns:
      This builder for chaining.

    • getRouteTypedMetadataContextNamespacesList

      public com.google.protobuf.ProtocolStringList getRouteTypedMetadataContextNamespacesList()
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
      repeated string route_typed_metadata_context_namespaces = 22;
      Specified by:
      getRouteTypedMetadataContextNamespacesList in interface ExtAuthzOrBuilder
      Returns:
      A list containing the routeTypedMetadataContextNamespaces.

    • getRouteTypedMetadataContextNamespacesCount

      public int getRouteTypedMetadataContextNamespacesCount()
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
      repeated string route_typed_metadata_context_namespaces = 22;
      Specified by:
      getRouteTypedMetadataContextNamespacesCount in interface ExtAuthzOrBuilder
      Returns:
      The count of routeTypedMetadataContextNamespaces.

    • getRouteTypedMetadataContextNamespaces

      public String getRouteTypedMetadataContextNamespaces(int index)
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
      repeated string route_typed_metadata_context_namespaces = 22;
      Specified by:
      getRouteTypedMetadataContextNamespaces in interface ExtAuthzOrBuilder
      Parameters:
      index - The index of the element to return.
      Returns:
      The routeTypedMetadataContextNamespaces at the given index.

    • getRouteTypedMetadataContextNamespacesBytes

      public com.google.protobuf.ByteString getRouteTypedMetadataContextNamespacesBytes(int index)
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
      repeated string route_typed_metadata_context_namespaces = 22;
      Specified by:
      getRouteTypedMetadataContextNamespacesBytes in interface ExtAuthzOrBuilder
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the routeTypedMetadataContextNamespaces at the given index.

    • setRouteTypedMetadataContextNamespaces

      public ExtAuthz.Builder setRouteTypedMetadataContextNamespaces(int index, String value)
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
      repeated string route_typed_metadata_context_namespaces = 22;
      Parameters:
      index - The index to set the value at.
      value - The routeTypedMetadataContextNamespaces to set.
      Returns:
      This builder for chaining.

    • addRouteTypedMetadataContextNamespaces

      public ExtAuthz.Builder addRouteTypedMetadataContextNamespaces(String value)
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
      repeated string route_typed_metadata_context_namespaces = 22;
      Parameters:
      value - The routeTypedMetadataContextNamespaces to add.
      Returns:
      This builder for chaining.

    • addAllRouteTypedMetadataContextNamespaces

      public ExtAuthz.Builder addAllRouteTypedMetadataContextNamespaces(Iterable<String> values)
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
      repeated string route_typed_metadata_context_namespaces = 22;
      Parameters:
      values - The routeTypedMetadataContextNamespaces to add.
      Returns:
      This builder for chaining.

    • clearRouteTypedMetadataContextNamespaces

      public ExtAuthz.Builder clearRouteTypedMetadataContextNamespaces()
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
      repeated string route_typed_metadata_context_namespaces = 22;
      Returns:
      This builder for chaining.

    • addRouteTypedMetadataContextNamespacesBytes

      public ExtAuthz.Builder addRouteTypedMetadataContextNamespacesBytes(com.google.protobuf.ByteString value)
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
      repeated string route_typed_metadata_context_namespaces = 22;
      Parameters:
      value - The bytes of the routeTypedMetadataContextNamespaces to add.
      Returns:
      This builder for chaining.

    • hasFilterEnabled

      public boolean hasFilterEnabled()
       Specifies if the filter is enabled.

 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.

 If this field is not specified, the filter will be enabled for all requests.
      .envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;
      Specified by:
      hasFilterEnabled in interface ExtAuthzOrBuilder
      Returns:
      Whether the filterEnabled field is set.

    • getFilterEnabled

      public RuntimeFractionalPercent getFilterEnabled()
       Specifies if the filter is enabled.

 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.

 If this field is not specified, the filter will be enabled for all requests.
      .envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;
      Specified by:
      getFilterEnabled in interface ExtAuthzOrBuilder
      Returns:
      The filterEnabled.

    • setFilterEnabled

      public ExtAuthz.Builder setFilterEnabled(RuntimeFractionalPercent value)
       Specifies if the filter is enabled.

 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.

 If this field is not specified, the filter will be enabled for all requests.
      .envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;

    • setFilterEnabled

      public ExtAuthz.Builder setFilterEnabled(RuntimeFractionalPercent.Builder builderForValue)
       Specifies if the filter is enabled.

 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.

 If this field is not specified, the filter will be enabled for all requests.
      .envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;

    • mergeFilterEnabled

      public ExtAuthz.Builder mergeFilterEnabled(RuntimeFractionalPercent value)
       Specifies if the filter is enabled.

 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.

 If this field is not specified, the filter will be enabled for all requests.
      .envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;

    • clearFilterEnabled

      public ExtAuthz.Builder clearFilterEnabled()
       Specifies if the filter is enabled.

 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.

 If this field is not specified, the filter will be enabled for all requests.
      .envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;

    • getFilterEnabledBuilder

      public RuntimeFractionalPercent.Builder getFilterEnabledBuilder()
       Specifies if the filter is enabled.

 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.

 If this field is not specified, the filter will be enabled for all requests.
      .envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;

    • getFilterEnabledOrBuilder

      public RuntimeFractionalPercentOrBuilder getFilterEnabledOrBuilder()
       Specifies if the filter is enabled.

 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.

 If this field is not specified, the filter will be enabled for all requests.
      .envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;
      Specified by:
      getFilterEnabledOrBuilder in interface ExtAuthzOrBuilder

    • hasFilterEnabledMetadata

      public boolean hasFilterEnabledMetadata()
       Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.

 .. note::

   This field is only evaluated if the filter is instantiated. If the filter is marked with
   ``disabled: true`` in the :ref:`HttpFilter
   <envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.HttpFilter>`
   configuration or in per-route configuration via :ref:`ExtAuthzPerRoute
   <envoy_v3_api_msg_extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute>`,
   the filter will not be instantiated and this field will have no effect.

 .. tip::

   For dynamic filter activation based on metadata (such as metadata set by a preceding
   filter), consider using :ref:`ExtensionWithMatcher
   <envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>` instead. This
   provides a more flexible matching framework that can evaluate conditions before filter
   instantiation. See the :ref:`ext_authz filter documentation
   <config_http_filters_ext_authz>` for examples.
      .envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;
      Specified by:
      hasFilterEnabledMetadata in interface ExtAuthzOrBuilder
      Returns:
      Whether the filterEnabledMetadata field is set.

    • getFilterEnabledMetadata

      public MetadataMatcher getFilterEnabledMetadata()
       Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.

 .. note::

   This field is only evaluated if the filter is instantiated. If the filter is marked with
   ``disabled: true`` in the :ref:`HttpFilter
   <envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.HttpFilter>`
   configuration or in per-route configuration via :ref:`ExtAuthzPerRoute
   <envoy_v3_api_msg_extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute>`,
   the filter will not be instantiated and this field will have no effect.

 .. tip::

   For dynamic filter activation based on metadata (such as metadata set by a preceding
   filter), consider using :ref:`ExtensionWithMatcher
   <envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>` instead. This
   provides a more flexible matching framework that can evaluate conditions before filter
   instantiation. See the :ref:`ext_authz filter documentation
   <config_http_filters_ext_authz>` for examples.
      .envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;
      Specified by:
      getFilterEnabledMetadata in interface ExtAuthzOrBuilder
      Returns:
      The filterEnabledMetadata.

    • setFilterEnabledMetadata

      public ExtAuthz.Builder setFilterEnabledMetadata(MetadataMatcher value)
       Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.

 .. note::

   This field is only evaluated if the filter is instantiated. If the filter is marked with
   ``disabled: true`` in the :ref:`HttpFilter
   <envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.HttpFilter>`
   configuration or in per-route configuration via :ref:`ExtAuthzPerRoute
   <envoy_v3_api_msg_extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute>`,
   the filter will not be instantiated and this field will have no effect.

 .. tip::

   For dynamic filter activation based on metadata (such as metadata set by a preceding
   filter), consider using :ref:`ExtensionWithMatcher
   <envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>` instead. This
   provides a more flexible matching framework that can evaluate conditions before filter
   instantiation. See the :ref:`ext_authz filter documentation
   <config_http_filters_ext_authz>` for examples.
      .envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;

    • setFilterEnabledMetadata

      public ExtAuthz.Builder setFilterEnabledMetadata(MetadataMatcher.Builder builderForValue)
       Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.

 .. note::

   This field is only evaluated if the filter is instantiated. If the filter is marked with
   ``disabled: true`` in the :ref:`HttpFilter
   <envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.HttpFilter>`
   configuration or in per-route configuration via :ref:`ExtAuthzPerRoute
   <envoy_v3_api_msg_extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute>`,
   the filter will not be instantiated and this field will have no effect.

 .. tip::

   For dynamic filter activation based on metadata (such as metadata set by a preceding
   filter), consider using :ref:`ExtensionWithMatcher
   <envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>` instead. This
   provides a more flexible matching framework that can evaluate conditions before filter
   instantiation. See the :ref:`ext_authz filter documentation
   <config_http_filters_ext_authz>` for examples.
      .envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;

    • mergeFilterEnabledMetadata

      public ExtAuthz.Builder mergeFilterEnabledMetadata(MetadataMatcher value)
       Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.

 .. note::

   This field is only evaluated if the filter is instantiated. If the filter is marked with
   ``disabled: true`` in the :ref:`HttpFilter
   <envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.HttpFilter>`
   configuration or in per-route configuration via :ref:`ExtAuthzPerRoute
   <envoy_v3_api_msg_extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute>`,
   the filter will not be instantiated and this field will have no effect.

 .. tip::

   For dynamic filter activation based on metadata (such as metadata set by a preceding
   filter), consider using :ref:`ExtensionWithMatcher
   <envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>` instead. This
   provides a more flexible matching framework that can evaluate conditions before filter
   instantiation. See the :ref:`ext_authz filter documentation
   <config_http_filters_ext_authz>` for examples.
      .envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;

    • clearFilterEnabledMetadata

      public ExtAuthz.Builder clearFilterEnabledMetadata()
       Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.

 .. note::

   This field is only evaluated if the filter is instantiated. If the filter is marked with
   ``disabled: true`` in the :ref:`HttpFilter
   <envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.HttpFilter>`
   configuration or in per-route configuration via :ref:`ExtAuthzPerRoute
   <envoy_v3_api_msg_extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute>`,
   the filter will not be instantiated and this field will have no effect.

 .. tip::

   For dynamic filter activation based on metadata (such as metadata set by a preceding
   filter), consider using :ref:`ExtensionWithMatcher
   <envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>` instead. This
   provides a more flexible matching framework that can evaluate conditions before filter
   instantiation. See the :ref:`ext_authz filter documentation
   <config_http_filters_ext_authz>` for examples.
      .envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;

    • getFilterEnabledMetadataBuilder

      public MetadataMatcher.Builder getFilterEnabledMetadataBuilder()
       Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.

 .. note::

   This field is only evaluated if the filter is instantiated. If the filter is marked with
   ``disabled: true`` in the :ref:`HttpFilter
   <envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.HttpFilter>`
   configuration or in per-route configuration via :ref:`ExtAuthzPerRoute
   <envoy_v3_api_msg_extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute>`,
   the filter will not be instantiated and this field will have no effect.

 .. tip::

   For dynamic filter activation based on metadata (such as metadata set by a preceding
   filter), consider using :ref:`ExtensionWithMatcher
   <envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>` instead. This
   provides a more flexible matching framework that can evaluate conditions before filter
   instantiation. See the :ref:`ext_authz filter documentation
   <config_http_filters_ext_authz>` for examples.
      .envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;

    • getFilterEnabledMetadataOrBuilder

      public MetadataMatcherOrBuilder getFilterEnabledMetadataOrBuilder()
       Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.

 .. note::

   This field is only evaluated if the filter is instantiated. If the filter is marked with
   ``disabled: true`` in the :ref:`HttpFilter
   <envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.HttpFilter>`
   configuration or in per-route configuration via :ref:`ExtAuthzPerRoute
   <envoy_v3_api_msg_extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute>`,
   the filter will not be instantiated and this field will have no effect.

 .. tip::

   For dynamic filter activation based on metadata (such as metadata set by a preceding
   filter), consider using :ref:`ExtensionWithMatcher
   <envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>` instead. This
   provides a more flexible matching framework that can evaluate conditions before filter
   instantiation. See the :ref:`ext_authz filter documentation
   <config_http_filters_ext_authz>` for examples.
      .envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;
      Specified by:
      getFilterEnabledMetadataOrBuilder in interface ExtAuthzOrBuilder

    • hasDenyAtDisable

      public boolean hasDenyAtDisable()
       Specifies whether to deny the requests when the filter is disabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths
 when the filter is disabled. If the filter is disabled in ``typed_per_filter_config`` for the path,
 requests will not be denied.

 If this field is not specified, all requests will be allowed when disabled.

 If a request is denied due to this setting, the response code in :ref:`status_on_error
 <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
 be returned.
      .envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;
      Specified by:
      hasDenyAtDisable in interface ExtAuthzOrBuilder
      Returns:
      Whether the denyAtDisable field is set.

    • getDenyAtDisable

      public RuntimeFeatureFlag getDenyAtDisable()
       Specifies whether to deny the requests when the filter is disabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths
 when the filter is disabled. If the filter is disabled in ``typed_per_filter_config`` for the path,
 requests will not be denied.

 If this field is not specified, all requests will be allowed when disabled.

 If a request is denied due to this setting, the response code in :ref:`status_on_error
 <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
 be returned.
      .envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;
      Specified by:
      getDenyAtDisable in interface ExtAuthzOrBuilder
      Returns:
      The denyAtDisable.

    • setDenyAtDisable

      public ExtAuthz.Builder setDenyAtDisable(RuntimeFeatureFlag value)
       Specifies whether to deny the requests when the filter is disabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths
 when the filter is disabled. If the filter is disabled in ``typed_per_filter_config`` for the path,
 requests will not be denied.

 If this field is not specified, all requests will be allowed when disabled.

 If a request is denied due to this setting, the response code in :ref:`status_on_error
 <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
 be returned.
      .envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;

    • setDenyAtDisable

      public ExtAuthz.Builder setDenyAtDisable(RuntimeFeatureFlag.Builder builderForValue)
       Specifies whether to deny the requests when the filter is disabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths
 when the filter is disabled. If the filter is disabled in ``typed_per_filter_config`` for the path,
 requests will not be denied.

 If this field is not specified, all requests will be allowed when disabled.

 If a request is denied due to this setting, the response code in :ref:`status_on_error
 <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
 be returned.
      .envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;

    • mergeDenyAtDisable

      public ExtAuthz.Builder mergeDenyAtDisable(RuntimeFeatureFlag value)
       Specifies whether to deny the requests when the filter is disabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths
 when the filter is disabled. If the filter is disabled in ``typed_per_filter_config`` for the path,
 requests will not be denied.

 If this field is not specified, all requests will be allowed when disabled.

 If a request is denied due to this setting, the response code in :ref:`status_on_error
 <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
 be returned.
      .envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;

    • clearDenyAtDisable

      public ExtAuthz.Builder clearDenyAtDisable()
       Specifies whether to deny the requests when the filter is disabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths
 when the filter is disabled. If the filter is disabled in ``typed_per_filter_config`` for the path,
 requests will not be denied.

 If this field is not specified, all requests will be allowed when disabled.

 If a request is denied due to this setting, the response code in :ref:`status_on_error
 <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
 be returned.
      .envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;

    • getDenyAtDisableBuilder

      public RuntimeFeatureFlag.Builder getDenyAtDisableBuilder()
       Specifies whether to deny the requests when the filter is disabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths
 when the filter is disabled. If the filter is disabled in ``typed_per_filter_config`` for the path,
 requests will not be denied.

 If this field is not specified, all requests will be allowed when disabled.

 If a request is denied due to this setting, the response code in :ref:`status_on_error
 <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
 be returned.
      .envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;

    • getDenyAtDisableOrBuilder

      public RuntimeFeatureFlagOrBuilder getDenyAtDisableOrBuilder()
       Specifies whether to deny the requests when the filter is disabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths
 when the filter is disabled. If the filter is disabled in ``typed_per_filter_config`` for the path,
 requests will not be denied.

 If this field is not specified, all requests will be allowed when disabled.

 If a request is denied due to this setting, the response code in :ref:`status_on_error
 <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
 be returned.
      .envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;
      Specified by:
      getDenyAtDisableOrBuilder in interface ExtAuthzOrBuilder

    • getIncludePeerCertificate

      public boolean getIncludePeerCertificate()
       Specifies if the peer certificate is sent to the external service.

 When this field is ``true``, Envoy will include the peer X.509 certificate, if available, in the
 :ref:`certificate<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.certificate>`.
      bool include_peer_certificate = 10;
      Specified by:
      getIncludePeerCertificate in interface ExtAuthzOrBuilder
      Returns:
      The includePeerCertificate.

    • setIncludePeerCertificate

      public ExtAuthz.Builder setIncludePeerCertificate(boolean value)
       Specifies if the peer certificate is sent to the external service.

 When this field is ``true``, Envoy will include the peer X.509 certificate, if available, in the
 :ref:`certificate<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.certificate>`.
      bool include_peer_certificate = 10;
      Parameters:
      value - The includePeerCertificate to set.
      Returns:
      This builder for chaining.

    • clearIncludePeerCertificate

      public ExtAuthz.Builder clearIncludePeerCertificate()
       Specifies if the peer certificate is sent to the external service.

 When this field is ``true``, Envoy will include the peer X.509 certificate, if available, in the
 :ref:`certificate<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.certificate>`.
      bool include_peer_certificate = 10;
      Returns:
      This builder for chaining.

    • getStatPrefix

      public String getStatPrefix()
       Optional additional prefix to use when emitting statistics. This allows distinguishing
 emitted statistics between configured ``ext_authz`` filters in an HTTP filter chain. For example:

 .. code-block:: yaml

   http_filters:
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc.
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc.
      string stat_prefix = 13;
      Specified by:
      getStatPrefix in interface ExtAuthzOrBuilder
      Returns:
      The statPrefix.

    • getStatPrefixBytes

      public com.google.protobuf.ByteString getStatPrefixBytes()
       Optional additional prefix to use when emitting statistics. This allows distinguishing
 emitted statistics between configured ``ext_authz`` filters in an HTTP filter chain. For example:

 .. code-block:: yaml

   http_filters:
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc.
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc.
      string stat_prefix = 13;
      Specified by:
      getStatPrefixBytes in interface ExtAuthzOrBuilder
      Returns:
      The bytes for statPrefix.

    • setStatPrefix

      public ExtAuthz.Builder setStatPrefix(String value)
       Optional additional prefix to use when emitting statistics. This allows distinguishing
 emitted statistics between configured ``ext_authz`` filters in an HTTP filter chain. For example:

 .. code-block:: yaml

   http_filters:
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc.
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc.
      string stat_prefix = 13;
      Parameters:
      value - The statPrefix to set.
      Returns:
      This builder for chaining.

    • clearStatPrefix

      public ExtAuthz.Builder clearStatPrefix()
       Optional additional prefix to use when emitting statistics. This allows distinguishing
 emitted statistics between configured ``ext_authz`` filters in an HTTP filter chain. For example:

 .. code-block:: yaml

   http_filters:
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc.
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc.
      string stat_prefix = 13;
      Returns:
      This builder for chaining.

    • setStatPrefixBytes

      public ExtAuthz.Builder setStatPrefixBytes(com.google.protobuf.ByteString value)
       Optional additional prefix to use when emitting statistics. This allows distinguishing
 emitted statistics between configured ``ext_authz`` filters in an HTTP filter chain. For example:

 .. code-block:: yaml

   http_filters:
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc.
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc.
      string stat_prefix = 13;
      Parameters:
      value - The bytes for statPrefix to set.
      Returns:
      This builder for chaining.

    • getBootstrapMetadataLabelsKey

      public String getBootstrapMetadataLabelsKey()
       Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in
 :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
 The labels will be read from :ref:`metadata<envoy_v3_api_msg_config.core.v3.Node>` with the specified key.
      string bootstrap_metadata_labels_key = 15;
      Specified by:
      getBootstrapMetadataLabelsKey in interface ExtAuthzOrBuilder
      Returns:
      The bootstrapMetadataLabelsKey.

    • getBootstrapMetadataLabelsKeyBytes

      public com.google.protobuf.ByteString getBootstrapMetadataLabelsKeyBytes()
       Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in
 :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
 The labels will be read from :ref:`metadata<envoy_v3_api_msg_config.core.v3.Node>` with the specified key.
      string bootstrap_metadata_labels_key = 15;
      Specified by:
      getBootstrapMetadataLabelsKeyBytes in interface ExtAuthzOrBuilder
      Returns:
      The bytes for bootstrapMetadataLabelsKey.

    • setBootstrapMetadataLabelsKey

      public ExtAuthz.Builder setBootstrapMetadataLabelsKey(String value)
       Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in
 :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
 The labels will be read from :ref:`metadata<envoy_v3_api_msg_config.core.v3.Node>` with the specified key.
      string bootstrap_metadata_labels_key = 15;
      Parameters:
      value - The bootstrapMetadataLabelsKey to set.
      Returns:
      This builder for chaining.

    • clearBootstrapMetadataLabelsKey

      public ExtAuthz.Builder clearBootstrapMetadataLabelsKey()
       Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in
 :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
 The labels will be read from :ref:`metadata<envoy_v3_api_msg_config.core.v3.Node>` with the specified key.
      string bootstrap_metadata_labels_key = 15;
      Returns:
      This builder for chaining.

    • setBootstrapMetadataLabelsKeyBytes

      public ExtAuthz.Builder setBootstrapMetadataLabelsKeyBytes(com.google.protobuf.ByteString value)
       Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in
 :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
 The labels will be read from :ref:`metadata<envoy_v3_api_msg_config.core.v3.Node>` with the specified key.
      string bootstrap_metadata_labels_key = 15;
      Parameters:
      value - The bytes for bootstrapMetadataLabelsKey to set.
      Returns:
      This builder for chaining.

    • hasAllowedHeaders

      public boolean hasAllowedHeaders()
       Check request to authorization server will include the client request headers that have a correspondent match
 in the list. If this option isn't specified, then
 all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers
 (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server.
 This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior.

 .. note::

  For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``,
  ``Content-Length``, and ``Authorization`` are **additionally included** in the list.

 .. note::

  For requests to an HTTP authorization server: the value of ``Content-Length`` will be set to ``0`` and the request to the
  authorization server will not have a message body. However, the check request can include the buffered
  client request body (controlled by :ref:`with_request_body
  <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting);
  consequently, the value of ``Content-Length`` in the authorization request reflects the size of its payload.

 .. note::

  This can be overridden by the field ``disallowed_headers`` below. That is, if a header
  matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent.
      .envoy.type.matcher.v3.ListStringMatcher allowed_headers = 17;
      Specified by:
      hasAllowedHeaders in interface ExtAuthzOrBuilder
      Returns:
      Whether the allowedHeaders field is set.

    • getAllowedHeaders

      public ListStringMatcher getAllowedHeaders()
       Check request to authorization server will include the client request headers that have a correspondent match
 in the list. If this option isn't specified, then
 all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers
 (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server.
 This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior.

 .. note::

  For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``,
  ``Content-Length``, and ``Authorization`` are **additionally included** in the list.

 .. note::

  For requests to an HTTP authorization server: the value of ``Content-Length`` will be set to ``0`` and the request to the
  authorization server will not have a message body. However, the check request can include the buffered
  client request body (controlled by :ref:`with_request_body
  <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting);
  consequently, the value of ``Content-Length`` in the authorization request reflects the size of its payload.

 .. note::

  This can be overridden by the field ``disallowed_headers`` below. That is, if a header
  matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent.
      .envoy.type.matcher.v3.ListStringMatcher allowed_headers = 17;
      Specified by:
      getAllowedHeaders in interface ExtAuthzOrBuilder
      Returns:
      The allowedHeaders.

    • setAllowedHeaders

      public ExtAuthz.Builder setAllowedHeaders(ListStringMatcher value)
       Check request to authorization server will include the client request headers that have a correspondent match
 in the list. If this option isn't specified, then
 all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers
 (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server.
 This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior.

 .. note::

  For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``,
  ``Content-Length``, and ``Authorization`` are **additionally included** in the list.

 .. note::

  For requests to an HTTP authorization server: the value of ``Content-Length`` will be set to ``0`` and the request to the
  authorization server will not have a message body. However, the check request can include the buffered
  client request body (controlled by :ref:`with_request_body
  <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting);
  consequently, the value of ``Content-Length`` in the authorization request reflects the size of its payload.

 .. note::

  This can be overridden by the field ``disallowed_headers`` below. That is, if a header
  matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent.
      .envoy.type.matcher.v3.ListStringMatcher allowed_headers = 17;

    • setAllowedHeaders

      public ExtAuthz.Builder setAllowedHeaders(ListStringMatcher.Builder builderForValue)
       Check request to authorization server will include the client request headers that have a correspondent match
 in the list. If this option isn't specified, then
 all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers
 (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server.
 This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior.

 .. note::

  For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``,
  ``Content-Length``, and ``Authorization`` are **additionally included** in the list.

 .. note::

  For requests to an HTTP authorization server: the value of ``Content-Length`` will be set to ``0`` and the request to the
  authorization server will not have a message body. However, the check request can include the buffered
  client request body (controlled by :ref:`with_request_body
  <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting);
  consequently, the value of ``Content-Length`` in the authorization request reflects the size of its payload.

 .. note::

  This can be overridden by the field ``disallowed_headers`` below. That is, if a header
  matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent.
      .envoy.type.matcher.v3.ListStringMatcher allowed_headers = 17;

    • mergeAllowedHeaders

      public ExtAuthz.Builder mergeAllowedHeaders(ListStringMatcher value)
       Check request to authorization server will include the client request headers that have a correspondent match
 in the list. If this option isn't specified, then
 all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers
 (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server.
 This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior.

 .. note::

  For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``,
  ``Content-Length``, and ``Authorization`` are **additionally included** in the list.

 .. note::

  For requests to an HTTP authorization server: the value of ``Content-Length`` will be set to ``0`` and the request to the
  authorization server will not have a message body. However, the check request can include the buffered
  client request body (controlled by :ref:`with_request_body
  <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting);
  consequently, the value of ``Content-Length`` in the authorization request reflects the size of its payload.

 .. note::

  This can be overridden by the field ``disallowed_headers`` below. That is, if a header
  matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent.
      .envoy.type.matcher.v3.ListStringMatcher allowed_headers = 17;

    • clearAllowedHeaders

      public ExtAuthz.Builder clearAllowedHeaders()
       Check request to authorization server will include the client request headers that have a correspondent match
 in the list. If this option isn't specified, then
 all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers
 (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server.
 This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior.

 .. note::

  For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``,
  ``Content-Length``, and ``Authorization`` are **additionally included** in the list.

 .. note::

  For requests to an HTTP authorization server: the value of ``Content-Length`` will be set to ``0`` and the request to the
  authorization server will not have a message body. However, the check request can include the buffered
  client request body (controlled by :ref:`with_request_body
  <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting);
  consequently, the value of ``Content-Length`` in the authorization request reflects the size of its payload.

 .. note::

  This can be overridden by the field ``disallowed_headers`` below. That is, if a header
  matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent.
      .envoy.type.matcher.v3.ListStringMatcher allowed_headers = 17;

    • getAllowedHeadersBuilder

      public ListStringMatcher.Builder getAllowedHeadersBuilder()
       Check request to authorization server will include the client request headers that have a correspondent match
 in the list. If this option isn't specified, then
 all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers
 (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server.
 This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior.

 .. note::

  For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``,
  ``Content-Length``, and ``Authorization`` are **additionally included** in the list.

 .. note::

  For requests to an HTTP authorization server: the value of ``Content-Length`` will be set to ``0`` and the request to the
  authorization server will not have a message body. However, the check request can include the buffered
  client request body (controlled by :ref:`with_request_body
  <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting);
  consequently, the value of ``Content-Length`` in the authorization request reflects the size of its payload.

 .. note::

  This can be overridden by the field ``disallowed_headers`` below. That is, if a header
  matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent.
      .envoy.type.matcher.v3.ListStringMatcher allowed_headers = 17;

    • getAllowedHeadersOrBuilder

      public ListStringMatcherOrBuilder getAllowedHeadersOrBuilder()
       Check request to authorization server will include the client request headers that have a correspondent match
 in the list. If this option isn't specified, then
 all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers
 (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server.
 This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior.

 .. note::

  For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``,
  ``Content-Length``, and ``Authorization`` are **additionally included** in the list.

 .. note::

  For requests to an HTTP authorization server: the value of ``Content-Length`` will be set to ``0`` and the request to the
  authorization server will not have a message body. However, the check request can include the buffered
  client request body (controlled by :ref:`with_request_body
  <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting);
  consequently, the value of ``Content-Length`` in the authorization request reflects the size of its payload.

 .. note::

  This can be overridden by the field ``disallowed_headers`` below. That is, if a header
  matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent.
      .envoy.type.matcher.v3.ListStringMatcher allowed_headers = 17;
      Specified by:
      getAllowedHeadersOrBuilder in interface ExtAuthzOrBuilder

    • hasDisallowedHeaders

      public boolean hasDisallowedHeaders()
       If set, specifically disallow any header in this list to be forwarded to the external
 authentication server. This overrides the above ``allowed_headers`` if a header matches both.
      .envoy.type.matcher.v3.ListStringMatcher disallowed_headers = 25;
      Specified by:
      hasDisallowedHeaders in interface ExtAuthzOrBuilder
      Returns:
      Whether the disallowedHeaders field is set.

    • getDisallowedHeaders

      public ListStringMatcher getDisallowedHeaders()
       If set, specifically disallow any header in this list to be forwarded to the external
 authentication server. This overrides the above ``allowed_headers`` if a header matches both.
      .envoy.type.matcher.v3.ListStringMatcher disallowed_headers = 25;
      Specified by:
      getDisallowedHeaders in interface ExtAuthzOrBuilder
      Returns:
      The disallowedHeaders.

    • setDisallowedHeaders

      public ExtAuthz.Builder setDisallowedHeaders(ListStringMatcher value)
       If set, specifically disallow any header in this list to be forwarded to the external
 authentication server. This overrides the above ``allowed_headers`` if a header matches both.
      .envoy.type.matcher.v3.ListStringMatcher disallowed_headers = 25;

    • setDisallowedHeaders

      public ExtAuthz.Builder setDisallowedHeaders(ListStringMatcher.Builder builderForValue)
       If set, specifically disallow any header in this list to be forwarded to the external
 authentication server. This overrides the above ``allowed_headers`` if a header matches both.
      .envoy.type.matcher.v3.ListStringMatcher disallowed_headers = 25;

    • mergeDisallowedHeaders

      public ExtAuthz.Builder mergeDisallowedHeaders(ListStringMatcher value)
       If set, specifically disallow any header in this list to be forwarded to the external
 authentication server. This overrides the above ``allowed_headers`` if a header matches both.
      .envoy.type.matcher.v3.ListStringMatcher disallowed_headers = 25;

    • clearDisallowedHeaders

      public ExtAuthz.Builder clearDisallowedHeaders()
       If set, specifically disallow any header in this list to be forwarded to the external
 authentication server. This overrides the above ``allowed_headers`` if a header matches both.
      .envoy.type.matcher.v3.ListStringMatcher disallowed_headers = 25;

    • getDisallowedHeadersBuilder

      public ListStringMatcher.Builder getDisallowedHeadersBuilder()
       If set, specifically disallow any header in this list to be forwarded to the external
 authentication server. This overrides the above ``allowed_headers`` if a header matches both.
      .envoy.type.matcher.v3.ListStringMatcher disallowed_headers = 25;

    • getDisallowedHeadersOrBuilder

      public ListStringMatcherOrBuilder getDisallowedHeadersOrBuilder()
       If set, specifically disallow any header in this list to be forwarded to the external
 authentication server. This overrides the above ``allowed_headers`` if a header matches both.
      .envoy.type.matcher.v3.ListStringMatcher disallowed_headers = 25;
      Specified by:
      getDisallowedHeadersOrBuilder in interface ExtAuthzOrBuilder

    • getIncludeTlsSession

      public boolean getIncludeTlsSession()
       Specifies if the TLS session level details like SNI are sent to the external service.

 When this field is ``true``, Envoy will include the SNI name used for TLSClientHello, if available, in the
 :ref:`tls_session<envoy_v3_api_field_service.auth.v3.AttributeContext.tls_session>`.
      bool include_tls_session = 18;
      Specified by:
      getIncludeTlsSession in interface ExtAuthzOrBuilder
      Returns:
      The includeTlsSession.

    • setIncludeTlsSession

      public ExtAuthz.Builder setIncludeTlsSession(boolean value)
       Specifies if the TLS session level details like SNI are sent to the external service.

 When this field is ``true``, Envoy will include the SNI name used for TLSClientHello, if available, in the
 :ref:`tls_session<envoy_v3_api_field_service.auth.v3.AttributeContext.tls_session>`.
      bool include_tls_session = 18;
      Parameters:
      value - The includeTlsSession to set.
      Returns:
      This builder for chaining.

    • clearIncludeTlsSession

      public ExtAuthz.Builder clearIncludeTlsSession()
       Specifies if the TLS session level details like SNI are sent to the external service.

 When this field is ``true``, Envoy will include the SNI name used for TLSClientHello, if available, in the
 :ref:`tls_session<envoy_v3_api_field_service.auth.v3.AttributeContext.tls_session>`.
      bool include_tls_session = 18;
      Returns:
      This builder for chaining.

    • hasChargeClusterResponseStats

      public boolean hasChargeClusterResponseStats()
       Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
 Defaults to ``true``.
      .google.protobuf.BoolValue charge_cluster_response_stats = 20;
      Specified by:
      hasChargeClusterResponseStats in interface ExtAuthzOrBuilder
      Returns:
      Whether the chargeClusterResponseStats field is set.

    • getChargeClusterResponseStats

      public com.google.protobuf.BoolValue getChargeClusterResponseStats()
       Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
 Defaults to ``true``.
      .google.protobuf.BoolValue charge_cluster_response_stats = 20;
      Specified by:
      getChargeClusterResponseStats in interface ExtAuthzOrBuilder
      Returns:
      The chargeClusterResponseStats.

    • setChargeClusterResponseStats

      public ExtAuthz.Builder setChargeClusterResponseStats(com.google.protobuf.BoolValue value)
       Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
 Defaults to ``true``.
      .google.protobuf.BoolValue charge_cluster_response_stats = 20;

    • setChargeClusterResponseStats

      public ExtAuthz.Builder setChargeClusterResponseStats(com.google.protobuf.BoolValue.Builder builderForValue)
       Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
 Defaults to ``true``.
      .google.protobuf.BoolValue charge_cluster_response_stats = 20;

    • mergeChargeClusterResponseStats

      public ExtAuthz.Builder mergeChargeClusterResponseStats(com.google.protobuf.BoolValue value)
       Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
 Defaults to ``true``.
      .google.protobuf.BoolValue charge_cluster_response_stats = 20;

    • clearChargeClusterResponseStats

      public ExtAuthz.Builder clearChargeClusterResponseStats()
       Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
 Defaults to ``true``.
      .google.protobuf.BoolValue charge_cluster_response_stats = 20;

    • getChargeClusterResponseStatsBuilder

      public com.google.protobuf.BoolValue.Builder getChargeClusterResponseStatsBuilder()
       Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
 Defaults to ``true``.
      .google.protobuf.BoolValue charge_cluster_response_stats = 20;

    • getChargeClusterResponseStatsOrBuilder

      public com.google.protobuf.BoolValueOrBuilder getChargeClusterResponseStatsOrBuilder()
       Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
 Defaults to ``true``.
      .google.protobuf.BoolValue charge_cluster_response_stats = 20;
      Specified by:
      getChargeClusterResponseStatsOrBuilder in interface ExtAuthzOrBuilder

    • getEncodeRawHeaders

      public boolean getEncodeRawHeaders()
       Whether to encode the raw headers (i.e., unsanitized values and unconcatenated multi-line headers)
 in the authorization request. Works with both HTTP and gRPC clients.

 When this is set to ``true``, header values are not sanitized. Headers with the same key will also
 not be combined into a single, comma-separated header.
 Requests to gRPC services will populate the field
 :ref:`header_map<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.header_map>`.
 Requests to HTTP services will be constructed with the unsanitized header values and preserved
 multi-line headers with the same key.

 If this field is set to ``false``, header values will be sanitized, with any non-UTF-8-compliant
 bytes replaced with ``'!'``. Headers with the same key will have their values concatenated into a
 single comma-separated header value.
 Requests to gRPC services will populate the field
 :ref:`headers<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.headers>`.
 Requests to HTTP services will have their header values sanitized and will not preserve
 multi-line headers with the same key.

 It is recommended to set this to ``true`` unless you rely on the previous behavior.

 It is set to ``false`` by default for backwards compatibility.
      bool encode_raw_headers = 23;
      Specified by:
      getEncodeRawHeaders in interface ExtAuthzOrBuilder
      Returns:
      The encodeRawHeaders.

    • setEncodeRawHeaders

      public ExtAuthz.Builder setEncodeRawHeaders(boolean value)
       Whether to encode the raw headers (i.e., unsanitized values and unconcatenated multi-line headers)
 in the authorization request. Works with both HTTP and gRPC clients.

 When this is set to ``true``, header values are not sanitized. Headers with the same key will also
 not be combined into a single, comma-separated header.
 Requests to gRPC services will populate the field
 :ref:`header_map<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.header_map>`.
 Requests to HTTP services will be constructed with the unsanitized header values and preserved
 multi-line headers with the same key.

 If this field is set to ``false``, header values will be sanitized, with any non-UTF-8-compliant
 bytes replaced with ``'!'``. Headers with the same key will have their values concatenated into a
 single comma-separated header value.
 Requests to gRPC services will populate the field
 :ref:`headers<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.headers>`.
 Requests to HTTP services will have their header values sanitized and will not preserve
 multi-line headers with the same key.

 It is recommended to set this to ``true`` unless you rely on the previous behavior.

 It is set to ``false`` by default for backwards compatibility.
      bool encode_raw_headers = 23;
      Parameters:
      value - The encodeRawHeaders to set.
      Returns:
      This builder for chaining.

    • clearEncodeRawHeaders

      public ExtAuthz.Builder clearEncodeRawHeaders()
       Whether to encode the raw headers (i.e., unsanitized values and unconcatenated multi-line headers)
 in the authorization request. Works with both HTTP and gRPC clients.

 When this is set to ``true``, header values are not sanitized. Headers with the same key will also
 not be combined into a single, comma-separated header.
 Requests to gRPC services will populate the field
 :ref:`header_map<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.header_map>`.
 Requests to HTTP services will be constructed with the unsanitized header values and preserved
 multi-line headers with the same key.

 If this field is set to ``false``, header values will be sanitized, with any non-UTF-8-compliant
 bytes replaced with ``'!'``. Headers with the same key will have their values concatenated into a
 single comma-separated header value.
 Requests to gRPC services will populate the field
 :ref:`headers<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.headers>`.
 Requests to HTTP services will have their header values sanitized and will not preserve
 multi-line headers with the same key.

 It is recommended to set this to ``true`` unless you rely on the previous behavior.

 It is set to ``false`` by default for backwards compatibility.
      bool encode_raw_headers = 23;
      Returns:
      This builder for chaining.

    • hasDecoderHeaderMutationRules

      public boolean hasDecoderHeaderMutationRules()
       Rules for what modifications an ext_authz server may make to the request headers before
 continuing decoding or forwarding upstream.

 If set, enables header mutation checking against the configured rules. Note that
 :ref:`HeaderMutationRules <envoy_v3_api_msg_config.common.mutation_rules.v3.HeaderMutationRules>`
 has defaults that change ext_authz behavior. Also note that if this field is set,
 ext_authz can no longer append to ``:``-prefixed headers.

 If unset, header mutation rule checking is completely disabled.

 Regardless of what is configured here, ext_authz cannot remove ``:``-prefixed headers.

 This field and ``validate_mutations`` have different use cases. ``validate_mutations`` enables
 correctness checks for all header and query parameter mutations (for example, invalid characters).
 This field allows the filter to reject mutations to specific headers.
      .envoy.config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26;
      Specified by:
      hasDecoderHeaderMutationRules in interface ExtAuthzOrBuilder
      Returns:
      Whether the decoderHeaderMutationRules field is set.

    • getDecoderHeaderMutationRules

      public HeaderMutationRules getDecoderHeaderMutationRules()
       Rules for what modifications an ext_authz server may make to the request headers before
 continuing decoding or forwarding upstream.

 If set, enables header mutation checking against the configured rules. Note that
 :ref:`HeaderMutationRules <envoy_v3_api_msg_config.common.mutation_rules.v3.HeaderMutationRules>`
 has defaults that change ext_authz behavior. Also note that if this field is set,
 ext_authz can no longer append to ``:``-prefixed headers.

 If unset, header mutation rule checking is completely disabled.

 Regardless of what is configured here, ext_authz cannot remove ``:``-prefixed headers.

 This field and ``validate_mutations`` have different use cases. ``validate_mutations`` enables
 correctness checks for all header and query parameter mutations (for example, invalid characters).
 This field allows the filter to reject mutations to specific headers.
      .envoy.config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26;
      Specified by:
      getDecoderHeaderMutationRules in interface ExtAuthzOrBuilder
      Returns:
      The decoderHeaderMutationRules.

    • setDecoderHeaderMutationRules

      public ExtAuthz.Builder setDecoderHeaderMutationRules(HeaderMutationRules value)
       Rules for what modifications an ext_authz server may make to the request headers before
 continuing decoding or forwarding upstream.

 If set, enables header mutation checking against the configured rules. Note that
 :ref:`HeaderMutationRules <envoy_v3_api_msg_config.common.mutation_rules.v3.HeaderMutationRules>`
 has defaults that change ext_authz behavior. Also note that if this field is set,
 ext_authz can no longer append to ``:``-prefixed headers.

 If unset, header mutation rule checking is completely disabled.

 Regardless of what is configured here, ext_authz cannot remove ``:``-prefixed headers.

 This field and ``validate_mutations`` have different use cases. ``validate_mutations`` enables
 correctness checks for all header and query parameter mutations (for example, invalid characters).
 This field allows the filter to reject mutations to specific headers.
      .envoy.config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26;

    • setDecoderHeaderMutationRules

      public ExtAuthz.Builder setDecoderHeaderMutationRules(HeaderMutationRules.Builder builderForValue)
       Rules for what modifications an ext_authz server may make to the request headers before
 continuing decoding or forwarding upstream.

 If set, enables header mutation checking against the configured rules. Note that
 :ref:`HeaderMutationRules <envoy_v3_api_msg_config.common.mutation_rules.v3.HeaderMutationRules>`
 has defaults that change ext_authz behavior. Also note that if this field is set,
 ext_authz can no longer append to ``:``-prefixed headers.

 If unset, header mutation rule checking is completely disabled.

 Regardless of what is configured here, ext_authz cannot remove ``:``-prefixed headers.

 This field and ``validate_mutations`` have different use cases. ``validate_mutations`` enables
 correctness checks for all header and query parameter mutations (for example, invalid characters).
 This field allows the filter to reject mutations to specific headers.
      .envoy.config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26;

    • mergeDecoderHeaderMutationRules

      public ExtAuthz.Builder mergeDecoderHeaderMutationRules(HeaderMutationRules value)
       Rules for what modifications an ext_authz server may make to the request headers before
 continuing decoding or forwarding upstream.

 If set, enables header mutation checking against the configured rules. Note that
 :ref:`HeaderMutationRules <envoy_v3_api_msg_config.common.mutation_rules.v3.HeaderMutationRules>`
 has defaults that change ext_authz behavior. Also note that if this field is set,
 ext_authz can no longer append to ``:``-prefixed headers.

 If unset, header mutation rule checking is completely disabled.

 Regardless of what is configured here, ext_authz cannot remove ``:``-prefixed headers.

 This field and ``validate_mutations`` have different use cases. ``validate_mutations`` enables
 correctness checks for all header and query parameter mutations (for example, invalid characters).
 This field allows the filter to reject mutations to specific headers.
      .envoy.config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26;

    • clearDecoderHeaderMutationRules

      public ExtAuthz.Builder clearDecoderHeaderMutationRules()
       Rules for what modifications an ext_authz server may make to the request headers before
 continuing decoding or forwarding upstream.

 If set, enables header mutation checking against the configured rules. Note that
 :ref:`HeaderMutationRules <envoy_v3_api_msg_config.common.mutation_rules.v3.HeaderMutationRules>`
 has defaults that change ext_authz behavior. Also note that if this field is set,
 ext_authz can no longer append to ``:``-prefixed headers.

 If unset, header mutation rule checking is completely disabled.

 Regardless of what is configured here, ext_authz cannot remove ``:``-prefixed headers.

 This field and ``validate_mutations`` have different use cases. ``validate_mutations`` enables
 correctness checks for all header and query parameter mutations (for example, invalid characters).
 This field allows the filter to reject mutations to specific headers.
      .envoy.config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26;

    • getDecoderHeaderMutationRulesBuilder

      public HeaderMutationRules.Builder getDecoderHeaderMutationRulesBuilder()
       Rules for what modifications an ext_authz server may make to the request headers before
 continuing decoding or forwarding upstream.

 If set, enables header mutation checking against the configured rules. Note that
 :ref:`HeaderMutationRules <envoy_v3_api_msg_config.common.mutation_rules.v3.HeaderMutationRules>`
 has defaults that change ext_authz behavior. Also note that if this field is set,
 ext_authz can no longer append to ``:``-prefixed headers.

 If unset, header mutation rule checking is completely disabled.

 Regardless of what is configured here, ext_authz cannot remove ``:``-prefixed headers.

 This field and ``validate_mutations`` have different use cases. ``validate_mutations`` enables
 correctness checks for all header and query parameter mutations (for example, invalid characters).
 This field allows the filter to reject mutations to specific headers.
      .envoy.config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26;

    • getDecoderHeaderMutationRulesOrBuilder

      public HeaderMutationRulesOrBuilder getDecoderHeaderMutationRulesOrBuilder()
       Rules for what modifications an ext_authz server may make to the request headers before
 continuing decoding or forwarding upstream.

 If set, enables header mutation checking against the configured rules. Note that
 :ref:`HeaderMutationRules <envoy_v3_api_msg_config.common.mutation_rules.v3.HeaderMutationRules>`
 has defaults that change ext_authz behavior. Also note that if this field is set,
 ext_authz can no longer append to ``:``-prefixed headers.

 If unset, header mutation rule checking is completely disabled.

 Regardless of what is configured here, ext_authz cannot remove ``:``-prefixed headers.

 This field and ``validate_mutations`` have different use cases. ``validate_mutations`` enables
 correctness checks for all header and query parameter mutations (for example, invalid characters).
 This field allows the filter to reject mutations to specific headers.
      .envoy.config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26;
      Specified by:
      getDecoderHeaderMutationRulesOrBuilder in interface ExtAuthzOrBuilder

    • hasEnableDynamicMetadataIngestion

      public boolean hasEnableDynamicMetadataIngestion()
       Enable or disable ingestion of dynamic metadata from the ext_authz service.

 If ``false``, the filter will ignore dynamic metadata injected by the ext_authz service. If the
 ext_authz service tries injecting dynamic metadata, the filter will log, increment the
 ``ignored_dynamic_metadata`` stat, then continue handling the response.

 If ``true``, the filter will ingest dynamic metadata entries as normal.

 If unset, defaults to ``true``.
      .google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27;
      Specified by:
      hasEnableDynamicMetadataIngestion in interface ExtAuthzOrBuilder
      Returns:
      Whether the enableDynamicMetadataIngestion field is set.

    • getEnableDynamicMetadataIngestion

      public com.google.protobuf.BoolValue getEnableDynamicMetadataIngestion()
       Enable or disable ingestion of dynamic metadata from the ext_authz service.

 If ``false``, the filter will ignore dynamic metadata injected by the ext_authz service. If the
 ext_authz service tries injecting dynamic metadata, the filter will log, increment the
 ``ignored_dynamic_metadata`` stat, then continue handling the response.

 If ``true``, the filter will ingest dynamic metadata entries as normal.

 If unset, defaults to ``true``.
      .google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27;
      Specified by:
      getEnableDynamicMetadataIngestion in interface ExtAuthzOrBuilder
      Returns:
      The enableDynamicMetadataIngestion.

    • setEnableDynamicMetadataIngestion

      public ExtAuthz.Builder setEnableDynamicMetadataIngestion(com.google.protobuf.BoolValue value)
       Enable or disable ingestion of dynamic metadata from the ext_authz service.

 If ``false``, the filter will ignore dynamic metadata injected by the ext_authz service. If the
 ext_authz service tries injecting dynamic metadata, the filter will log, increment the
 ``ignored_dynamic_metadata`` stat, then continue handling the response.

 If ``true``, the filter will ingest dynamic metadata entries as normal.

 If unset, defaults to ``true``.
      .google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27;

    • setEnableDynamicMetadataIngestion

      public ExtAuthz.Builder setEnableDynamicMetadataIngestion(com.google.protobuf.BoolValue.Builder builderForValue)
       Enable or disable ingestion of dynamic metadata from the ext_authz service.

 If ``false``, the filter will ignore dynamic metadata injected by the ext_authz service. If the
 ext_authz service tries injecting dynamic metadata, the filter will log, increment the
 ``ignored_dynamic_metadata`` stat, then continue handling the response.

 If ``true``, the filter will ingest dynamic metadata entries as normal.

 If unset, defaults to ``true``.
      .google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27;

    • mergeEnableDynamicMetadataIngestion

      public ExtAuthz.Builder mergeEnableDynamicMetadataIngestion(com.google.protobuf.BoolValue value)
       Enable or disable ingestion of dynamic metadata from the ext_authz service.

 If ``false``, the filter will ignore dynamic metadata injected by the ext_authz service. If the
 ext_authz service tries injecting dynamic metadata, the filter will log, increment the
 ``ignored_dynamic_metadata`` stat, then continue handling the response.

 If ``true``, the filter will ingest dynamic metadata entries as normal.

 If unset, defaults to ``true``.
      .google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27;

    • clearEnableDynamicMetadataIngestion

      public ExtAuthz.Builder clearEnableDynamicMetadataIngestion()
       Enable or disable ingestion of dynamic metadata from the ext_authz service.

 If ``false``, the filter will ignore dynamic metadata injected by the ext_authz service. If the
 ext_authz service tries injecting dynamic metadata, the filter will log, increment the
 ``ignored_dynamic_metadata`` stat, then continue handling the response.

 If ``true``, the filter will ingest dynamic metadata entries as normal.

 If unset, defaults to ``true``.
      .google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27;

    • getEnableDynamicMetadataIngestionBuilder

      public com.google.protobuf.BoolValue.Builder getEnableDynamicMetadataIngestionBuilder()
       Enable or disable ingestion of dynamic metadata from the ext_authz service.

 If ``false``, the filter will ignore dynamic metadata injected by the ext_authz service. If the
 ext_authz service tries injecting dynamic metadata, the filter will log, increment the
 ``ignored_dynamic_metadata`` stat, then continue handling the response.

 If ``true``, the filter will ingest dynamic metadata entries as normal.

 If unset, defaults to ``true``.
      .google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27;

    • getEnableDynamicMetadataIngestionOrBuilder

      public com.google.protobuf.BoolValueOrBuilder getEnableDynamicMetadataIngestionOrBuilder()
       Enable or disable ingestion of dynamic metadata from the ext_authz service.

 If ``false``, the filter will ignore dynamic metadata injected by the ext_authz service. If the
 ext_authz service tries injecting dynamic metadata, the filter will log, increment the
 ``ignored_dynamic_metadata`` stat, then continue handling the response.

 If ``true``, the filter will ingest dynamic metadata entries as normal.

 If unset, defaults to ``true``.
      .google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27;
      Specified by:
      getEnableDynamicMetadataIngestionOrBuilder in interface ExtAuthzOrBuilder

    • hasFilterMetadata

      public boolean hasFilterMetadata()
       Additional metadata to be added to the filter state for logging purposes. The metadata will be
 added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
 name.
      .google.protobuf.Struct filter_metadata = 28;
      Specified by:
      hasFilterMetadata in interface ExtAuthzOrBuilder
      Returns:
      Whether the filterMetadata field is set.

    • getFilterMetadata

      public com.google.protobuf.Struct getFilterMetadata()
       Additional metadata to be added to the filter state for logging purposes. The metadata will be
 added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
 name.
      .google.protobuf.Struct filter_metadata = 28;
      Specified by:
      getFilterMetadata in interface ExtAuthzOrBuilder
      Returns:
      The filterMetadata.

    • setFilterMetadata

      public ExtAuthz.Builder setFilterMetadata(com.google.protobuf.Struct value)
       Additional metadata to be added to the filter state for logging purposes. The metadata will be
 added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
 name.
      .google.protobuf.Struct filter_metadata = 28;

    • setFilterMetadata

      public ExtAuthz.Builder setFilterMetadata(com.google.protobuf.Struct.Builder builderForValue)
       Additional metadata to be added to the filter state for logging purposes. The metadata will be
 added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
 name.
      .google.protobuf.Struct filter_metadata = 28;

    • mergeFilterMetadata

      public ExtAuthz.Builder mergeFilterMetadata(com.google.protobuf.Struct value)
       Additional metadata to be added to the filter state for logging purposes. The metadata will be
 added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
 name.
      .google.protobuf.Struct filter_metadata = 28;

    • clearFilterMetadata

      public ExtAuthz.Builder clearFilterMetadata()
       Additional metadata to be added to the filter state for logging purposes. The metadata will be
 added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
 name.
      .google.protobuf.Struct filter_metadata = 28;

    • getFilterMetadataBuilder

      public com.google.protobuf.Struct.Builder getFilterMetadataBuilder()
       Additional metadata to be added to the filter state for logging purposes. The metadata will be
 added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
 name.
      .google.protobuf.Struct filter_metadata = 28;

    • getFilterMetadataOrBuilder

      public com.google.protobuf.StructOrBuilder getFilterMetadataOrBuilder()
       Additional metadata to be added to the filter state for logging purposes. The metadata will be
 added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
 name.
      .google.protobuf.Struct filter_metadata = 28;
      Specified by:
      getFilterMetadataOrBuilder in interface ExtAuthzOrBuilder

    • getEmitFilterStateStats

      public boolean getEmitFilterStateStats()
       When set to ``true``, the filter will emit per-stream stats for access logging. The filter state
 key will be the same as the filter name.

 If using Envoy gRPC, emits latency, bytes sent / received, upstream info, and upstream cluster
 info. If not using Envoy gRPC, emits only latency.

 .. note::
   Stats are ONLY added to filter state if a check request is actually made to an ext_authz service.

 If this is ``false`` the filter will not emit stats, but filter_metadata will still be respected if
 it has a value.

 Field ``latency_us`` is exposed for CEL and logging when using gRPC or HTTP service.
 Fields ``bytesSent`` and ``bytesReceived`` are exposed for CEL and logging only when using gRPC service.
      bool emit_filter_state_stats = 29;
      Specified by:
      getEmitFilterStateStats in interface ExtAuthzOrBuilder
      Returns:
      The emitFilterStateStats.

    • setEmitFilterStateStats

      public ExtAuthz.Builder setEmitFilterStateStats(boolean value)
       When set to ``true``, the filter will emit per-stream stats for access logging. The filter state
 key will be the same as the filter name.

 If using Envoy gRPC, emits latency, bytes sent / received, upstream info, and upstream cluster
 info. If not using Envoy gRPC, emits only latency.

 .. note::
   Stats are ONLY added to filter state if a check request is actually made to an ext_authz service.

 If this is ``false`` the filter will not emit stats, but filter_metadata will still be respected if
 it has a value.

 Field ``latency_us`` is exposed for CEL and logging when using gRPC or HTTP service.
 Fields ``bytesSent`` and ``bytesReceived`` are exposed for CEL and logging only when using gRPC service.
      bool emit_filter_state_stats = 29;
      Parameters:
      value - The emitFilterStateStats to set.
      Returns:
      This builder for chaining.

    • clearEmitFilterStateStats

      public ExtAuthz.Builder clearEmitFilterStateStats()
       When set to ``true``, the filter will emit per-stream stats for access logging. The filter state
 key will be the same as the filter name.

 If using Envoy gRPC, emits latency, bytes sent / received, upstream info, and upstream cluster
 info. If not using Envoy gRPC, emits only latency.

 .. note::
   Stats are ONLY added to filter state if a check request is actually made to an ext_authz service.

 If this is ``false`` the filter will not emit stats, but filter_metadata will still be respected if
 it has a value.

 Field ``latency_us`` is exposed for CEL and logging when using gRPC or HTTP service.
 Fields ``bytesSent`` and ``bytesReceived`` are exposed for CEL and logging only when using gRPC service.
      bool emit_filter_state_stats = 29;
      Returns:
      This builder for chaining.

    • getMaxDeniedResponseBodyBytes

      public int getMaxDeniedResponseBodyBytes()
       Sets the maximum size (in bytes) of the response body that the filter will send downstream
 when a request is denied by the external authorization service.

 If the authorization server returns a response body larger than this configured limit,
 the body will be truncated to ``max_denied_response_body_bytes`` before being sent to the
 downstream client.

 If this field is not set or is set to 0, no truncation will occur, and the entire
 denied response body will be forwarded.
      uint32 max_denied_response_body_bytes = 30;
      Specified by:
      getMaxDeniedResponseBodyBytes in interface ExtAuthzOrBuilder
      Returns:
      The maxDeniedResponseBodyBytes.

    • setMaxDeniedResponseBodyBytes

      public ExtAuthz.Builder setMaxDeniedResponseBodyBytes(int value)
       Sets the maximum size (in bytes) of the response body that the filter will send downstream
 when a request is denied by the external authorization service.

 If the authorization server returns a response body larger than this configured limit,
 the body will be truncated to ``max_denied_response_body_bytes`` before being sent to the
 downstream client.

 If this field is not set or is set to 0, no truncation will occur, and the entire
 denied response body will be forwarded.
      uint32 max_denied_response_body_bytes = 30;
      Parameters:
      value - The maxDeniedResponseBodyBytes to set.
      Returns:
      This builder for chaining.

    • clearMaxDeniedResponseBodyBytes

      public ExtAuthz.Builder clearMaxDeniedResponseBodyBytes()
       Sets the maximum size (in bytes) of the response body that the filter will send downstream
 when a request is denied by the external authorization service.

 If the authorization server returns a response body larger than this configured limit,
 the body will be truncated to ``max_denied_response_body_bytes`` before being sent to the
 downstream client.

 If this field is not set or is set to 0, no truncation will occur, and the entire
 denied response body will be forwarded.
      uint32 max_denied_response_body_bytes = 30;
      Returns:
      This builder for chaining.

    • getEnforceResponseHeaderLimits

      public boolean getEnforceResponseHeaderLimits()
       When set to ``true``, the filter will enforce the response header map's count and size limits
 by sending a local reply when those limits are violated.

 When set to ``false``, the filter will ignore the response header map's limits and add / set
 all response headers as specified by the external authorization service.

 Recommendation: enable if the external authorization service is not trusted. Otherwise, leave
 it ``false``.

 Defaults to ``false``.
      bool enforce_response_header_limits = 31;
      Specified by:
      getEnforceResponseHeaderLimits in interface ExtAuthzOrBuilder
      Returns:
      The enforceResponseHeaderLimits.

    • setEnforceResponseHeaderLimits

      public ExtAuthz.Builder setEnforceResponseHeaderLimits(boolean value)
       When set to ``true``, the filter will enforce the response header map's count and size limits
 by sending a local reply when those limits are violated.

 When set to ``false``, the filter will ignore the response header map's limits and add / set
 all response headers as specified by the external authorization service.

 Recommendation: enable if the external authorization service is not trusted. Otherwise, leave
 it ``false``.

 Defaults to ``false``.
      bool enforce_response_header_limits = 31;
      Parameters:
      value - The enforceResponseHeaderLimits to set.
      Returns:
      This builder for chaining.

    • clearEnforceResponseHeaderLimits

      public ExtAuthz.Builder clearEnforceResponseHeaderLimits()
       When set to ``true``, the filter will enforce the response header map's count and size limits
 by sending a local reply when those limits are violated.

 When set to ``false``, the filter will ignore the response header map's limits and add / set
 all response headers as specified by the external authorization service.

 Recommendation: enable if the external authorization service is not trusted. Otherwise, leave
 it ``false``.

 Defaults to ``false``.
      bool enforce_response_header_limits = 31;
      Returns:
      This builder for chaining.

    • setUnknownFields

      public final ExtAuthz.Builder setUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
      Specified by:
      setUnknownFields in interface com.google.protobuf.Message.Builder
      Overrides:
      setUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<ExtAuthz.Builder>

    • mergeUnknownFields

      public final ExtAuthz.Builder mergeUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
      Specified by:
      mergeUnknownFields in interface com.google.protobuf.Message.Builder
      Overrides:
      mergeUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<ExtAuthz.Builder>