Package io.envoyproxy.envoy.extensions.filters.http.ext_authz.v3

Interface ExtAuthzOrBuilder

All Superinterfaces:
com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder
All Known Implementing Classes:
ExtAuthz, ExtAuthz.Builder
public interface ExtAuthzOrBuilder extends com.google.protobuf.MessageOrBuilder

  • Method Summary

    Modifier and Type
    Method
    Description
    ListStringMatcher
    getAllowedHeaders()
    Check request to authorization server will include the client request headers that have a correspondent match in the list.
    ListStringMatcherOrBuilder
    getAllowedHeadersOrBuilder()
    Check request to authorization server will include the client request headers that have a correspondent match in the list.
    String
    getBootstrapMetadataLabelsKey()
    Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
    com.google.protobuf.ByteString
    getBootstrapMetadataLabelsKeyBytes()
    Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
    com.google.protobuf.BoolValue
    getChargeClusterResponseStats()
    Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
    com.google.protobuf.BoolValueOrBuilder
    getChargeClusterResponseStatsOrBuilder()
    Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
    boolean
    getClearRouteCache()
    Clears the route cache in order to allow the external authorization service to correctly affect routing decisions.
    HeaderMutationRules
    getDecoderHeaderMutationRules()
    Rules for what modifications an ext_authz server may make to the request headers before continuing decoding or forwarding upstream.
    HeaderMutationRulesOrBuilder
    getDecoderHeaderMutationRulesOrBuilder()
    Rules for what modifications an ext_authz server may make to the request headers before continuing decoding or forwarding upstream.
    RuntimeFeatureFlag
    getDenyAtDisable()
    Specifies whether to deny the requests when the filter is disabled.
    RuntimeFeatureFlagOrBuilder
    getDenyAtDisableOrBuilder()
    Specifies whether to deny the requests when the filter is disabled.
    ListStringMatcher
    getDisallowedHeaders()
    If set, specifically disallow any header in this list to be forwarded to the external authentication server.
    ListStringMatcherOrBuilder
    getDisallowedHeadersOrBuilder()
    If set, specifically disallow any header in this list to be forwarded to the external authentication server.
    boolean
    getEmitFilterStateStats()
    When set to ``true``, the filter will emit per-stream stats for access logging.
    com.google.protobuf.BoolValue
    getEnableDynamicMetadataIngestion()
    Enable or disable ingestion of dynamic metadata from the ext_authz service.
    com.google.protobuf.BoolValueOrBuilder
    getEnableDynamicMetadataIngestionOrBuilder()
    Enable or disable ingestion of dynamic metadata from the ext_authz service.
    boolean
    getEncodeRawHeaders()
    Whether to encode the raw headers (i.e., unsanitized values and unconcatenated multi-line headers) in the authorization request.
    boolean
    getEnforceResponseHeaderLimits()
    When set to ``true``, the filter will enforce the response header map's count and size limits by sending a local reply when those limits are violated.
    boolean
    getFailureModeAllow()
    Changes the filter's behavior on errors: * When set to ``true``, the filter will ``accept`` the client request even if communication with the authorization service has failed, or if the authorization service has returned an HTTP 5xx error
    boolean
    getFailureModeAllowHeaderAdd()
    When ``failure_mode_allow`` and ``failure_mode_allow_header_add`` are both set to ``true``, ``x-envoy-auth-failure-mode-allowed: true`` will be added to request headers if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error.
    RuntimeFractionalPercent
    getFilterEnabled()
    Specifies if the filter is enabled.
    MetadataMatcher
    getFilterEnabledMetadata()
    Specifies if the filter is enabled with metadata matcher.
    MetadataMatcherOrBuilder
    getFilterEnabledMetadataOrBuilder()
    Specifies if the filter is enabled with metadata matcher.
    RuntimeFractionalPercentOrBuilder
    getFilterEnabledOrBuilder()
    Specifies if the filter is enabled.
    com.google.protobuf.Struct
    getFilterMetadata()
    Additional metadata to be added to the filter state for logging purposes.
    com.google.protobuf.StructOrBuilder
    getFilterMetadataOrBuilder()
    Additional metadata to be added to the filter state for logging purposes.
    GrpcService
    getGrpcService()
    gRPC service configuration (default timeout: 200ms).
    GrpcServiceOrBuilder
    getGrpcServiceOrBuilder()
    gRPC service configuration (default timeout: 200ms).
    HttpService
    getHttpService()
    HTTP service configuration (default timeout: 200ms).
    HttpServiceOrBuilder
    getHttpServiceOrBuilder()
    HTTP service configuration (default timeout: 200ms).
    boolean
    getIncludePeerCertificate()
    Specifies if the peer certificate is sent to the external service.
    boolean
    getIncludeTlsSession()
    Specifies if the TLS session level details like SNI are sent to the external service.
    int
    getMaxDeniedResponseBodyBytes()
    Sets the maximum size (in bytes) of the response body that the filter will send downstream when a request is denied by the external authorization service.
    String
    getMetadataContextNamespaces(int index)
    Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service.
    com.google.protobuf.ByteString
    getMetadataContextNamespacesBytes(int index)
    Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service.
    int
    getMetadataContextNamespacesCount()
    Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service.
    List<String>
    getMetadataContextNamespacesList()
    Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service.
    String
    getRouteMetadataContextNamespaces(int index)
    Specifies a list of route metadata namespaces whose values, if present, will be passed to the ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
    com.google.protobuf.ByteString
    getRouteMetadataContextNamespacesBytes(int index)
    Specifies a list of route metadata namespaces whose values, if present, will be passed to the ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
    int
    getRouteMetadataContextNamespacesCount()
    Specifies a list of route metadata namespaces whose values, if present, will be passed to the ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
    List<String>
    getRouteMetadataContextNamespacesList()
    Specifies a list of route metadata namespaces whose values, if present, will be passed to the ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
    String
    getRouteTypedMetadataContextNamespaces(int index)
    Specifies a list of route metadata namespaces whose values, if present, will be passed to the ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
    com.google.protobuf.ByteString
    getRouteTypedMetadataContextNamespacesBytes(int index)
    Specifies a list of route metadata namespaces whose values, if present, will be passed to the ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
    int
    getRouteTypedMetadataContextNamespacesCount()
    Specifies a list of route metadata namespaces whose values, if present, will be passed to the ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
    List<String>
    getRouteTypedMetadataContextNamespacesList()
    Specifies a list of route metadata namespaces whose values, if present, will be passed to the ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
    ExtAuthz.ServicesCase
    getServicesCase()
     
    String
    getStatPrefix()
    Optional additional prefix to use when emitting statistics.
    com.google.protobuf.ByteString
    getStatPrefixBytes()
    Optional additional prefix to use when emitting statistics.
    HttpStatus
    getStatusOnError()
    Sets the HTTP status that is returned to the client when the authorization server returns an error or cannot be reached.
    HttpStatusOrBuilder
    getStatusOnErrorOrBuilder()
    Sets the HTTP status that is returned to the client when the authorization server returns an error or cannot be reached.
    ApiVersion
    getTransportApiVersion()
    API version for ext_authz transport protocol.
    int
    getTransportApiVersionValue()
    API version for ext_authz transport protocol.
    String
    getTypedMetadataContextNamespaces(int index)
    Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service.
    com.google.protobuf.ByteString
    getTypedMetadataContextNamespacesBytes(int index)
    Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service.
    int
    getTypedMetadataContextNamespacesCount()
    Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service.
    List<String>
    getTypedMetadataContextNamespacesList()
    Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service.
    boolean
    getValidateMutations()
    When set to ``true``, the filter will check the :ref:`ext_authz response <envoy_v3_api_msg_service.auth.v3.CheckResponse>` for invalid header and query parameter mutations.
    BufferSettings
    getWithRequestBody()
    Enables the filter to buffer the client request body and send it within the authorization request.
    BufferSettingsOrBuilder
    getWithRequestBodyOrBuilder()
    Enables the filter to buffer the client request body and send it within the authorization request.
    boolean
    hasAllowedHeaders()
    Check request to authorization server will include the client request headers that have a correspondent match in the list.
    boolean
    hasChargeClusterResponseStats()
    Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
    boolean
    hasDecoderHeaderMutationRules()
    Rules for what modifications an ext_authz server may make to the request headers before continuing decoding or forwarding upstream.
    boolean
    hasDenyAtDisable()
    Specifies whether to deny the requests when the filter is disabled.
    boolean
    hasDisallowedHeaders()
    If set, specifically disallow any header in this list to be forwarded to the external authentication server.
    boolean
    hasEnableDynamicMetadataIngestion()
    Enable or disable ingestion of dynamic metadata from the ext_authz service.
    boolean
    hasFilterEnabled()
    Specifies if the filter is enabled.
    boolean
    hasFilterEnabledMetadata()
    Specifies if the filter is enabled with metadata matcher.
    boolean
    hasFilterMetadata()
    Additional metadata to be added to the filter state for logging purposes.
    boolean
    hasGrpcService()
    gRPC service configuration (default timeout: 200ms).
    boolean
    hasHttpService()
    HTTP service configuration (default timeout: 200ms).
    boolean
    hasStatusOnError()
    Sets the HTTP status that is returned to the client when the authorization server returns an error or cannot be reached.
    boolean
    hasWithRequestBody()
    Enables the filter to buffer the client request body and send it within the authorization request.

    Methods inherited from interface com.google.protobuf.MessageLiteOrBuilder

    isInitialized

    Methods inherited from interface com.google.protobuf.MessageOrBuilder

    findInitializationErrors, getAllFields, getDefaultInstanceForType, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof

  • Method Details

    • hasGrpcService

      boolean hasGrpcService()
       gRPC service configuration (default timeout: 200ms).
      .envoy.config.core.v3.GrpcService grpc_service = 1;
      Returns:
      Whether the grpcService field is set.

    • getGrpcService

      GrpcService getGrpcService()
       gRPC service configuration (default timeout: 200ms).
      .envoy.config.core.v3.GrpcService grpc_service = 1;
      Returns:
      The grpcService.

    • getGrpcServiceOrBuilder

      GrpcServiceOrBuilder getGrpcServiceOrBuilder()
       gRPC service configuration (default timeout: 200ms).
      .envoy.config.core.v3.GrpcService grpc_service = 1;

    • hasHttpService

      boolean hasHttpService()
       HTTP service configuration (default timeout: 200ms).
      .envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;
      Returns:
      Whether the httpService field is set.

    • getHttpService

      HttpService getHttpService()
       HTTP service configuration (default timeout: 200ms).
      .envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;
      Returns:
      The httpService.

    • getHttpServiceOrBuilder

      HttpServiceOrBuilder getHttpServiceOrBuilder()
       HTTP service configuration (default timeout: 200ms).
      .envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;

    • getTransportApiVersionValue

      int getTransportApiVersionValue()
       API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
 version of messages used on the wire.
      .envoy.config.core.v3.ApiVersion transport_api_version = 12 [(.validate.rules) = { ... }
      Returns:
      The enum numeric value on the wire for transportApiVersion.

    • getTransportApiVersion

      ApiVersion getTransportApiVersion()
       API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
 version of messages used on the wire.
      .envoy.config.core.v3.ApiVersion transport_api_version = 12 [(.validate.rules) = { ... }
      Returns:
      The transportApiVersion.

    • getFailureModeAllow

      boolean getFailureModeAllow()
       Changes the filter's behavior on errors:

 * When set to ``true``, the filter will ``accept`` the client request even if communication with
   the authorization service has failed, or if the authorization service has returned an HTTP 5xx
   error.

 * When set to ``false``, the filter will ``reject`` client requests and return ``Forbidden``
   if communication with the authorization service has failed, or if the authorization service
   has returned an HTTP 5xx error.

 Errors can always be tracked in the :ref:`stats <config_http_filters_ext_authz_stats>`.

 Defaults to ``false``.
      bool failure_mode_allow = 2;
      Returns:
      The failureModeAllow.

    • getFailureModeAllowHeaderAdd

      boolean getFailureModeAllowHeaderAdd()
       When ``failure_mode_allow`` and ``failure_mode_allow_header_add`` are both set to ``true``,
 ``x-envoy-auth-failure-mode-allowed: true`` will be added to request headers if the communication
 with the authorization service has failed, or if the authorization service has returned a
 HTTP 5xx error.
      bool failure_mode_allow_header_add = 19;
      Returns:
      The failureModeAllowHeaderAdd.

    • hasWithRequestBody

      boolean hasWithRequestBody()
       Enables the filter to buffer the client request body and send it within the authorization request.
 The ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request indicating whether the body data is partial.
      .envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;
      Returns:
      Whether the withRequestBody field is set.

    • getWithRequestBody

      BufferSettings getWithRequestBody()
       Enables the filter to buffer the client request body and send it within the authorization request.
 The ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request indicating whether the body data is partial.
      .envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;
      Returns:
      The withRequestBody.

    • getWithRequestBodyOrBuilder

      BufferSettingsOrBuilder getWithRequestBodyOrBuilder()
       Enables the filter to buffer the client request body and send it within the authorization request.
 The ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request indicating whether the body data is partial.
      .envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;

    • getClearRouteCache

      boolean getClearRouteCache()
       Clears the route cache in order to allow the external authorization service to correctly affect
 routing decisions. The filter clears all cached routes when all of the following holds:

 * This field is set to ``true``.
 * The status returned from the authorization service is an HTTP 200 or gRPC 0.
 * At least one ``authorization response header`` is added to the client request, or is used to
   alter another client request header.

 Defaults to ``false``.
      bool clear_route_cache = 6;
      Returns:
      The clearRouteCache.

    • hasStatusOnError

      boolean hasStatusOnError()
       Sets the HTTP status that is returned to the client when the authorization server returns an error
 or cannot be reached.

 The default status is ``HTTP 403 Forbidden``.
      .envoy.type.v3.HttpStatus status_on_error = 7;
      Returns:
      Whether the statusOnError field is set.

    • getStatusOnError

      HttpStatus getStatusOnError()
       Sets the HTTP status that is returned to the client when the authorization server returns an error
 or cannot be reached.

 The default status is ``HTTP 403 Forbidden``.
      .envoy.type.v3.HttpStatus status_on_error = 7;
      Returns:
      The statusOnError.

    • getStatusOnErrorOrBuilder

      HttpStatusOrBuilder getStatusOnErrorOrBuilder()
       Sets the HTTP status that is returned to the client when the authorization server returns an error
 or cannot be reached.

 The default status is ``HTTP 403 Forbidden``.
      .envoy.type.v3.HttpStatus status_on_error = 7;

    • getValidateMutations

      boolean getValidateMutations()
       When set to ``true``, the filter will check the :ref:`ext_authz response
 <envoy_v3_api_msg_service.auth.v3.CheckResponse>` for invalid header and
 query parameter mutations. If the response is invalid, the filter will send a local reply
 to the downstream request with status ``HTTP 500 Internal Server Error``.

 .. note::
   Both ``headers_to_remove`` and ``query_parameters_to_remove`` are validated, but invalid elements in
   those fields should not affect any headers and thus will not cause the filter to send a local reply.

 When set to ``false``, any invalid mutations will be visible to the rest of Envoy and may cause
 unexpected behavior.

 If you are using ext_authz with an untrusted ext_authz server, you should set this to ``true``.

 Defaults to ``false``.
      bool validate_mutations = 24;
      Returns:
      The validateMutations.

    • getMetadataContextNamespacesList

      List<String> getMetadataContextNamespacesList()
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
 is passed as an opaque ``protobuf::Struct``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Returns:
      A list containing the metadataContextNamespaces.

    • getMetadataContextNamespacesCount

      int getMetadataContextNamespacesCount()
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
 is passed as an opaque ``protobuf::Struct``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Returns:
      The count of metadataContextNamespaces.

    • getMetadataContextNamespaces

      String getMetadataContextNamespaces(int index)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
 is passed as an opaque ``protobuf::Struct``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Parameters:
      index - The index of the element to return.
      Returns:
      The metadataContextNamespaces at the given index.

    • getMetadataContextNamespacesBytes

      com.google.protobuf.ByteString getMetadataContextNamespacesBytes(int index)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
 is passed as an opaque ``protobuf::Struct``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.

 .. code-block:: yaml

    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
      repeated string metadata_context_namespaces = 8;
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the metadataContextNamespaces at the given index.

    • getTypedMetadataContextNamespacesList

      List<String> getTypedMetadataContextNamespacesList()
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
 is passed as a ``protobuf::Any``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share
 the protobuf message definition in order to perform safe parsing.
      repeated string typed_metadata_context_namespaces = 16;
      Returns:
      A list containing the typedMetadataContextNamespaces.

    • getTypedMetadataContextNamespacesCount

      int getTypedMetadataContextNamespacesCount()
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
 is passed as a ``protobuf::Any``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share
 the protobuf message definition in order to perform safe parsing.
      repeated string typed_metadata_context_namespaces = 16;
      Returns:
      The count of typedMetadataContextNamespaces.

    • getTypedMetadataContextNamespaces

      String getTypedMetadataContextNamespaces(int index)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
 is passed as a ``protobuf::Any``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share
 the protobuf message definition in order to perform safe parsing.
      repeated string typed_metadata_context_namespaces = 16;
      Parameters:
      index - The index of the element to return.
      Returns:
      The typedMetadataContextNamespaces at the given index.

    • getTypedMetadataContextNamespacesBytes

      com.google.protobuf.ByteString getTypedMetadataContextNamespacesBytes(int index)
       Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
 is passed as a ``protobuf::Any``.

 .. note::
   This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.

 This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share
 the protobuf message definition in order to perform safe parsing.
      repeated string typed_metadata_context_namespaces = 16;
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the typedMetadataContextNamespaces at the given index.

    • getRouteMetadataContextNamespacesList

      List<String> getRouteMetadataContextNamespacesList()
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
      repeated string route_metadata_context_namespaces = 21;
      Returns:
      A list containing the routeMetadataContextNamespaces.

    • getRouteMetadataContextNamespacesCount

      int getRouteMetadataContextNamespacesCount()
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
      repeated string route_metadata_context_namespaces = 21;
      Returns:
      The count of routeMetadataContextNamespaces.

    • getRouteMetadataContextNamespaces

      String getRouteMetadataContextNamespaces(int index)
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
      repeated string route_metadata_context_namespaces = 21;
      Parameters:
      index - The index of the element to return.
      Returns:
      The routeMetadataContextNamespaces at the given index.

    • getRouteMetadataContextNamespacesBytes

      com.google.protobuf.ByteString getRouteMetadataContextNamespacesBytes(int index)
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
      repeated string route_metadata_context_namespaces = 21;
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the routeMetadataContextNamespaces at the given index.

    • getRouteTypedMetadataContextNamespacesList

      List<String> getRouteTypedMetadataContextNamespacesList()
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
      repeated string route_typed_metadata_context_namespaces = 22;
      Returns:
      A list containing the routeTypedMetadataContextNamespaces.

    • getRouteTypedMetadataContextNamespacesCount

      int getRouteTypedMetadataContextNamespacesCount()
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
      repeated string route_typed_metadata_context_namespaces = 22;
      Returns:
      The count of routeTypedMetadataContextNamespaces.

    • getRouteTypedMetadataContextNamespaces

      String getRouteTypedMetadataContextNamespaces(int index)
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
      repeated string route_typed_metadata_context_namespaces = 22;
      Parameters:
      index - The index of the element to return.
      Returns:
      The routeTypedMetadataContextNamespaces at the given index.

    • getRouteTypedMetadataContextNamespacesBytes

      com.google.protobuf.ByteString getRouteTypedMetadataContextNamespacesBytes(int index)
       Specifies a list of route metadata namespaces whose values, if present, will be passed to the
 ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
 :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
 :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
      repeated string route_typed_metadata_context_namespaces = 22;
      Parameters:
      index - The index of the value to return.
      Returns:
      The bytes of the routeTypedMetadataContextNamespaces at the given index.

    • hasFilterEnabled

      boolean hasFilterEnabled()
       Specifies if the filter is enabled.

 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.

 If this field is not specified, the filter will be enabled for all requests.
      .envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;
      Returns:
      Whether the filterEnabled field is set.

    • getFilterEnabled

      RuntimeFractionalPercent getFilterEnabled()
       Specifies if the filter is enabled.

 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.

 If this field is not specified, the filter will be enabled for all requests.
      .envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;
      Returns:
      The filterEnabled.

    • getFilterEnabledOrBuilder

      RuntimeFractionalPercentOrBuilder getFilterEnabledOrBuilder()
       Specifies if the filter is enabled.

 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.

 If this field is not specified, the filter will be enabled for all requests.
      .envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;

    • hasFilterEnabledMetadata

      boolean hasFilterEnabledMetadata()
       Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.

 .. note::

   This field is only evaluated if the filter is instantiated. If the filter is marked with
   ``disabled: true`` in the :ref:`HttpFilter
   <envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.HttpFilter>`
   configuration or in per-route configuration via :ref:`ExtAuthzPerRoute
   <envoy_v3_api_msg_extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute>`,
   the filter will not be instantiated and this field will have no effect.

 .. tip::

   For dynamic filter activation based on metadata (such as metadata set by a preceding
   filter), consider using :ref:`ExtensionWithMatcher
   <envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>` instead. This
   provides a more flexible matching framework that can evaluate conditions before filter
   instantiation. See the :ref:`ext_authz filter documentation
   <config_http_filters_ext_authz>` for examples.
      .envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;
      Returns:
      Whether the filterEnabledMetadata field is set.

    • getFilterEnabledMetadata

      MetadataMatcher getFilterEnabledMetadata()
       Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.

 .. note::

   This field is only evaluated if the filter is instantiated. If the filter is marked with
   ``disabled: true`` in the :ref:`HttpFilter
   <envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.HttpFilter>`
   configuration or in per-route configuration via :ref:`ExtAuthzPerRoute
   <envoy_v3_api_msg_extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute>`,
   the filter will not be instantiated and this field will have no effect.

 .. tip::

   For dynamic filter activation based on metadata (such as metadata set by a preceding
   filter), consider using :ref:`ExtensionWithMatcher
   <envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>` instead. This
   provides a more flexible matching framework that can evaluate conditions before filter
   instantiation. See the :ref:`ext_authz filter documentation
   <config_http_filters_ext_authz>` for examples.
      .envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;
      Returns:
      The filterEnabledMetadata.

    • getFilterEnabledMetadataOrBuilder

      MetadataMatcherOrBuilder getFilterEnabledMetadataOrBuilder()
       Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.

 .. note::

   This field is only evaluated if the filter is instantiated. If the filter is marked with
   ``disabled: true`` in the :ref:`HttpFilter
   <envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.HttpFilter>`
   configuration or in per-route configuration via :ref:`ExtAuthzPerRoute
   <envoy_v3_api_msg_extensions.filters.http.ext_authz.v3.ExtAuthzPerRoute>`,
   the filter will not be instantiated and this field will have no effect.

 .. tip::

   For dynamic filter activation based on metadata (such as metadata set by a preceding
   filter), consider using :ref:`ExtensionWithMatcher
   <envoy_v3_api_msg_extensions.common.matching.v3.ExtensionWithMatcher>` instead. This
   provides a more flexible matching framework that can evaluate conditions before filter
   instantiation. See the :ref:`ext_authz filter documentation
   <config_http_filters_ext_authz>` for examples.
      .envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;

    • hasDenyAtDisable

      boolean hasDenyAtDisable()
       Specifies whether to deny the requests when the filter is disabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths
 when the filter is disabled. If the filter is disabled in ``typed_per_filter_config`` for the path,
 requests will not be denied.

 If this field is not specified, all requests will be allowed when disabled.

 If a request is denied due to this setting, the response code in :ref:`status_on_error
 <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
 be returned.
      .envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;
      Returns:
      Whether the denyAtDisable field is set.

    • getDenyAtDisable

      RuntimeFeatureFlag getDenyAtDisable()
       Specifies whether to deny the requests when the filter is disabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths
 when the filter is disabled. If the filter is disabled in ``typed_per_filter_config`` for the path,
 requests will not be denied.

 If this field is not specified, all requests will be allowed when disabled.

 If a request is denied due to this setting, the response code in :ref:`status_on_error
 <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
 be returned.
      .envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;
      Returns:
      The denyAtDisable.

    • getDenyAtDisableOrBuilder

      RuntimeFeatureFlagOrBuilder getDenyAtDisableOrBuilder()
       Specifies whether to deny the requests when the filter is disabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths
 when the filter is disabled. If the filter is disabled in ``typed_per_filter_config`` for the path,
 requests will not be denied.

 If this field is not specified, all requests will be allowed when disabled.

 If a request is denied due to this setting, the response code in :ref:`status_on_error
 <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
 be returned.
      .envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;

    • getIncludePeerCertificate

      boolean getIncludePeerCertificate()
       Specifies if the peer certificate is sent to the external service.

 When this field is ``true``, Envoy will include the peer X.509 certificate, if available, in the
 :ref:`certificate<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.certificate>`.
      bool include_peer_certificate = 10;
      Returns:
      The includePeerCertificate.

    • getStatPrefix

      String getStatPrefix()
       Optional additional prefix to use when emitting statistics. This allows distinguishing
 emitted statistics between configured ``ext_authz`` filters in an HTTP filter chain. For example:

 .. code-block:: yaml

   http_filters:
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc.
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc.
      string stat_prefix = 13;
      Returns:
      The statPrefix.

    • getStatPrefixBytes

      com.google.protobuf.ByteString getStatPrefixBytes()
       Optional additional prefix to use when emitting statistics. This allows distinguishing
 emitted statistics between configured ``ext_authz`` filters in an HTTP filter chain. For example:

 .. code-block:: yaml

   http_filters:
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc.
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc.
      string stat_prefix = 13;
      Returns:
      The bytes for statPrefix.

    • getBootstrapMetadataLabelsKey

      String getBootstrapMetadataLabelsKey()
       Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in
 :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
 The labels will be read from :ref:`metadata<envoy_v3_api_msg_config.core.v3.Node>` with the specified key.
      string bootstrap_metadata_labels_key = 15;
      Returns:
      The bootstrapMetadataLabelsKey.

    • getBootstrapMetadataLabelsKeyBytes

      com.google.protobuf.ByteString getBootstrapMetadataLabelsKeyBytes()
       Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in
 :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
 The labels will be read from :ref:`metadata<envoy_v3_api_msg_config.core.v3.Node>` with the specified key.
      string bootstrap_metadata_labels_key = 15;
      Returns:
      The bytes for bootstrapMetadataLabelsKey.

    • hasAllowedHeaders

      boolean hasAllowedHeaders()
       Check request to authorization server will include the client request headers that have a correspondent match
 in the list. If this option isn't specified, then
 all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers
 (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server.
 This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior.

 .. note::

  For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``,
  ``Content-Length``, and ``Authorization`` are **additionally included** in the list.

 .. note::

  For requests to an HTTP authorization server: the value of ``Content-Length`` will be set to ``0`` and the request to the
  authorization server will not have a message body. However, the check request can include the buffered
  client request body (controlled by :ref:`with_request_body
  <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting);
  consequently, the value of ``Content-Length`` in the authorization request reflects the size of its payload.

 .. note::

  This can be overridden by the field ``disallowed_headers`` below. That is, if a header
  matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent.
      .envoy.type.matcher.v3.ListStringMatcher allowed_headers = 17;
      Returns:
      Whether the allowedHeaders field is set.

    • getAllowedHeaders

      ListStringMatcher getAllowedHeaders()
       Check request to authorization server will include the client request headers that have a correspondent match
 in the list. If this option isn't specified, then
 all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers
 (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server.
 This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior.

 .. note::

  For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``,
  ``Content-Length``, and ``Authorization`` are **additionally included** in the list.

 .. note::

  For requests to an HTTP authorization server: the value of ``Content-Length`` will be set to ``0`` and the request to the
  authorization server will not have a message body. However, the check request can include the buffered
  client request body (controlled by :ref:`with_request_body
  <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting);
  consequently, the value of ``Content-Length`` in the authorization request reflects the size of its payload.

 .. note::

  This can be overridden by the field ``disallowed_headers`` below. That is, if a header
  matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent.
      .envoy.type.matcher.v3.ListStringMatcher allowed_headers = 17;
      Returns:
      The allowedHeaders.

    • getAllowedHeadersOrBuilder

      ListStringMatcherOrBuilder getAllowedHeadersOrBuilder()
       Check request to authorization server will include the client request headers that have a correspondent match
 in the list. If this option isn't specified, then
 all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers
 (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server.
 This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior.

 .. note::

  For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``,
  ``Content-Length``, and ``Authorization`` are **additionally included** in the list.

 .. note::

  For requests to an HTTP authorization server: the value of ``Content-Length`` will be set to ``0`` and the request to the
  authorization server will not have a message body. However, the check request can include the buffered
  client request body (controlled by :ref:`with_request_body
  <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting);
  consequently, the value of ``Content-Length`` in the authorization request reflects the size of its payload.

 .. note::

  This can be overridden by the field ``disallowed_headers`` below. That is, if a header
  matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent.
      .envoy.type.matcher.v3.ListStringMatcher allowed_headers = 17;

    • hasDisallowedHeaders

      boolean hasDisallowedHeaders()
       If set, specifically disallow any header in this list to be forwarded to the external
 authentication server. This overrides the above ``allowed_headers`` if a header matches both.
      .envoy.type.matcher.v3.ListStringMatcher disallowed_headers = 25;
      Returns:
      Whether the disallowedHeaders field is set.

    • getDisallowedHeaders

      ListStringMatcher getDisallowedHeaders()
       If set, specifically disallow any header in this list to be forwarded to the external
 authentication server. This overrides the above ``allowed_headers`` if a header matches both.
      .envoy.type.matcher.v3.ListStringMatcher disallowed_headers = 25;
      Returns:
      The disallowedHeaders.

    • getDisallowedHeadersOrBuilder

      ListStringMatcherOrBuilder getDisallowedHeadersOrBuilder()
       If set, specifically disallow any header in this list to be forwarded to the external
 authentication server. This overrides the above ``allowed_headers`` if a header matches both.
      .envoy.type.matcher.v3.ListStringMatcher disallowed_headers = 25;

    • getIncludeTlsSession

      boolean getIncludeTlsSession()
       Specifies if the TLS session level details like SNI are sent to the external service.

 When this field is ``true``, Envoy will include the SNI name used for TLSClientHello, if available, in the
 :ref:`tls_session<envoy_v3_api_field_service.auth.v3.AttributeContext.tls_session>`.
      bool include_tls_session = 18;
      Returns:
      The includeTlsSession.

    • hasChargeClusterResponseStats

      boolean hasChargeClusterResponseStats()
       Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
 Defaults to ``true``.
      .google.protobuf.BoolValue charge_cluster_response_stats = 20;
      Returns:
      Whether the chargeClusterResponseStats field is set.

    • getChargeClusterResponseStats

      com.google.protobuf.BoolValue getChargeClusterResponseStats()
       Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
 Defaults to ``true``.
      .google.protobuf.BoolValue charge_cluster_response_stats = 20;
      Returns:
      The chargeClusterResponseStats.

    • getChargeClusterResponseStatsOrBuilder

      com.google.protobuf.BoolValueOrBuilder getChargeClusterResponseStatsOrBuilder()
       Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
 Defaults to ``true``.
      .google.protobuf.BoolValue charge_cluster_response_stats = 20;

    • getEncodeRawHeaders

      boolean getEncodeRawHeaders()
       Whether to encode the raw headers (i.e., unsanitized values and unconcatenated multi-line headers)
 in the authorization request. Works with both HTTP and gRPC clients.

 When this is set to ``true``, header values are not sanitized. Headers with the same key will also
 not be combined into a single, comma-separated header.
 Requests to gRPC services will populate the field
 :ref:`header_map<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.header_map>`.
 Requests to HTTP services will be constructed with the unsanitized header values and preserved
 multi-line headers with the same key.

 If this field is set to ``false``, header values will be sanitized, with any non-UTF-8-compliant
 bytes replaced with ``'!'``. Headers with the same key will have their values concatenated into a
 single comma-separated header value.
 Requests to gRPC services will populate the field
 :ref:`headers<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.headers>`.
 Requests to HTTP services will have their header values sanitized and will not preserve
 multi-line headers with the same key.

 It is recommended to set this to ``true`` unless you rely on the previous behavior.

 It is set to ``false`` by default for backwards compatibility.
      bool encode_raw_headers = 23;
      Returns:
      The encodeRawHeaders.

    • hasDecoderHeaderMutationRules

      boolean hasDecoderHeaderMutationRules()
       Rules for what modifications an ext_authz server may make to the request headers before
 continuing decoding or forwarding upstream.

 If set, enables header mutation checking against the configured rules. Note that
 :ref:`HeaderMutationRules <envoy_v3_api_msg_config.common.mutation_rules.v3.HeaderMutationRules>`
 has defaults that change ext_authz behavior. Also note that if this field is set,
 ext_authz can no longer append to ``:``-prefixed headers.

 If unset, header mutation rule checking is completely disabled.

 Regardless of what is configured here, ext_authz cannot remove ``:``-prefixed headers.

 This field and ``validate_mutations`` have different use cases. ``validate_mutations`` enables
 correctness checks for all header and query parameter mutations (for example, invalid characters).
 This field allows the filter to reject mutations to specific headers.
      .envoy.config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26;
      Returns:
      Whether the decoderHeaderMutationRules field is set.

    • getDecoderHeaderMutationRules

      HeaderMutationRules getDecoderHeaderMutationRules()
       Rules for what modifications an ext_authz server may make to the request headers before
 continuing decoding or forwarding upstream.

 If set, enables header mutation checking against the configured rules. Note that
 :ref:`HeaderMutationRules <envoy_v3_api_msg_config.common.mutation_rules.v3.HeaderMutationRules>`
 has defaults that change ext_authz behavior. Also note that if this field is set,
 ext_authz can no longer append to ``:``-prefixed headers.

 If unset, header mutation rule checking is completely disabled.

 Regardless of what is configured here, ext_authz cannot remove ``:``-prefixed headers.

 This field and ``validate_mutations`` have different use cases. ``validate_mutations`` enables
 correctness checks for all header and query parameter mutations (for example, invalid characters).
 This field allows the filter to reject mutations to specific headers.
      .envoy.config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26;
      Returns:
      The decoderHeaderMutationRules.

    • getDecoderHeaderMutationRulesOrBuilder

      HeaderMutationRulesOrBuilder getDecoderHeaderMutationRulesOrBuilder()
       Rules for what modifications an ext_authz server may make to the request headers before
 continuing decoding or forwarding upstream.

 If set, enables header mutation checking against the configured rules. Note that
 :ref:`HeaderMutationRules <envoy_v3_api_msg_config.common.mutation_rules.v3.HeaderMutationRules>`
 has defaults that change ext_authz behavior. Also note that if this field is set,
 ext_authz can no longer append to ``:``-prefixed headers.

 If unset, header mutation rule checking is completely disabled.

 Regardless of what is configured here, ext_authz cannot remove ``:``-prefixed headers.

 This field and ``validate_mutations`` have different use cases. ``validate_mutations`` enables
 correctness checks for all header and query parameter mutations (for example, invalid characters).
 This field allows the filter to reject mutations to specific headers.
      .envoy.config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26;

    • hasEnableDynamicMetadataIngestion

      boolean hasEnableDynamicMetadataIngestion()
       Enable or disable ingestion of dynamic metadata from the ext_authz service.

 If ``false``, the filter will ignore dynamic metadata injected by the ext_authz service. If the
 ext_authz service tries injecting dynamic metadata, the filter will log, increment the
 ``ignored_dynamic_metadata`` stat, then continue handling the response.

 If ``true``, the filter will ingest dynamic metadata entries as normal.

 If unset, defaults to ``true``.
      .google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27;
      Returns:
      Whether the enableDynamicMetadataIngestion field is set.

    • getEnableDynamicMetadataIngestion

      com.google.protobuf.BoolValue getEnableDynamicMetadataIngestion()
       Enable or disable ingestion of dynamic metadata from the ext_authz service.

 If ``false``, the filter will ignore dynamic metadata injected by the ext_authz service. If the
 ext_authz service tries injecting dynamic metadata, the filter will log, increment the
 ``ignored_dynamic_metadata`` stat, then continue handling the response.

 If ``true``, the filter will ingest dynamic metadata entries as normal.

 If unset, defaults to ``true``.
      .google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27;
      Returns:
      The enableDynamicMetadataIngestion.

    • getEnableDynamicMetadataIngestionOrBuilder

      com.google.protobuf.BoolValueOrBuilder getEnableDynamicMetadataIngestionOrBuilder()
       Enable or disable ingestion of dynamic metadata from the ext_authz service.

 If ``false``, the filter will ignore dynamic metadata injected by the ext_authz service. If the
 ext_authz service tries injecting dynamic metadata, the filter will log, increment the
 ``ignored_dynamic_metadata`` stat, then continue handling the response.

 If ``true``, the filter will ingest dynamic metadata entries as normal.

 If unset, defaults to ``true``.
      .google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27;

    • hasFilterMetadata

      boolean hasFilterMetadata()
       Additional metadata to be added to the filter state for logging purposes. The metadata will be
 added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
 name.
      .google.protobuf.Struct filter_metadata = 28;
      Returns:
      Whether the filterMetadata field is set.

    • getFilterMetadata

      com.google.protobuf.Struct getFilterMetadata()
       Additional metadata to be added to the filter state for logging purposes. The metadata will be
 added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
 name.
      .google.protobuf.Struct filter_metadata = 28;
      Returns:
      The filterMetadata.

    • getFilterMetadataOrBuilder

      com.google.protobuf.StructOrBuilder getFilterMetadataOrBuilder()
       Additional metadata to be added to the filter state for logging purposes. The metadata will be
 added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter
 name.
      .google.protobuf.Struct filter_metadata = 28;

    • getEmitFilterStateStats

      boolean getEmitFilterStateStats()
       When set to ``true``, the filter will emit per-stream stats for access logging. The filter state
 key will be the same as the filter name.

 If using Envoy gRPC, emits latency, bytes sent / received, upstream info, and upstream cluster
 info. If not using Envoy gRPC, emits only latency.

 .. note::
   Stats are ONLY added to filter state if a check request is actually made to an ext_authz service.

 If this is ``false`` the filter will not emit stats, but filter_metadata will still be respected if
 it has a value.

 Field ``latency_us`` is exposed for CEL and logging when using gRPC or HTTP service.
 Fields ``bytesSent`` and ``bytesReceived`` are exposed for CEL and logging only when using gRPC service.
      bool emit_filter_state_stats = 29;
      Returns:
      The emitFilterStateStats.

    • getMaxDeniedResponseBodyBytes

      int getMaxDeniedResponseBodyBytes()
       Sets the maximum size (in bytes) of the response body that the filter will send downstream
 when a request is denied by the external authorization service.

 If the authorization server returns a response body larger than this configured limit,
 the body will be truncated to ``max_denied_response_body_bytes`` before being sent to the
 downstream client.

 If this field is not set or is set to 0, no truncation will occur, and the entire
 denied response body will be forwarded.
      uint32 max_denied_response_body_bytes = 30;
      Returns:
      The maxDeniedResponseBodyBytes.

    • getEnforceResponseHeaderLimits

      boolean getEnforceResponseHeaderLimits()
       When set to ``true``, the filter will enforce the response header map's count and size limits
 by sending a local reply when those limits are violated.

 When set to ``false``, the filter will ignore the response header map's limits and add / set
 all response headers as specified by the external authorization service.

 Recommendation: enable if the external authorization service is not trusted. Otherwise, leave
 it ``false``.

 Defaults to ``false``.
      bool enforce_response_header_limits = 31;
      Returns:
      The enforceResponseHeaderLimits.

    • getServicesCase

      ExtAuthz.ServicesCase getServicesCase()