io.envoyproxy.envoy.extensions.filters.http.ext_authz.v3

Interface ExtAuthzOrBuilder

All Superinterfaces:

com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder

All Known Implementing Classes:

ExtAuthz, ExtAuthz.Builder

public interface ExtAuthzOrBuilder
extends com.google.protobuf.MessageOrBuilder

Method Summary

Modifier and Type	Method and Description
boolean	getClearRouteCache() Clears route cache in order to allow the external authorization service to correctly affect routing decisions.
RuntimeFeatureFlag	getDenyAtDisable() Specifies whether to deny the requests, when the filter is disabled.
RuntimeFeatureFlagOrBuilder	getDenyAtDisableOrBuilder() Specifies whether to deny the requests, when the filter is disabled.
boolean	getFailureModeAllow() Changes filter's behaviour on errors: 1.
RuntimeFractionalPercent	getFilterEnabled() Specifies if the filter is enabled.
MetadataMatcher	getFilterEnabledMetadata() Specifies if the filter is enabled with metadata matcher.
MetadataMatcherOrBuilder	getFilterEnabledMetadataOrBuilder() Specifies if the filter is enabled with metadata matcher.
RuntimeFractionalPercentOrBuilder	getFilterEnabledOrBuilder() Specifies if the filter is enabled.
GrpcService	getGrpcService() gRPC service configuration (default timeout: 200ms).
GrpcServiceOrBuilder	getGrpcServiceOrBuilder() gRPC service configuration (default timeout: 200ms).
HttpService	getHttpService() HTTP service configuration (default timeout: 200ms).
HttpServiceOrBuilder	getHttpServiceOrBuilder() HTTP service configuration (default timeout: 200ms).
boolean	getIncludePeerCertificate() Specifies if the peer certificate is sent to the external service.
String	getMetadataContextNamespaces(int index) Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service as an opaque *protobuf::Struct*.
com.google.protobuf.ByteString	getMetadataContextNamespacesBytes(int index) Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service as an opaque *protobuf::Struct*.
int	getMetadataContextNamespacesCount() Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service as an opaque *protobuf::Struct*.
List<String>	getMetadataContextNamespacesList() Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service as an opaque *protobuf::Struct*.
ExtAuthz.ServicesCase	getServicesCase()
String	getStatPrefix() Optional additional prefix to use when emitting statistics.
com.google.protobuf.ByteString	getStatPrefixBytes() Optional additional prefix to use when emitting statistics.
HttpStatus	getStatusOnError() Sets the HTTP status that is returned to the client when there is a network error between the filter and the authorization server.
HttpStatusOrBuilder	getStatusOnErrorOrBuilder() Sets the HTTP status that is returned to the client when there is a network error between the filter and the authorization server.
ApiVersion	getTransportApiVersion() API version for ext_authz transport protocol.
int	getTransportApiVersionValue() API version for ext_authz transport protocol.
BufferSettings	getWithRequestBody() Enables filter to buffer the client request body and send it within the authorization request.
BufferSettingsOrBuilder	getWithRequestBodyOrBuilder() Enables filter to buffer the client request body and send it within the authorization request.
boolean	hasDenyAtDisable() Specifies whether to deny the requests, when the filter is disabled.
boolean	hasFilterEnabled() Specifies if the filter is enabled.
boolean	hasFilterEnabledMetadata() Specifies if the filter is enabled with metadata matcher.
boolean	hasGrpcService() gRPC service configuration (default timeout: 200ms).
boolean	hasHttpService() HTTP service configuration (default timeout: 200ms).
boolean	hasStatusOnError() Sets the HTTP status that is returned to the client when there is a network error between the filter and the authorization server.
boolean	hasWithRequestBody() Enables filter to buffer the client request body and send it within the authorization request.

Methods inherited from interface com.google.protobuf.MessageOrBuilder

findInitializationErrors, getAllFields, getDefaultInstanceForType, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof

Methods inherited from interface com.google.protobuf.MessageLiteOrBuilder

isInitialized

Method Detail

hasGrpcService

boolean hasGrpcService()

 gRPC service configuration (default timeout: 200ms).
 

.envoy.config.core.v3.GrpcService grpc_service = 1;

getGrpcService

GrpcService getGrpcService()

 gRPC service configuration (default timeout: 200ms).
 

.envoy.config.core.v3.GrpcService grpc_service = 1;

getGrpcServiceOrBuilder

GrpcServiceOrBuilder getGrpcServiceOrBuilder()

 gRPC service configuration (default timeout: 200ms).
 

.envoy.config.core.v3.GrpcService grpc_service = 1;

hasHttpService

boolean hasHttpService()

 HTTP service configuration (default timeout: 200ms).
 

.envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;

getHttpService

HttpService getHttpService()

 HTTP service configuration (default timeout: 200ms).
 

.envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;

getHttpServiceOrBuilder

HttpServiceOrBuilder getHttpServiceOrBuilder()

 HTTP service configuration (default timeout: 200ms).
 

.envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;

getTransportApiVersionValue

int getTransportApiVersionValue()

 API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
 version of messages used on the wire.
 

.envoy.config.core.v3.ApiVersion transport_api_version = 12 [(.validate.rules) = { ... }

getTransportApiVersion

ApiVersion getTransportApiVersion()

 API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
 version of messages used on the wire.
 

.envoy.config.core.v3.ApiVersion transport_api_version = 12 [(.validate.rules) = { ... }

getFailureModeAllow

boolean getFailureModeAllow()

  Changes filter's behaviour on errors:
  1. When set to true, the filter will *accept* client request even if the communication with
  the authorization service has failed, or if the authorization service has returned a HTTP 5xx
  error.
  2. When set to false, ext-authz will *reject* client requests and return a *Forbidden*
  response if the communication with the authorization service has failed, or if the
  authorization service has returned a HTTP 5xx error.
 Note that errors can be *always* tracked in the :ref:`stats
 <config_http_filters_ext_authz_stats>`.
 

bool failure_mode_allow = 2;

hasWithRequestBody

boolean hasWithRequestBody()

 Enables filter to buffer the client request body and send it within the authorization request.
 A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request message indicating if the body data is partial.
 

.envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;

getWithRequestBody

BufferSettings getWithRequestBody()

 Enables filter to buffer the client request body and send it within the authorization request.
 A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request message indicating if the body data is partial.
 

.envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;

getWithRequestBodyOrBuilder

BufferSettingsOrBuilder getWithRequestBodyOrBuilder()

 Enables filter to buffer the client request body and send it within the authorization request.
 A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request message indicating if the body data is partial.
 

.envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;

getClearRouteCache

boolean getClearRouteCache()

 Clears route cache in order to allow the external authorization service to correctly affect
 routing decisions. Filter clears all cached routes when:
 1. The field is set to *true*.
 2. The status returned from the authorization service is a HTTP 200 or gRPC 0.
 3. At least one *authorization response header* is added to the client request, or is used for
 altering another client request header.
 

bool clear_route_cache = 6;

hasStatusOnError

boolean hasStatusOnError()

 Sets the HTTP status that is returned to the client when there is a network error between the
 filter and the authorization server. The default status is HTTP 403 Forbidden.
 

.envoy.type.v3.HttpStatus status_on_error = 7;

getStatusOnError

HttpStatus getStatusOnError()

 Sets the HTTP status that is returned to the client when there is a network error between the
 filter and the authorization server. The default status is HTTP 403 Forbidden.
 

.envoy.type.v3.HttpStatus status_on_error = 7;

getStatusOnErrorOrBuilder

HttpStatusOrBuilder getStatusOnErrorOrBuilder()

 Sets the HTTP status that is returned to the client when there is a network error between the
 filter and the authorization server. The default status is HTTP 403 Forbidden.
 

.envoy.type.v3.HttpStatus status_on_error = 7;

getMetadataContextNamespacesList

List<String> getMetadataContextNamespacesList()

 Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service as an opaque *protobuf::Struct*.
 For example, if the *jwt_authn* filter is used and :ref:`payload_in_metadata
 <envoy_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.
 .. code-block:: yaml
    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
 

repeated string metadata_context_namespaces = 8;

getMetadataContextNamespacesCount

int getMetadataContextNamespacesCount()

 Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service as an opaque *protobuf::Struct*.
 For example, if the *jwt_authn* filter is used and :ref:`payload_in_metadata
 <envoy_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.
 .. code-block:: yaml
    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
 

repeated string metadata_context_namespaces = 8;

getMetadataContextNamespaces

String getMetadataContextNamespaces(int index)

 Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service as an opaque *protobuf::Struct*.
 For example, if the *jwt_authn* filter is used and :ref:`payload_in_metadata
 <envoy_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.
 .. code-block:: yaml
    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
 

repeated string metadata_context_namespaces = 8;

getMetadataContextNamespacesBytes

com.google.protobuf.ByteString getMetadataContextNamespacesBytes(int index)

 Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service as an opaque *protobuf::Struct*.
 For example, if the *jwt_authn* filter is used and :ref:`payload_in_metadata
 <envoy_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.
 .. code-block:: yaml
    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
 

repeated string metadata_context_namespaces = 8;

hasFilterEnabled

boolean hasFilterEnabled()

 Specifies if the filter is enabled.
 If :ref:`runtime_key <envoy_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.
 If this field is not specified, the filter will be enabled for all requests.
 

.envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;

getFilterEnabled

RuntimeFractionalPercent getFilterEnabled()

 Specifies if the filter is enabled.
 If :ref:`runtime_key <envoy_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.
 If this field is not specified, the filter will be enabled for all requests.
 

.envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;

getFilterEnabledOrBuilder

RuntimeFractionalPercentOrBuilder getFilterEnabledOrBuilder()

 Specifies if the filter is enabled.
 If :ref:`runtime_key <envoy_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.
 If this field is not specified, the filter will be enabled for all requests.
 

.envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;

hasFilterEnabledMetadata

boolean hasFilterEnabledMetadata()

 Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.
 

.envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;

getFilterEnabledMetadata

MetadataMatcher getFilterEnabledMetadata()

 Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.
 

.envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;

getFilterEnabledMetadataOrBuilder

MetadataMatcherOrBuilder getFilterEnabledMetadataOrBuilder()

 Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.
 

.envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;

hasDenyAtDisable

boolean hasDenyAtDisable()

 Specifies whether to deny the requests, when the filter is disabled.
 If :ref:`runtime_key <envoy_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny request for
 filter protected path at filter disabling. If filter is disabled in
 typed_per_filter_config for the path, requests will not be denied.
 If this field is not specified, all requests will be allowed when disabled.
 

.envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;

getDenyAtDisable

RuntimeFeatureFlag getDenyAtDisable()

 Specifies whether to deny the requests, when the filter is disabled.
 If :ref:`runtime_key <envoy_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny request for
 filter protected path at filter disabling. If filter is disabled in
 typed_per_filter_config for the path, requests will not be denied.
 If this field is not specified, all requests will be allowed when disabled.
 

.envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;

getDenyAtDisableOrBuilder

RuntimeFeatureFlagOrBuilder getDenyAtDisableOrBuilder()

 Specifies whether to deny the requests, when the filter is disabled.
 If :ref:`runtime_key <envoy_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny request for
 filter protected path at filter disabling. If filter is disabled in
 typed_per_filter_config for the path, requests will not be denied.
 If this field is not specified, all requests will be allowed when disabled.
 

.envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;

getIncludePeerCertificate

boolean getIncludePeerCertificate()

 Specifies if the peer certificate is sent to the external service.
 When this field is true, Envoy will include the peer X.509 certificate, if available, in the
 :ref:`certificate<envoy_api_field_service.auth.v3.AttributeContext.Peer.certificate>`.
 

bool include_peer_certificate = 10;

getStatPrefix

String getStatPrefix()

 Optional additional prefix to use when emitting statistics. This allows to distinguish
 emitted statistics between configured *ext_authz* filters in an HTTP filter chain. For example:
 .. code-block:: yaml
   http_filters:
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc.
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc.
 

string stat_prefix = 13;

getStatPrefixBytes

com.google.protobuf.ByteString getStatPrefixBytes()

 Optional additional prefix to use when emitting statistics. This allows to distinguish
 emitted statistics between configured *ext_authz* filters in an HTTP filter chain. For example:
 .. code-block:: yaml
   http_filters:
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc.
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc.
 

string stat_prefix = 13;

getServicesCase

ExtAuthz.ServicesCase getServicesCase()