Package io.envoyproxy.envoy.config.rbac.v2

Class RBAC

  • All Implemented Interfaces:
    com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, RBACOrBuilder, Serializable
    public final class RBAC
extends com.google.protobuf.GeneratedMessageV3
implements RBACOrBuilder
     Role Based Access Control (RBAC) provides service-level and method-level access control for a
 service. RBAC policies are additive. The policies are examined in order. A request is allowed
 once a matching policy is found (suppose the `action` is ALLOW).
 Here is an example of RBAC configuration. It has two policies:
 * Service account "cluster.local/ns/default/sa/admin" has full access to the service, and so
   does "cluster.local/ns/default/sa/superuser".
 * Any user can read ("GET") the service at paths with prefix "/products", so long as the
   destination port is either 80 or 443.
  .. code-block:: yaml
   action: ALLOW
   policies:
     "service-admin":
       permissions:
         - any: true
       principals:
         - authenticated:
             principal_name:
               exact: "cluster.local/ns/default/sa/admin"
         - authenticated:
             principal_name:
               exact: "cluster.local/ns/default/sa/superuser"
     "product-viewer":
       permissions:
           - and_rules:
               rules:
                 - header: { name: ":method", exact_match: "GET" }
                 - url_path:
                     path: { prefix: "/products" }
                 - or_rules:
                     rules:
                       - destination_port: 80
                       - destination_port: 443
       principals:
         - any: true
    Protobuf type envoy.config.rbac.v2.RBAC
    See Also:
    Serialized Form

    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class Description
      static class  RBAC.Action
      Should we do safe-list or block-list style access control?
      static class  RBAC.Builder
      Role Based Access Control (RBAC) provides service-level and method-level access control for a service.

      • Nested classes/interfaces inherited from class com.google.protobuf.GeneratedMessageV3

        com.google.protobuf.GeneratedMessageV3.BuilderParent, com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage,​BuilderType extends com.google.protobuf.GeneratedMessageV3.ExtendableBuilder<MessageType,​BuilderType>>, com.google.protobuf.GeneratedMessageV3.ExtendableMessage<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage>, com.google.protobuf.GeneratedMessageV3.ExtendableMessageOrBuilder<MessageType extends com.google.protobuf.GeneratedMessageV3.ExtendableMessage>, com.google.protobuf.GeneratedMessageV3.FieldAccessorTable, com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter

      • Nested classes/interfaces inherited from class com.google.protobuf.AbstractMessageLite

        com.google.protobuf.AbstractMessageLite.InternalOneOfEnum

    • Field Summary

      Fields 
      Modifier and Type Field Description
      static int ACTION_FIELD_NUMBER  
      static int POLICIES_FIELD_NUMBER  

      • Fields inherited from class com.google.protobuf.GeneratedMessageV3

        alwaysUseFieldBuilders, unknownFields

      • Fields inherited from class com.google.protobuf.AbstractMessage

        memoizedSize

      • Fields inherited from class com.google.protobuf.AbstractMessageLite

        memoizedHashCode

    • Method Detail

      • newInstance

        protected Object newInstance​(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)
        Overrides:
        newInstance in class com.google.protobuf.GeneratedMessageV3

      • getUnknownFields

        public final com.google.protobuf.UnknownFieldSet getUnknownFields()
        Specified by:
        getUnknownFields in interface com.google.protobuf.MessageOrBuilder
        Overrides:
        getUnknownFields in class com.google.protobuf.GeneratedMessageV3

      • getDescriptor

        public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

      • internalGetMapField

        protected com.google.protobuf.MapField internalGetMapField​(int number)
        Overrides:
        internalGetMapField in class com.google.protobuf.GeneratedMessageV3

      • internalGetFieldAccessorTable

        protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
        Specified by:
        internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3

      • getActionValue

        public int getActionValue()
         The action to take if a policy matches. The request is allowed if and only if:
   * `action` is "ALLOWED" and at least one policy matches
   * `action` is "DENY" and none of the policies match
        .envoy.config.rbac.v2.RBAC.Action action = 1;
        Specified by:
        getActionValue in interface RBACOrBuilder
        Returns:
        The enum numeric value on the wire for action.

      • getAction

        public RBAC.Action getAction()
         The action to take if a policy matches. The request is allowed if and only if:
   * `action` is "ALLOWED" and at least one policy matches
   * `action` is "DENY" and none of the policies match
        .envoy.config.rbac.v2.RBAC.Action action = 1;
        Specified by:
        getAction in interface RBACOrBuilder
        Returns:
        The action.

      • getPoliciesCount

        public int getPoliciesCount()
        Description copied from interface: RBACOrBuilder
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
        map<string, .envoy.config.rbac.v2.Policy> policies = 2;
        Specified by:
        getPoliciesCount in interface RBACOrBuilder

      • containsPolicies

        public boolean containsPolicies​(String key)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
        map<string, .envoy.config.rbac.v2.Policy> policies = 2;
        Specified by:
        containsPolicies in interface RBACOrBuilder

      • getPoliciesMap

        public Map<String,​Policy> getPoliciesMap()
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
        map<string, .envoy.config.rbac.v2.Policy> policies = 2;
        Specified by:
        getPoliciesMap in interface RBACOrBuilder

      • getPoliciesOrDefault

        public Policy getPoliciesOrDefault​(String key,
                                   Policy defaultValue)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
        map<string, .envoy.config.rbac.v2.Policy> policies = 2;
        Specified by:
        getPoliciesOrDefault in interface RBACOrBuilder

      • getPoliciesOrThrow

        public Policy getPoliciesOrThrow​(String key)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
        map<string, .envoy.config.rbac.v2.Policy> policies = 2;
        Specified by:
        getPoliciesOrThrow in interface RBACOrBuilder

      • isInitialized

        public final boolean isInitialized()
        Specified by:
        isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
        Overrides:
        isInitialized in class com.google.protobuf.GeneratedMessageV3

      • writeTo

        public void writeTo​(com.google.protobuf.CodedOutputStream output)
             throws IOException
        Specified by:
        writeTo in interface com.google.protobuf.MessageLite
        Overrides:
        writeTo in class com.google.protobuf.GeneratedMessageV3
        Throws:
        IOException

      • getSerializedSize

        public int getSerializedSize()
        Specified by:
        getSerializedSize in interface com.google.protobuf.MessageLite
        Overrides:
        getSerializedSize in class com.google.protobuf.GeneratedMessageV3

      • equals

        public boolean equals​(Object obj)
        Specified by:
        equals in interface com.google.protobuf.Message
        Overrides:
        equals in class com.google.protobuf.AbstractMessage

      • hashCode

        public int hashCode()
        Specified by:
        hashCode in interface com.google.protobuf.Message
        Overrides:
        hashCode in class com.google.protobuf.AbstractMessage

      • parseFrom

        public static RBAC parseFrom​(ByteBuffer data)
                      throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static RBAC parseFrom​(ByteBuffer data,
                             com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                      throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static RBAC parseFrom​(com.google.protobuf.ByteString data)
                      throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static RBAC parseFrom​(com.google.protobuf.ByteString data,
                             com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                      throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static RBAC parseFrom​(byte[] data)
                      throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static RBAC parseFrom​(byte[] data,
                             com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                      throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static RBAC parseFrom​(com.google.protobuf.CodedInputStream input,
                             com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                      throws IOException
        Throws:
        IOException

      • newBuilderForType

        public RBAC.Builder newBuilderForType()
        Specified by:
        newBuilderForType in interface com.google.protobuf.Message
        Specified by:
        newBuilderForType in interface com.google.protobuf.MessageLite

      • toBuilder

        public RBAC.Builder toBuilder()
        Specified by:
        toBuilder in interface com.google.protobuf.Message
        Specified by:
        toBuilder in interface com.google.protobuf.MessageLite

      • newBuilderForType

        protected RBAC.Builder newBuilderForType​(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)
        Specified by:
        newBuilderForType in class com.google.protobuf.GeneratedMessageV3

      • getDefaultInstance

        public static RBAC getDefaultInstance()

      • parser

        public static com.google.protobuf.Parser<RBAC> parser()

      • getParserForType

        public com.google.protobuf.Parser<RBAC> getParserForType()
        Specified by:
        getParserForType in interface com.google.protobuf.Message
        Specified by:
        getParserForType in interface com.google.protobuf.MessageLite
        Overrides:
        getParserForType in class com.google.protobuf.GeneratedMessageV3

      • getDefaultInstanceForType

        public RBAC getDefaultInstanceForType()
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder