Class RBAC.Builder

  • All Implemented Interfaces:
    com.google.protobuf.Message.Builder, com.google.protobuf.MessageLite.Builder, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, RBACOrBuilder, Cloneable
    Enclosing class:
    RBAC

    public static final class RBAC.Builder
    extends com.google.protobuf.GeneratedMessageV3.Builder<RBAC.Builder>
    implements RBACOrBuilder
     Role Based Access Control (RBAC) provides service-level and method-level access control for a
     service. Requests are allowed or denied based on the ``action`` and whether a matching policy is
     found. For instance, if the action is ALLOW and a matching policy is found, the request should be
     allowed.
     RBAC can also be used to make access logging decisions by communicating with access loggers
     through dynamic metadata. When the action is LOG and at least one policy matches, the
     ``access_log_hint`` value in the shared key namespace ``envoy.common`` is set to ``true``, indicating
     that the request should be logged.
     Here is an example of RBAC configuration. It has two policies:
     * Service account ``cluster.local/ns/default/sa/admin`` has full access to the service, and so
       does ``cluster.local/ns/default/sa/superuser``.
     * Any user can read (``GET``) the service at paths with prefix ``/products``, so long as the
       destination port is either 80 or 443.
      .. code-block:: yaml
       action: ALLOW
       policies:
         "service-admin":
           permissions:
             - any: true
           principals:
             - authenticated:
                 principal_name:
                   exact: "cluster.local/ns/default/sa/admin"
             - authenticated:
                 principal_name:
                   exact: "cluster.local/ns/default/sa/superuser"
         "product-viewer":
           permissions:
               - and_rules:
                   rules:
                     - header:
                         name: ":method"
                         string_match:
                           exact: "GET"
                     - url_path:
                         path: { prefix: "/products" }
                     - or_rules:
                         rules:
                           - destination_port: 80
                           - destination_port: 443
           principals:
             - any: true
     
    Protobuf type envoy.config.rbac.v3.RBAC
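
The following is an added example, not part of the generated Javadoc or of the Envoy project's code. It builds the "service-admin" policy from the YAML above with this builder and guards against the fail-open case that follows from the DENY semantics documented under setAction: a DENY configuration with no policies allows every request. The import packages, the sibling builders (Policy, Permission, Principal, StringMatcher), the class name RbacBuilderExample and the helpers serviceAccount, serviceAdmin, allowsUnmatched and buildChecked are assumptions of this example.

```java
import io.envoyproxy.envoy.config.rbac.v3.Permission;
import io.envoyproxy.envoy.config.rbac.v3.Policy;
import io.envoyproxy.envoy.config.rbac.v3.Principal;
import io.envoyproxy.envoy.config.rbac.v3.RBAC;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;

// Added example; package names above are assumed, helper names are hypothetical.
public final class RbacBuilderExample {

  // Principal that matches one exact authenticated identity.
  static Principal serviceAccount(String name) {
    return Principal.newBuilder()
        .setAuthenticated(Principal.Authenticated.newBuilder()
            .setPrincipalName(StringMatcher.newBuilder().setExact(name)))
        .build();
  }

  // "service-admin" from the YAML: any permission, two named principals.
  static Policy serviceAdmin() {
    return Policy.newBuilder()
        .addPermissions(Permission.newBuilder().setAny(true))
        .addPrincipals(serviceAccount("cluster.local/ns/default/sa/admin"))
        .addPrincipals(serviceAccount("cluster.local/ns/default/sa/superuser"))
        .build();
  }

  // Verdict for a request that matches no policy. With an empty policy map
  // this is the verdict for every request.
  static boolean allowsUnmatched(RBAC rbac) {
    RBAC.Action a = rbac.getAction();
    return a == RBAC.Action.DENY || a == RBAC.Action.LOG;
  }

  // Refuse to build DENY with no policies: such a filter blocks nothing.
  static RBAC buildChecked(RBAC.Builder b) {
    if (b.getAction() == RBAC.Action.DENY && b.getPoliciesCount() == 0) {
      throw new IllegalStateException("DENY with no policies allows every request");
    }
    return b.build();
  }

  public static void main(String[] args) {
    RBAC rbac = buildChecked(RBAC.newBuilder()
        .setAction(RBAC.Action.ALLOW)
        .putPolicies("service-admin", serviceAdmin()));
    System.out.println(rbac.getPoliciesMap().keySet()
        + " unmatched allowed: " + allowsUnmatched(rbac));
  }
}
```

Under ALLOW the opposite holds: a request that matches no policy is denied, so an ALLOW configuration with an empty policy map denies everything.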
    • Method Detail

      • getDescriptor

        public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()
      • internalGetMapField

        protected com.google.protobuf.MapField internalGetMapField(int number)
        Overrides:
        internalGetMapField in class com.google.protobuf.GeneratedMessageV3.Builder<RBAC.Builder>
      • internalGetMutableMapField

        protected com.google.protobuf.MapField internalGetMutableMapField(int number)
        Overrides:
        internalGetMutableMapField in class com.google.protobuf.GeneratedMessageV3.Builder<RBAC.Builder>
      • internalGetFieldAccessorTable

        protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
        Specified by:
        internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3.Builder<RBAC.Builder>
      • clear

        public RBAC.Builder clear()
        Specified by:
        clear in interface com.google.protobuf.Message.Builder
        Specified by:
        clear in interface com.google.protobuf.MessageLite.Builder
        Overrides:
        clear in class com.google.protobuf.GeneratedMessageV3.Builder<RBAC.Builder>
      • getDescriptorForType

        public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
        Specified by:
        getDescriptorForType in interface com.google.protobuf.Message.Builder
        Specified by:
        getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
        Overrides:
        getDescriptorForType in class com.google.protobuf.GeneratedMessageV3.Builder<RBAC.Builder>
      • getDefaultInstanceForType

        public RBAC getDefaultInstanceForType()
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder
      • build

        public RBAC build()
        Specified by:
        build in interface com.google.protobuf.Message.Builder
        Specified by:
        build in interface com.google.protobuf.MessageLite.Builder
      • buildPartial

        public RBAC buildPartial()
        Specified by:
        buildPartial in interface com.google.protobuf.Message.Builder
        Specified by:
        buildPartial in interface com.google.protobuf.MessageLite.Builder
      • clone

        public RBAC.Builder clone()
        Specified by:
        clone in interface com.google.protobuf.Message.Builder
        Specified by:
        clone in interface com.google.protobuf.MessageLite.Builder
        Overrides:
        clone in class com.google.protobuf.GeneratedMessageV3.Builder<RBAC.Builder>
      • setField

        public RBAC.Builder setField(com.google.protobuf.Descriptors.FieldDescriptor field,
                                     Object value)
        Specified by:
        setField in interface com.google.protobuf.Message.Builder
        Overrides:
        setField in class com.google.protobuf.GeneratedMessageV3.Builder<RBAC.Builder>
      • clearField

        public RBAC.Builder clearField(com.google.protobuf.Descriptors.FieldDescriptor field)
        Specified by:
        clearField in interface com.google.protobuf.Message.Builder
        Overrides:
        clearField in class com.google.protobuf.GeneratedMessageV3.Builder<RBAC.Builder>
      • clearOneof

        public RBAC.Builder clearOneof(com.google.protobuf.Descriptors.OneofDescriptor oneof)
        Specified by:
        clearOneof in interface com.google.protobuf.Message.Builder
        Overrides:
        clearOneof in class com.google.protobuf.GeneratedMessageV3.Builder<RBAC.Builder>
      • setRepeatedField

        public RBAC.Builder setRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field,
                                             int index,
                                             Object value)
        Specified by:
        setRepeatedField in interface com.google.protobuf.Message.Builder
        Overrides:
        setRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<RBAC.Builder>
      • addRepeatedField

        public RBAC.Builder addRepeatedField(com.google.protobuf.Descriptors.FieldDescriptor field,
                                             Object value)
        Specified by:
        addRepeatedField in interface com.google.protobuf.Message.Builder
        Overrides:
        addRepeatedField in class com.google.protobuf.GeneratedMessageV3.Builder<RBAC.Builder>
      • mergeFrom

        public RBAC.Builder mergeFrom(com.google.protobuf.Message other)
        Specified by:
        mergeFrom in interface com.google.protobuf.Message.Builder
        Overrides:
        mergeFrom in class com.google.protobuf.AbstractMessage.Builder<RBAC.Builder>
      • isInitialized

        public final boolean isInitialized()
        Specified by:
        isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
        Overrides:
        isInitialized in class com.google.protobuf.GeneratedMessageV3.Builder<RBAC.Builder>
      • mergeFrom

        public RBAC.Builder mergeFrom(com.google.protobuf.CodedInputStream input,
                                      com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                               throws IOException
        Specified by:
        mergeFrom in interface com.google.protobuf.Message.Builder
        Specified by:
        mergeFrom in interface com.google.protobuf.MessageLite.Builder
        Overrides:
        mergeFrom in class com.google.protobuf.AbstractMessage.Builder<RBAC.Builder>
        Throws:
        IOException
      • getActionValue

        public int getActionValue()
         The action to take if a policy matches. Every action either allows or denies a request,
         and can also carry out action-specific operations.
         Actions:
          * ``ALLOW``: Allows the request if and only if there is a policy that matches
            the request.
          * ``DENY``: Allows the request if and only if there are no policies that
            match the request.
          * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
            metadata key ``access_log_hint`` is set to the value ``true`` under the shared
            key namespace ``envoy.common``. If no policies match, it is set to ``false``.
            Other actions do not modify this key.
         
        .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
        Specified by:
        getActionValue in interface RBACOrBuilder
        Returns:
        The enum numeric value on the wire for action.
      • setActionValue

        public RBAC.Builder setActionValue(int value)
         The action to take if a policy matches. Every action either allows or denies a request,
         and can also carry out action-specific operations.
         Actions:
          * ``ALLOW``: Allows the request if and only if there is a policy that matches
            the request.
          * ``DENY``: Allows the request if and only if there are no policies that
            match the request.
          * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
            metadata key ``access_log_hint`` is set to the value ``true`` under the shared
            key namespace ``envoy.common``. If no policies match, it is set to ``false``.
            Other actions do not modify this key.
         
        .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
        Parameters:
        value - The enum numeric value on the wire for action to set.
        Returns:
        This builder for chaining.
      • getAction

        public RBAC.Action getAction()
         The action to take if a policy matches. Every action either allows or denies a request,
         and can also carry out action-specific operations.
         Actions:
          * ``ALLOW``: Allows the request if and only if there is a policy that matches
            the request.
          * ``DENY``: Allows the request if and only if there are no policies that
            match the request.
          * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
            metadata key ``access_log_hint`` is set to the value ``true`` under the shared
            key namespace ``envoy.common``. If no policies match, it is set to ``false``.
            Other actions do not modify this key.
         
        .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
        Specified by:
        getAction in interface RBACOrBuilder
        Returns:
        The action.
      • setAction

        public RBAC.Builder setAction(RBAC.Action value)
         The action to take if a policy matches. Every action either allows or denies a request,
         and can also carry out action-specific operations.
         Actions:
          * ``ALLOW``: Allows the request if and only if there is a policy that matches
            the request.
          * ``DENY``: Allows the request if and only if there are no policies that
            match the request.
          * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
            metadata key ``access_log_hint`` is set to the value ``true`` under the shared
            key namespace ``envoy.common``. If no policies match, it is set to ``false``.
            Other actions do not modify this key.
         
        .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
        Parameters:
        value - The action to set.
        Returns:
        This builder for chaining.
      • clearAction

        public RBAC.Builder clearAction()
         The action to take if a policy matches. Every action either allows or denies a request,
         and can also carry out action-specific operations.
         Actions:
          * ``ALLOW``: Allows the request if and only if there is a policy that matches
            the request.
          * ``DENY``: Allows the request if and only if there are no policies that
            match the request.
          * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
            metadata key ``access_log_hint`` is set to the value ``true`` under the shared
            key namespace ``envoy.common``. If no policies match, it is set to ``false``.
            Other actions do not modify this key.
         
        .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
        Returns:
        This builder for chaining.
      • getPoliciesCount

        public int getPoliciesCount()
        Description copied from interface: RBACOrBuilder
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        getPoliciesCount in interface RBACOrBuilder
      • containsPolicies

        public boolean containsPolicies(String key)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        containsPolicies in interface RBACOrBuilder
      • getPoliciesMap

        public Map<String,Policy> getPoliciesMap()
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        getPoliciesMap in interface RBACOrBuilder
      • getPoliciesOrDefault

        public Policy getPoliciesOrDefault(String key,
                                           Policy defaultValue)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        getPoliciesOrDefault in interface RBACOrBuilder
      • getPoliciesOrThrow

        public Policy getPoliciesOrThrow(String key)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        getPoliciesOrThrow in interface RBACOrBuilder
      • removePolicies

        public RBAC.Builder removePolicies(String key)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      • getMutablePolicies

        @Deprecated
        public Map<String,Policy> getMutablePolicies()
        Deprecated.
        Use alternate mutation accessors instead.
      • putPolicies

        public RBAC.Builder putPolicies(String key,
                                        Policy value)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      • putAllPolicies

        public RBAC.Builder putAllPolicies(Map<String,Policy> values)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      • setUnknownFields

        public final RBAC.Builder setUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
        Specified by:
        setUnknownFields in interface com.google.protobuf.Message.Builder
        Overrides:
        setUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<RBAC.Builder>
      • mergeUnknownFields

        public final RBAC.Builder mergeUnknownFields(com.google.protobuf.UnknownFieldSet unknownFields)
        Specified by:
        mergeUnknownFields in interface com.google.protobuf.Message.Builder
        Overrides:
        mergeUnknownFields in class com.google.protobuf.GeneratedMessageV3.Builder<RBAC.Builder>