Interface ExtAuthzOrBuilder

  • All Superinterfaces:
    com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder
    All Known Implementing Classes:
    ExtAuthz, ExtAuthz.Builder

    public interface ExtAuthzOrBuilder
    extends com.google.protobuf.MessageOrBuilder
    • Method Detail

      • hasGrpcService

        boolean hasGrpcService()
         gRPC service configuration (default timeout: 200ms).
         
        .envoy.config.core.v3.GrpcService grpc_service = 1;
        Returns:
        Whether the grpcService field is set.
      • getGrpcService

        GrpcService getGrpcService()
         gRPC service configuration (default timeout: 200ms).
         
        .envoy.config.core.v3.GrpcService grpc_service = 1;
        Returns:
        The grpcService.
      • getGrpcServiceOrBuilder

        GrpcServiceOrBuilder getGrpcServiceOrBuilder()
         gRPC service configuration (default timeout: 200ms).
         
        .envoy.config.core.v3.GrpcService grpc_service = 1;
      • hasHttpService

        boolean hasHttpService()
         HTTP service configuration (default timeout: 200ms).
         
        .envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;
        Returns:
        Whether the httpService field is set.
      • getHttpService

        HttpService getHttpService()
         HTTP service configuration (default timeout: 200ms).
         
        .envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;
        Returns:
        The httpService.
      • getHttpServiceOrBuilder

        HttpServiceOrBuilder getHttpServiceOrBuilder()
         HTTP service configuration (default timeout: 200ms).
         
        .envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;
      • getTransportApiVersionValue

        int getTransportApiVersionValue()
         API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
         version of messages used on the wire.
         
        .envoy.config.core.v3.ApiVersion transport_api_version = 12 [(.validate.rules) = { ... }
        Returns:
        The enum numeric value on the wire for transportApiVersion.
      • getTransportApiVersion

        ApiVersion getTransportApiVersion()
         API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
         version of messages used on the wire.
         
        .envoy.config.core.v3.ApiVersion transport_api_version = 12 [(.validate.rules) = { ... }
        Returns:
        The transportApiVersion.
      • getFailureModeAllow

        boolean getFailureModeAllow()
          Changes filter's behaviour on errors:
          1. When set to true, the filter will ``accept`` client requests even if the communication with
          the authorization service has failed, or if the authorization service has returned an HTTP 5xx
          error.
          2. When set to false, ext-authz will ``reject`` client requests and return a ``Forbidden``
          response if the communication with the authorization service has failed, or if the
          authorization service has returned an HTTP 5xx error.
         Note that errors can be ``always`` tracked in the :ref:`stats
         <config_http_filters_ext_authz_stats>`.
         
        bool failure_mode_allow = 2;
        Returns:
        The failureModeAllow.
      • hasWithRequestBody

        boolean hasWithRequestBody()
         Enables filter to buffer the client request body and send it within the authorization request.
         A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
         request message indicating if the body data is partial.
         
        .envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;
        Returns:
        Whether the withRequestBody field is set.
      • getWithRequestBody

        BufferSettings getWithRequestBody()
         Enables filter to buffer the client request body and send it within the authorization request.
         A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
         request message indicating if the body data is partial.
         
        .envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;
        Returns:
        The withRequestBody.
      • getWithRequestBodyOrBuilder

        BufferSettingsOrBuilder getWithRequestBodyOrBuilder()
         Enables filter to buffer the client request body and send it within the authorization request.
         A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
         request message indicating if the body data is partial.
         
        .envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;
      • getClearRouteCache

        boolean getClearRouteCache()
         Clears route cache in order to allow the external authorization service to correctly affect
         routing decisions. Filter clears all cached routes when:
         1. The field is set to ``true``.
         2. The status returned from the authorization service is an HTTP 200 or gRPC 0.
         3. At least one ``authorization response header`` is added to the client request, or is used for
         altering another client request header.
         
        bool clear_route_cache = 6;
        Returns:
        The clearRouteCache.
      • hasStatusOnError

        boolean hasStatusOnError()
         Sets the HTTP status that is returned to the client when there is a network error between the
         filter and the authorization server. The default status is HTTP 403 Forbidden.
         
        .envoy.type.v3.HttpStatus status_on_error = 7;
        Returns:
        Whether the statusOnError field is set.
      • getStatusOnError

        HttpStatus getStatusOnError()
         Sets the HTTP status that is returned to the client when there is a network error between the
         filter and the authorization server. The default status is HTTP 403 Forbidden.
         
        .envoy.type.v3.HttpStatus status_on_error = 7;
        Returns:
        The statusOnError.
      • getStatusOnErrorOrBuilder

        HttpStatusOrBuilder getStatusOnErrorOrBuilder()
         Sets the HTTP status that is returned to the client when there is a network error between the
         filter and the authorization server. The default status is HTTP 403 Forbidden.
         
        .envoy.type.v3.HttpStatus status_on_error = 7;
      • getMetadataContextNamespacesList

        List<String> getMetadataContextNamespacesList()
         Specifies a list of metadata namespaces whose values, if present, will be passed to the
         ext_authz service. :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
         For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
         <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
         then the following will pass the jwt payload to the authorization server.
         .. code-block:: yaml
            metadata_context_namespaces:
            - envoy.filters.http.jwt_authn
         
        repeated string metadata_context_namespaces = 8;
        Returns:
        A list containing the metadataContextNamespaces.
      • getMetadataContextNamespacesCount

        int getMetadataContextNamespacesCount()
         Specifies a list of metadata namespaces whose values, if present, will be passed to the
         ext_authz service. :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
         For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
         <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
         then the following will pass the jwt payload to the authorization server.
         .. code-block:: yaml
            metadata_context_namespaces:
            - envoy.filters.http.jwt_authn
         
        repeated string metadata_context_namespaces = 8;
        Returns:
        The count of metadataContextNamespaces.
      • getMetadataContextNamespaces

        String getMetadataContextNamespaces(int index)
         Specifies a list of metadata namespaces whose values, if present, will be passed to the
         ext_authz service. :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
         For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
         <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
         then the following will pass the jwt payload to the authorization server.
         .. code-block:: yaml
            metadata_context_namespaces:
            - envoy.filters.http.jwt_authn
         
        repeated string metadata_context_namespaces = 8;
        Parameters:
        index - The index of the element to return.
        Returns:
        The metadataContextNamespaces at the given index.
      • getMetadataContextNamespacesBytes

        com.google.protobuf.ByteString getMetadataContextNamespacesBytes(int index)
         Specifies a list of metadata namespaces whose values, if present, will be passed to the
         ext_authz service. :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
         For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
         <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
         then the following will pass the jwt payload to the authorization server.
         .. code-block:: yaml
            metadata_context_namespaces:
            - envoy.filters.http.jwt_authn
         
        repeated string metadata_context_namespaces = 8;
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the metadataContextNamespaces at the given index.
      • getTypedMetadataContextNamespacesList

        List<String> getTypedMetadataContextNamespacesList()
         Specifies a list of metadata namespaces whose values, if present, will be passed to the
         ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
         It works in a way similar to ``metadata_context_namespaces`` but allows Envoy and the external authz server to share the protobuf message definition
         so that the metadata can be parsed safely.
         
        repeated string typed_metadata_context_namespaces = 16;
        Returns:
        A list containing the typedMetadataContextNamespaces.
      • getTypedMetadataContextNamespacesCount

        int getTypedMetadataContextNamespacesCount()
         Specifies a list of metadata namespaces whose values, if present, will be passed to the
         ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
         It works in a way similar to ``metadata_context_namespaces`` but allows Envoy and the external authz server to share the protobuf message definition
         so that the metadata can be parsed safely.
         
        repeated string typed_metadata_context_namespaces = 16;
        Returns:
        The count of typedMetadataContextNamespaces.
      • getTypedMetadataContextNamespaces

        String getTypedMetadataContextNamespaces(int index)
         Specifies a list of metadata namespaces whose values, if present, will be passed to the
         ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
         It works in a way similar to ``metadata_context_namespaces`` but allows Envoy and the external authz server to share the protobuf message definition
         so that the metadata can be parsed safely.
         
        repeated string typed_metadata_context_namespaces = 16;
        Parameters:
        index - The index of the element to return.
        Returns:
        The typedMetadataContextNamespaces at the given index.
      • getTypedMetadataContextNamespacesBytes

        com.google.protobuf.ByteString getTypedMetadataContextNamespacesBytes(int index)
         Specifies a list of metadata namespaces whose values, if present, will be passed to the
         ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
         It works in a way similar to ``metadata_context_namespaces`` but allows Envoy and the external authz server to share the protobuf message definition
         so that the metadata can be parsed safely.
         
        repeated string typed_metadata_context_namespaces = 16;
        Parameters:
        index - The index of the value to return.
        Returns:
        The bytes of the typedMetadataContextNamespaces at the given index.
      • hasFilterEnabled

        boolean hasFilterEnabled()
         Specifies if the filter is enabled.
         If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
         Envoy will look up the runtime key to get the percentage of requests to filter.
         If this field is not specified, the filter will be enabled for all requests.
         
        .envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;
        Returns:
        Whether the filterEnabled field is set.
      • getFilterEnabled

        RuntimeFractionalPercent getFilterEnabled()
         Specifies if the filter is enabled.
         If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
         Envoy will look up the runtime key to get the percentage of requests to filter.
         If this field is not specified, the filter will be enabled for all requests.
         
        .envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;
        Returns:
        The filterEnabled.
      • getFilterEnabledOrBuilder

        RuntimeFractionalPercentOrBuilder getFilterEnabledOrBuilder()
         Specifies if the filter is enabled.
         If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
         Envoy will look up the runtime key to get the percentage of requests to filter.
         If this field is not specified, the filter will be enabled for all requests.
         
        .envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;
      • hasFilterEnabledMetadata

        boolean hasFilterEnabledMetadata()
         Specifies if the filter is enabled with metadata matcher.
         If this field is not specified, the filter will be enabled for all requests.
         
        .envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;
        Returns:
        Whether the filterEnabledMetadata field is set.
      • getFilterEnabledMetadata

        MetadataMatcher getFilterEnabledMetadata()
         Specifies if the filter is enabled with metadata matcher.
         If this field is not specified, the filter will be enabled for all requests.
         
        .envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;
        Returns:
        The filterEnabledMetadata.
      • getFilterEnabledMetadataOrBuilder

        MetadataMatcherOrBuilder getFilterEnabledMetadataOrBuilder()
         Specifies if the filter is enabled with metadata matcher.
         If this field is not specified, the filter will be enabled for all requests.
         
        .envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;
      • hasDenyAtDisable

        boolean hasDenyAtDisable()
         Specifies whether to deny requests when the filter is disabled.
         If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
         Envoy will look up the runtime key to determine whether to deny requests for
         filter-protected paths when the filter is disabled. If the filter is disabled in
         typed_per_filter_config for the path, requests will not be denied.
         If this field is not specified, all requests will be allowed when disabled.
         
        .envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;
        Returns:
        Whether the denyAtDisable field is set.
      • getDenyAtDisable

        RuntimeFeatureFlag getDenyAtDisable()
         Specifies whether to deny requests when the filter is disabled.
         If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
         Envoy will look up the runtime key to determine whether to deny requests for
         filter-protected paths when the filter is disabled. If the filter is disabled in
         typed_per_filter_config for the path, requests will not be denied.
         If this field is not specified, all requests will be allowed when disabled.
         
        .envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;
        Returns:
        The denyAtDisable.
      • getDenyAtDisableOrBuilder

        RuntimeFeatureFlagOrBuilder getDenyAtDisableOrBuilder()
         Specifies whether to deny requests when the filter is disabled.
         If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
         Envoy will look up the runtime key to determine whether to deny requests for
         filter-protected paths when the filter is disabled. If the filter is disabled in
         typed_per_filter_config for the path, requests will not be denied.
         If this field is not specified, all requests will be allowed when disabled.
         
        .envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;
      • getIncludePeerCertificate

        boolean getIncludePeerCertificate()
         Specifies if the peer certificate is sent to the external service.
         When this field is true, Envoy will include the peer X.509 certificate, if available, in the
         :ref:`certificate<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.certificate>`.
         
        bool include_peer_certificate = 10;
        Returns:
        The includePeerCertificate.
      • getStatPrefix

        String getStatPrefix()
         Optional additional prefix to use when emitting statistics. This makes it possible to distinguish
         the statistics emitted by each configured ``ext_authz`` filter in an HTTP filter chain. For example:
         .. code-block:: yaml
           http_filters:
             - name: envoy.filters.http.ext_authz
               typed_config:
                 "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                 stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc.
             - name: envoy.filters.http.ext_authz
               typed_config:
                 "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                 stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc.
         
        string stat_prefix = 13;
        Returns:
        The statPrefix.
      • getStatPrefixBytes

        com.google.protobuf.ByteString getStatPrefixBytes()
         Optional additional prefix to use when emitting statistics. This makes it possible to distinguish
         the statistics emitted by each configured ``ext_authz`` filter in an HTTP filter chain. For example:
         .. code-block:: yaml
           http_filters:
             - name: envoy.filters.http.ext_authz
               typed_config:
                 "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                 stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc.
             - name: envoy.filters.http.ext_authz
               typed_config:
                 "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
                 stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc.
         
        string stat_prefix = 13;
        Returns:
        The bytes for statPrefix.
      • getBootstrapMetadataLabelsKey

        String getBootstrapMetadataLabelsKey()
         Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in
         :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
         The labels will be read from :ref:`metadata<envoy_v3_api_msg_config.core.v3.Node>` with the specified key.
         
        string bootstrap_metadata_labels_key = 15;
        Returns:
        The bootstrapMetadataLabelsKey.
      • getBootstrapMetadataLabelsKeyBytes

        com.google.protobuf.ByteString getBootstrapMetadataLabelsKeyBytes()
         Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in
         :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
         The labels will be read from :ref:`metadata<envoy_v3_api_msg_config.core.v3.Node>` with the specified key.
         
        string bootstrap_metadata_labels_key = 15;
        Returns:
        The bytes for bootstrapMetadataLabelsKey.
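
An added example, not part of the generated API documentation: a read-only audit over `ExtAuthzOrBuilder` that reports the settings described above under which a request can pass without an authorization decision (`failure_mode_allow`, and `filter_enabled` / `filter_enabled_metadata` without `deny_at_disable`). The class name `ExtAuthzFailOpenAudit`, the runtime key `authz.enabled`, and the `io.envoyproxy.envoy...` import paths for the generated classes are assumptions.

```java
import io.envoyproxy.envoy.config.core.v3.RuntimeFractionalPercent;
import io.envoyproxy.envoy.extensions.filters.http.ext_authz.v3.ExtAuthz;
import io.envoyproxy.envoy.extensions.filters.http.ext_authz.v3.ExtAuthzOrBuilder;
import io.envoyproxy.envoy.type.v3.FractionalPercent;
import java.util.ArrayList;
import java.util.List;

public final class ExtAuthzFailOpenAudit {

    /** Returns one finding per setting that can let a request through unchecked. */
    static List<String> audit(ExtAuthzOrBuilder cfg) {
        List<String> findings = new ArrayList<>();

        // Neither transport configured: there is no authorization service to call.
        if (!cfg.hasGrpcService() && !cfg.hasHttpService()) {
            findings.add("neither grpc_service nor http_service is set");
        }

        // failure_mode_allow=true accepts the request when the authorization
        // service is unreachable or returns an HTTP 5xx error.
        if (cfg.getFailureModeAllow()) {
            findings.add("failure_mode_allow=true: authz errors are treated as allow");
        }

        // The filter can only be switched off when one of these is set; when it
        // is off, requests are allowed unless deny_at_disable says otherwise.
        boolean canBeDisabled = cfg.hasFilterEnabled() || cfg.hasFilterEnabledMetadata();
        boolean denyWhenOff = cfg.hasDenyAtDisable()
                && cfg.getDenyAtDisable().getDefaultValue().getValue();
        if (canBeDisabled && !denyWhenOff) {
            String how = cfg.hasFilterEnabled() ? describe(cfg.getFilterEnabled())
                                                : "filter_enabled_metadata matcher";
            findings.add("filter can be disabled (" + how
                    + ") and deny_at_disable does not default to true");
        }
        return findings;
    }

    private static String describe(RuntimeFractionalPercent p) {
        FractionalPercent d = p.getDefaultValue();
        return "filter_enabled default " + d.getNumerator() + "/" + d.getDenominator()
                + ", runtime_key '" + p.getRuntimeKey() + "'";
    }

    public static void main(String[] args) {
        // Constructed sample configuration, for illustration only.
        ExtAuthz.Builder sample = ExtAuthz.newBuilder()
                .setFailureModeAllow(true)
                .setFilterEnabled(RuntimeFractionalPercent.newBuilder()
                        .setRuntimeKey("authz.enabled")
                        .setDefaultValue(FractionalPercent.newBuilder()
                                .setNumerator(50)
                                .setDenominator(FractionalPercent.DenominatorType.HUNDRED)));

        // ExtAuthz.Builder implements ExtAuthzOrBuilder, so it can be audited
        // before build() is called.
        audit(sample).forEach(f -> System.out.println("FINDING: " + f));
    }
}
```

For the constructed sample, the audit reports three findings: no service configured, `failure_mode_allow=true`, and a filter that can be disabled without `deny_at_disable`.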