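syntax = "proto3";

package envoy.extensions.filters.http.rbac.v3;

import "envoy/config/rbac/v3/rbac.proto";

import "xds/annotations/v3/status.proto";
import "xds/type/matcher/v3/matcher.proto";

import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";

option java_package = "io.envoyproxy.envoy.extensions.filters.http.rbac.v3";
option java_outer_classname = "RbacProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rbac/v3;rbacv3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;

// [#protodoc-title: RBAC]
// Role-Based Access Control :ref:`configuration overview <config_http_filters_rbac>`.
// [#extension: envoy.filters.http.rbac]

// RBAC filter config.
//
// Enforcement comes from ``rules`` or ``matcher``. The ``shadow_*`` fields only emit stats and
// logs. When neither ``rules`` nor ``matcher`` is set, no enforcing policy is applied.
// [#next-free-field: 6]
message RBAC {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.filter.http.rbac.v2.RBAC";

  // Specify the RBAC rules to be applied globally.
  // If absent, no enforcing RBAC policy will be applied.
  // If present and empty, DENY.
  // If both rules and matcher are configured, rules will be ignored.
  //
  // Note the asymmetry between the two "nothing configured" cases: an unset field applies no
  // enforcing policy, while a field that is set but empty denies.
  config.rbac.v3.RBAC rules = 1
      [(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];

  // The match tree to use when resolving RBAC action for incoming requests. Requests that do
  // not match any matcher will be denied.
  // If absent, no enforcing RBAC matcher will be applied.
  // If present and empty, deny all requests.
  // If both rules and matcher are configured, rules will be ignored.
  // This field is annotated as work-in-progress.
  xds.type.matcher.v3.Matcher matcher = 4 [
    (udpa.annotations.field_migrate).oneof_promotion = "rules_specifier",
    (xds.annotations.v3.field_status).work_in_progress = true
  ];

  // Shadow rules are not enforced by the filter (i.e., returning a 403)
  // but will emit stats and logs and can be used for rule testing.
  // If absent, no shadow RBAC policy will be applied.
  // If both shadow rules and shadow matcher are configured, shadow rules will be ignored.
  //
  // Shadow rules never block a request, so a config that sets only shadow rules enforces
  // nothing.
  config.rbac.v3.RBAC shadow_rules = 2
      [(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier"];

  // The match tree to use for emitting stats and logs which can be used for rule testing for
  // incoming requests.
  // If absent, no shadow matcher will be applied.
  // If both shadow rules and shadow matcher are configured, shadow rules will be ignored.
  // This field is annotated as work-in-progress.
  xds.type.matcher.v3.Matcher shadow_matcher = 5 [
    (udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier",
    (xds.annotations.v3.field_status).work_in_progress = true
  ];

  // If specified, shadow rules will emit stats with the given prefix.
  // This is useful to distinguish the stats when more than one RBAC filter is configured with
  // shadow rules.
  string shadow_rules_stat_prefix = 3;
}

// Per-route RBAC filter config, overriding the global filter config for a route.
message RBACPerRoute {
  option (udpa.annotations.versioning).previous_message_type =
      "envoy.config.filter.http.rbac.v2.RBACPerRoute";

  reserved 1;

  // Override the global configuration of the filter with this new config.
  // If absent, the global RBAC policy will be disabled for this route.
  //
  // A per-route entry that leaves this field unset therefore removes RBAC enforcement from
  // the route. Review such entries as deliberate exemptions, not as harmless defaults.
  RBAC rbac = 2;
}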