Skip to content
Merged
Show file tree
Hide file tree
Changes from 34 commits
Commits
Show all changes
63 commits
Select commit Hold shift + click to select a range
bf2ab82
api: add matcher for rbac
zhxie Apr 1, 2022
c848b96
rbac: reconcile matching inputs for RBAC
zhxie Apr 7, 2022
ff1b72b
rbac: add unified matcher
zhxie Apr 7, 2022
9135a9a
api: update RBAC action
zhxie Apr 8, 2022
cf89fa7
rbac: remove log ability in matcher
zhxie Apr 12, 2022
d7a6269
rbac: fix address inputs
zhxie Apr 12, 2022
96f4025
test: test matcher engine and inputs
zhxie Apr 13, 2022
b65820e
matching: extend HTTP inputs
zhxie Apr 13, 2022
979d2b6
matching: extend network inputs
zhxie Apr 13, 2022
338a1b9
rbac: support network inputs
zhxie Apr 13, 2022
cbc0b85
rbac: support HTTP inputs
zhxie Apr 13, 2022
4e4d30c
test: test matcher engine
zhxie Apr 13, 2022
0278ee2
rbac: fix wrong enforcement mode when create engines
zhxie Apr 13, 2022
4ac347e
test: test RBAC network filter
zhxie Apr 15, 2022
d29b90e
test: clean up RBAC network filter test
zhxie Apr 18, 2022
ed02a8e
test: test RBAC HTTP filter
zhxie Apr 18, 2022
a404d4d
rbac: rename validation visitor
zhxie Apr 18, 2022
b1a8b94
api: update RBAC action again
zhxie Apr 18, 2022
f421ebe
Merge remote-tracking branch 'envoyproxy/main' into rbac-matcher
zhxie Apr 19, 2022
c338e22
rbac: support source type input
zhxie Apr 19, 2022
82b5f0f
rbac: fix missing request trailers support
zhxie Apr 19, 2022
029b64c
docs: update RBAC docs
zhxie Apr 19, 2022
a537d0d
rbac: revert unsupported request trailers support
zhxie Apr 19, 2022
d6e0e49
test: fix affected HTTP tests
zhxie Apr 19, 2022
1d7996a
rbac: fix potential corrupt enum
zhxie Apr 19, 2022
57b55b7
Merge remote-tracking branch 'envoyproxy/main' into rbac-matcher
zhxie Apr 20, 2022
a736dde
docs: add release notes
zhxie Apr 20, 2022
599a7b1
test: test RBAC inputs
zhxie Apr 20, 2022
45f9054
api: oneof compatible
zhxie Apr 21, 2022
2883dda
api: oneof compatible
zhxie Apr 21, 2022
73fd6b5
docs: fix release notes
zhxie Apr 21, 2022
9101f17
format: fix end with new line
zhxie Apr 21, 2022
cdf18a4
api: promote oneof with udpa annotation
zhxie Apr 21, 2022
85b4a32
test: add coverage
zhxie Apr 22, 2022
8542e73
rbac: prioritize matcher
zhxie Apr 24, 2022
8e21851
Merge remote-tracking branch 'envoyproxy/main' into rbac-matcher
zhxie May 5, 2022
4fc0b41
rbac: rename for preventing confusion
zhxie May 5, 2022
37a5f03
rbac: reuse generate log
zhxie May 5, 2022
2a6a087
rbac: fix matching data
zhxie May 5, 2022
cc882e0
rbac: make log clear
zhxie May 5, 2022
df2698e
rbac: fix generating log
zhxie May 5, 2022
acb054d
nit: update warning
zhxie May 6, 2022
c01ce6d
test: make matcher test clear
zhxie May 6, 2022
73129a4
Merge remote-tracking branch 'envoyproxy/main' into rbac-matcher
zhxie May 6, 2022
fc86357
docs: update changelog
zhxie May 6, 2022
c29042d
Merge remote-tracking branch 'envoyproxy/main' into rbac-matcher
zhxie May 12, 2022
c6f805b
api: update action comment
zhxie May 13, 2022
3928e84
Merge remote-tracking branch 'envoyproxy/main' into rbac-matcher
zhxie May 17, 2022
0c6be24
nit: fix due to merge conflicts
zhxie May 17, 2022
8f93967
nit: change name
zhxie May 17, 2022
27fcb1e
nit: remove unnecessary comments
zhxie May 18, 2022
434aab9
rbac: use HTTP matching data
zhxie May 19, 2022
d22591f
Merge remote-tracking branch 'envoyproxy/main' into rbac-matcher
zhxie May 24, 2022
af13fbf
matching: remove code changes
zhxie May 24, 2022
0fcb32a
Merge remote-tracking branch 'envoyproxy/main' into rbac-matcher
zhxie May 25, 2022
8810f89
nit: typo
zhxie May 25, 2022
9d7ec37
docs: disambiguate RBAC matcher extensions
zhxie May 25, 2022
de7afaf
nit: update comment
zhxie May 26, 2022
0e2cda6
Merge remote-tracking branch 'envoyproxy/main' into rbac-matcher
zhxie May 26, 2022
a9b189a
deps: suppress conflicting package heights
zhxie May 26, 2022
fb613e9
Merge remote-tracking branch 'envoyproxy/main' into rbac-matcher
zhxie Jun 14, 2022
2470731
changelogs: change due to merge conflicts
zhxie Jun 14, 2022
d02f5ec
rbac: support SSL inputs
zhxie Jun 14, 2022
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions api/envoy/config/rbac/v3/rbac.proto
Original file line number Diff line number Diff line change
Expand Up @@ -310,3 +310,26 @@ message Principal {
Principal not_id = 8;
}
}

// Action defines the result of allowance or denial when a request matches the matcher.
message Action {
Comment thread
zhxie marked this conversation as resolved.
// The name indicates the matcher name.
Comment thread
kyessenov marked this conversation as resolved.
Outdated
string name = 1 [(validate.rules).string = {min_len: 1}];
Comment thread
kyessenov marked this conversation as resolved.

// The action to take if the matcher matches. Every action either allows or denies a request,
// and can also carry out action-specific operations.
//
// Actions:
//
// * ALLOW: Allows the request if and only if the matcher that matches the
// request.
// * DENY: Allows the request if and only if the matcher that does not match
// the request.
// * LOG: Allows the request if and only if the matcher that matches the
Comment thread
kyessenov marked this conversation as resolved.
Outdated
// request. If the matcher matches, the dynamic metadata key
// `access_log_hint` is set to the value `true` under the shared key
// namespace 'envoy.common'. If the matcher does not match, it is set to
// `false`.
//
RBAC.Action action = 2;
}
2 changes: 2 additions & 0 deletions api/envoy/extensions/filters/http/rbac/v3/BUILD
Original file line number Diff line number Diff line change
Expand Up @@ -8,5 +8,7 @@ api_proto_package(
deps = [
"//envoy/config/rbac/v3:pkg",
"@com_github_cncf_udpa//udpa/annotations:pkg",
"@com_github_cncf_udpa//xds/annotations/v3:pkg",
"@com_github_cncf_udpa//xds/type/matcher/v3:pkg",
],
)
30 changes: 28 additions & 2 deletions api/envoy/extensions/filters/http/rbac/v3/rbac.proto
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,10 @@ package envoy.extensions.filters.http.rbac.v3;

import "envoy/config/rbac/v3/rbac.proto";

import "xds/annotations/v3/status.proto";
import "xds/type/matcher/v3/matcher.proto";

import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";

Expand All @@ -18,19 +22,41 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#extension: envoy.filters.http.rbac]

// RBAC filter config.
// [#next-free-field: 6]
message RBAC {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.http.rbac.v2.RBAC";

// Specify the RBAC rules to be applied globally.
// If absent, no enforcing RBAC policy will be applied.
// If present and empty, DENY.
config.rbac.v3.RBAC rules = 1;
config.rbac.v3.RBAC rules = 1
[(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];

// The match tree to use when resolving RBAC action for incoming requests. Requests do not
// match any matcher will be denied.
// If absent, no enforcing RBAC matcher will be applied.
// If present and empty, deny all requests.
// If both rules and matcher are configured, the matcher will be ignored.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we should do this the opposite way, where matcher takes precedence over old-style rules? That will provide a safe way to transition to the new field: control planes can populate both fields, and old clients will continue to use the old rules field, but newer clients will use the new matcher field.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The matching API is still unstable. In the previous work, we have added matcher for filter chain, and it is also a secondary option which is an inferior of filter chain match.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand that it's not yet stable, but it's still up to the control plane as to whether or not it wants to use this unstable feature. If it doesn't want to do that, it can just not populate this field.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, I will change the behavior.

xds.type.matcher.v3.Matcher matcher = 4 [
(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier",
(xds.annotations.v3.field_status).work_in_progress = true
];

// Shadow rules are not enforced by the filter (i.e., returning a 403)
// but will emit stats and logs and can be used for rule testing.
// If absent, no shadow RBAC policy will be applied.
config.rbac.v3.RBAC shadow_rules = 2;
config.rbac.v3.RBAC shadow_rules = 2
[(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier"];

// The match tree to use for emitting stats and logs which can be used for rule testing for
// incoming requests.
// If absent, no shadow matcher will be applied.
// If both shadow rules and shadow matcher are configured, the shadow matcher will be ignored.
xds.type.matcher.v3.Matcher shadow_matcher = 5 [
Comment thread
kyessenov marked this conversation as resolved.
(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier",
(xds.annotations.v3.field_status).work_in_progress = true
];

// If specified, shadow rules will emit stats with the given prefix.
// This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
Expand Down
2 changes: 2 additions & 0 deletions api/envoy/extensions/filters/network/rbac/v3/BUILD
Original file line number Diff line number Diff line change
Expand Up @@ -8,5 +8,7 @@ api_proto_package(
deps = [
"//envoy/config/rbac/v3:pkg",
"@com_github_cncf_udpa//udpa/annotations:pkg",
"@com_github_cncf_udpa//xds/annotations/v3:pkg",
"@com_github_cncf_udpa//xds/type/matcher/v3:pkg",
],
)
31 changes: 28 additions & 3 deletions api/envoy/extensions/filters/network/rbac/v3/rbac.proto
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,10 @@ package envoy.extensions.filters.network.rbac.v3;

import "envoy/config/rbac/v3/rbac.proto";

import "xds/annotations/v3/status.proto";
import "xds/type/matcher/v3/matcher.proto";

import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
Expand All @@ -22,7 +26,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
//
// Header should not be used in rules/shadow_rules in RBAC network filter as
// this information is only available in :ref:`RBAC http filter <config_http_filters_rbac>`.
// [#next-free-field: 6]
// [#next-free-field: 8]
message RBAC {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.network.rbac.v2.RBAC";
Expand All @@ -41,12 +45,33 @@ message RBAC {
// Specify the RBAC rules to be applied globally.
// If absent, no enforcing RBAC policy will be applied.
// If present and empty, DENY.
config.rbac.v3.RBAC rules = 1;
config.rbac.v3.RBAC rules = 1
[(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];

// The match tree to use when resolving RBAC action for incoming connections. Connections do
// not match any matcher will be denied.
// If absent, no enforcing RBAC matcher will be applied.
// If present and empty, deny all connections.
// If both rules and matcher are configured, the matcher will be ignored.
xds.type.matcher.v3.Matcher matcher = 6 [
(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier",
(xds.annotations.v3.field_status).work_in_progress = true
];

// Shadow rules are not enforced by the filter but will emit stats and logs
// and can be used for rule testing.
// If absent, no shadow RBAC policy will be applied.
config.rbac.v3.RBAC shadow_rules = 2;
config.rbac.v3.RBAC shadow_rules = 2
[(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier"];

// The match tree to use for emitting stats and logs which can be used for rule testing for
// incoming connections.
// If absent, no shadow matcher will be applied.
// If both shadow rules and shadow matcher are configured, the shadow matcher will be ignored.
xds.type.matcher.v3.Matcher shadow_matcher = 7 [
(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier",
(xds.annotations.v3.field_status).work_in_progress = true
];

// If specified, shadow rules will emit stats with the given prefix.
// This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
Expand Down
8 changes: 4 additions & 4 deletions docs/root/configuration/http/http_filters/rbac_filter.rst
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,10 @@
Role Based Access Control (RBAC) Filter
=======================================

The RBAC filter is used to authorize actions (permissions) by identified downstream clients
(principals). This is useful to explicitly manage callers to an application and protect it from
unexpected or forbidden agents. The filter supports configuration with either a safe-list (ALLOW) or
block-list (DENY) set of policies based off properties of the connection (IPs, ports, SSL subject)
The RBAC filter is used to authorize actions by identified downstream clients. This is useful to
explicitly manage callers to an application and protect it from unexpected or forbidden agents. The
filter supports configuration with either a safe-list (ALLOW) or block-list (DENY) set of policies,
or a matcher with different actions, based off properties of the connection (IPs, ports, SSL subject)
Comment thread
kyessenov marked this conversation as resolved.
as well as the incoming request's HTTP headers. This filter also supports policy in both enforcement
and shadow mode, shadow mode won't effect real users, it is used to test that a new set of policies
work before rolling out to production.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,10 +3,10 @@
Role Based Access Control (RBAC) Network Filter
===============================================

The RBAC network filter is used to authorize actions (permissions) by identified downstream clients
(principals). This is useful to explicitly manage callers to an application and protect it from
unexpected or forbidden agents. The filter supports configuration with either a safe-list (ALLOW) or
block-list (DENY) set of policies based on properties of the connection (IPs, ports, SSL subject).
The RBAC network filter is used to authorize actions by identified downstream clients. This is useful
to explicitly manage callers to an application and protect it from unexpected or forbidden agents.
The filter supports configuration with either a safe-list (ALLOW) or block-list (DENY) set of policies,
or a matcher with different actions, based on properties of the connection (IPs, ports, SSL subject).
This filter also supports policy in both enforcement and shadow modes. Shadow mode won't effect real
users, it is used to test that a new set of policies work before rolling out to production.

Expand Down
27 changes: 22 additions & 5 deletions docs/root/intro/arch_overview/security/rbac_filter.rst
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,10 @@ or as a :ref:`HTTP filter <config_http_filters_rbac>` or both. If the request is
by the network filter then the connection will be closed. If the request is deemed unauthorized by
the HTTP filter the request will be denied with 403 (Forbidden) response.

The RBAC filter's rules can be either configured with a list of
:ref:`policies <envoy_v3_api_field_config.rbac.v3.RBAC.policies>` or the
:ref:`matching API <envoy_v3_api_msg_.xds.type.matcher.v3.Matcher>`.

Policy
------

Expand All @@ -26,13 +30,26 @@ the request, for example, the method and path of a HTTP request. The principal s
downstream client identities of the request, for example, the URI SAN of the downstream client
certificate. A policy is matched if its permissions and principals are matched at the same time.

Shadow Policy
-------------
.. _arch_overview_rbac_matcher:

Matcher
-------
Instead of specifying :ref:`policies <envoy_v3_api_field_config.rbac.v3.RBAC.policies>`, the RBAC
filter can also be configured with the :ref:`matching API <envoy_v3_api_msg_.xds.type.matcher.v3.Matcher>`.
:ref:`Network inputs <extension_category_envoy.matching.network.input>` are available for both RBAC
network filter and HTTP filter, and :ref:`HTTP inputs <extension_category_envoy.matching.http.input>`
are only available in HTTP filter.

RBAC matchers are not compatible with the :ref:`matching API <envoy_v3_api_msg_.xds.type.matcher.v3.Matcher>`.
Comment thread
kyessenov marked this conversation as resolved.
Outdated

Shadow Policy and Shadow Matcher
--------------------------------

The filter can be configured with a
:ref:`shadow policy <envoy_v3_api_field_extensions.filters.http.rbac.v3.RBAC.shadow_rules>` that doesn't
have any effect (i.e. not deny the request) but only emit stats and log the result. This is useful
for testing a rule before applying in production.
:ref:`shadow policy <envoy_v3_api_field_extensions.filters.http.rbac.v3.RBAC.shadow_rules>` or a
:ref:`shadow matcher <envoy_v3_api_field_extensions.filters.http.rbac.v3.RBAC.shadow_matcher>` that
doesn't have any effect (i.e. not deny the request) but only emit stats and log the result. This is
useful for testing a rule before applying in production.

.. _arch_overview_condition:

Expand Down
1 change: 1 addition & 0 deletions docs/root/version_history/current.rst
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ Removed Config or Runtime
New Features
------------
* ext_proc: added support for per-route :ref:`grpc_service <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExtProcOverrides.grpc_service>`.
* rbac: added :ref:`matcher <arch_overview_rbac_matcher>` for selecting connections and requests to different actions.

Deprecated
----------
10 changes: 10 additions & 0 deletions source/common/http/matching/inputs.cc
Original file line number Diff line number Diff line change
Expand Up @@ -5,10 +5,20 @@
namespace Envoy {
namespace Http {
namespace Matching {

using HttpRequestHeadersDataInputFactory = HttpRequestHeadersDataInputFactoryBase<HttpMatchingData>;
using HttpResponseHeadersDataInputFactory =
HttpResponseHeadersDataInputFactoryBase<HttpMatchingData>;
using HttpRequestTrailersDataInputFactory =
HttpRequestTrailersDataInputFactoryBase<HttpMatchingData>;
using HttpResponseTrailersDataInputFactory =
HttpResponseTrailersDataInputFactoryBase<HttpMatchingData>;

REGISTER_FACTORY(HttpRequestHeadersDataInputFactory, Matcher::DataInputFactory<HttpMatchingData>);
REGISTER_FACTORY(HttpResponseHeadersDataInputFactory, Matcher::DataInputFactory<HttpMatchingData>);
REGISTER_FACTORY(HttpRequestTrailersDataInputFactory, Matcher::DataInputFactory<HttpMatchingData>);
REGISTER_FACTORY(HttpResponseTrailersDataInputFactory, Matcher::DataInputFactory<HttpMatchingData>);

} // namespace Matching
} // namespace Http
} // namespace Envoy
Loading