authz: RBAC filter config PBs + flexibility changes#3477
authz: RBAC filter config PBs + flexibility changes#3477mattklein123 merged 3 commits intoenvoyproxy:masterfrom
Conversation
Signed-off-by: Chris Roche <croche@lyft.com>
| @@ -68,90 +74,70 @@ message Policy { | |||
| repeated Principal principals = 2 [(validate.rules).repeated .min_items = 1]; | |||
There was a problem hiding this comment.
It seems that there is space between "repeated" and ".min_items"? Should it be removed?
There was a problem hiding this comment.
The clang-format rules doesn't distinguish between the option name and the repeated decorator for a field. Unfortunately this has to remain but it's fortunately compatible with protoc
|
|
||
| // Source IP addresses. | ||
| IpMatch source_ips = 2; | ||
| // A set of identifiers that all must match in order to define the principal. |
There was a problem hiding this comment.
"all must match"->"at least one must match".
| // ":ref: `AttributeContext <envoy_api_msg_service.auth.v2alpha.AttributeContext>`. | ||
| // If unset, it applies to any user. | ||
| // The name of the principal. If set, the URI SAN is used from the certificate, otherwise the | ||
| // subject field is used. If unset, it applies to any user that is authenticated. |
There was a problem hiding this comment.
What is the "subject field"? Is "unset" of this field equivalent to "any" field set to "true"?
There was a problem hiding this comment.
This is the same behavior as in ext authz / AttributeContext, it uses the URI SAN if present, otherwise, it uses the subject field off the certificate.
if a principal has authenticated set with its name unset it means that the request must be authenticated, but does not care who the subject is.
| message Principal { | ||
|
|
||
| message Set { | ||
| repeated Principal ids = 1 [(validate.rules).repeated .min_items = 1]; |
There was a problem hiding this comment.
space between "repeated" and ".min_items"?
Signed-off-by: Chris Roche <croche@lyft.com>
mattklein123
left a comment
mattklein123
left a comment
There was a problem hiding this comment.
LGTM, this is great, thanks. Just some small doc asks.
| repeated envoy.type.StringMatch values = 2; | ||
| } | ||
| message Set { | ||
| repeated Permission rules = 1 [(validate.rules).repeated .min_items = 1]; |
There was a problem hiding this comment.
Per offline convo can we add some more docs/explanation of what the AND/OR behavior is of this repeated lists? I think that would be helpful.
There was a problem hiding this comment.
Ah, these are just wrappers since you can't have a repeated field in a oneof. Adding a comment to specify that the application is dependent on whether it's in and_rules/ids vs or_rules/ids
There was a problem hiding this comment.
Sorry, I commented in the wrong place. :(
There was a problem hiding this comment.
(But more comments here fine too)
|
|
||
| // Optional. Custom conditions. | ||
| repeated Condition conditions = 3; | ||
| // When any is set, it matches any action. |
There was a problem hiding this comment.
On this field (and the same one on principal) can we add a bit more docs explaining the usage (effectively that it's explicit and a policy needs to have at least one permission and principal).
Signed-off-by: Chris Roche <croche@lyft.com>
mattklein123
left a comment
mattklein123
left a comment
There was a problem hiding this comment.
This is awesome, just found a small typo, thanks.
| // | ||
| message RBAC { | ||
| // Should we do white-list or black-list style access control. | ||
| // Should we do white-list or black-list style access control? |
There was a problem hiding this comment.
I think you had a typo here?
There was a problem hiding this comment.
Nevermind I see you made this into a question.
Fix the description of an `RBAC` Protobuf message example, so that it matches the changes made to the YAML code block in PR envoyproxy#3477. Risk Level: Low Testing: N/A Docs Changes: N/A Release Notes: N/A Signed-off-by: Tal Nordan <tal.nordan@solo.io>
Fix the description of an `RBAC` Protobuf message example, so that it matches the changes made to the YAML code block in PR #3477. Risk Level: Low Testing: N/A Docs Changes: N/A Release Notes: N/A Signed-off-by: Tal Nordan <tal.nordan@solo.io>
3 participants
This patch splits out the proto config changes for the RBAC filter from #3455 for easier review, as well as to unblock implementors from consuming these configs ASAP. Of note, these changes make the rules for permissions/principals more explicit in terms of their application (AND vs OR) as well as permits mixing and matching different types of matchers together within those logical operators. This facilitates inflation of these rules into the matchers within the RBAC engine inside Envoy as well as affords an extra level of flexibility to defining the config. These changes are compatible with the previous definitions, if more verbose.
Risk Level: Low (unused proto changes)
Testing: N/A
Docs: N/A
Release Notes: N/A
Signed-off-by: Chris Roche croche@lyft.com