rbac: add metadata support to rbac filter #3638
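--- a/envoy/type/matchers/BUILD
+++ b/envoy/type/matchers/BUILD
@@ -0,0 +1,50 @@
+load("//bazel:api_build_system.bzl", "api_go_proto_library", "api_proto_library")
+
+licenses(["notice"]) # Apache 2
+
+api_proto_library(
+    name = "metadata",
+    srcs = ["metadata.proto"],
+    visibility = ["//visibility:public"],
+    deps = [
+        ":number",
+        ":string",
+    ],
+)
+
+api_go_proto_library(
+    name = "metadata",
+    proto = ":metadata",
+    deps = [
+        ":number_go_proto",
+        ":string_go_proto",
+    ],
+)
+
+api_proto_library(
+    name = "number",
+    srcs = ["number.proto"],
+    visibility = ["//visibility:public"],
+    deps = [
+        "//envoy/type:range",
+    ],
+)
+
+api_go_proto_library(
+    name = "number",
+    proto = ":number",
+    deps = [
+        "//envoy/type:range_go_proto",
+    ],
+)
+
+api_proto_library(
+    name = "string",
+    srcs = ["string.proto"],
+    visibility = ["//visibility:public"],
+)
+
+api_go_proto_library(
+    name = "string",
+    proto = ":string",
+)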
| @@ -0,0 +1,59 @@ | ||
| syntax = "proto3"; | ||
|
|
||
| package envoy.type.matchers; | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Done |
||
| option go_package = "matchers"; | ||
|
|
||
| import "envoy/type/matchers/string.proto"; | ||
| import "envoy/type/matchers/number.proto"; | ||
|
|
||
| import "validate/validate.proto"; | ||
|
|
||
| // [#protodoc-title: MetadataMatcher] | ||
|
|
||
| // MetadataMatcher provides a general interface to check if a given value is matched in | ||
| // :ref:`Metadata <envoy_api_msg_core.Metadata>`. It uses `filter` and `path` to retrieve the value | ||
| // from the Metadata and then check if it's matched to one of the specified values. | ||
| // | ||
| // An example use of MetadataMatcher is specifying additional metadata in envoy.filters.http.rbac to | ||
| // enforce access control based on dynamic metadata in a request. | ||
| message MetadataMatcher { | ||
| // Specifies the value to match. Only primitive value is supported. For non-primitive value, the | ||
| // result is always not matched. | ||
| message Value { | ||
| // Specifies how to match a value. Only have effect on primitive value. | ||
| oneof match_pattern { | ||
| option (validate.required) = true; | ||
|
|
||
| // If specified, it's matched if and only if the target value is a NullValue and this field is | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. what is the use case of setting null_match to
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Not too much real use case, I make it a
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I would prefer using a empty message, like here:
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Done. |
||
| // also set to true. | ||
| bool null_match = 1; | ||
|
|
||
| // If specified, it's matched if and only if the target value is a double value and is matched | ||
| // to this field. | ||
| DoubleMatcher double_match = 2; | ||
|
|
||
| // If specified, it's matched if and only if the target value is a string value and is matched | ||
| // to this field. | ||
| StringMatcher string_match = 3; | ||
|
|
||
| // If specified, it's matched if and only if the target value is a bool value and is equal to | ||
| // this field. | ||
| bool bool_match = 4; | ||
|
|
||
| // If specified, value match will be performed based on whether the path is referring to a | ||
| // valid primitive value in the metadata. If the path is referring to a non-primitive value, | ||
| // the result is always not matched. | ||
| bool present_match = 7; | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. nit: 5 |
||
| } | ||
| } | ||
|
|
||
| // Required. The filter name to retrieve the Struct from the Metadata. | ||
| string filter = 1 [(validate.rules).string.min_bytes = 1]; | ||
|
|
||
| // Required. The multi-key path to retrieve the Value from the Struct. | ||
| repeated string path = 2 [(validate.rules).repeated .min_items = 1]; | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. it is unclear to me how this works for array, notes?
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Added comment, it's actually not supported and will just result a not match. |
||
|
|
||
| // Required. A set of values to match. The MetadataMatcher is matched if at least one value is | ||
| // matched, in other words, it's matched with OR semantics. | ||
| repeated Value values = 3 [(validate.rules).repeated .min_items = 1]; | ||
| } | ||
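Review bot: The comment on `bool present_match = 7;` does not say what `present_match = false` means; a bool member of a `oneof` has presence, so false is a legitimately set value, and a policy author cannot tell whether it matches when the path is absent or is simply a no-op. Whichever semantics is intended, state both cases, e.g. `// If true, matched iff the path refers to a primitive value; if false, matched iff it does not (absent or non-primitive).`, or say explicitly that false is not supported. Since a non-primitive or missing value always yields "not matched", an RBAC rule whose effect depends on a match silently never fires when the metadata has a different shape; that is worth one sentence on the MetadataMatcher message comment too, so operators writing deny rules know to pair them with `present_match`. The hunk covers the whole message, so no enclosing definition is cut.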
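--- a/envoy/type/matchers/number.proto
+++ b/envoy/type/matchers/number.proto
@@ -0,0 +1,23 @@
+syntax = "proto3";
+
+package envoy.type.matchers;
+option go_package = "matchers";
+
+import "envoy/type/range.proto";
+
+import "validate/validate.proto";
+
+// [#protodoc-title: NumberMatcher]
+
+// Specifies the way to match a double value.
+message DoubleMatcher {
+  oneof match_pattern {
+    option (validate.required) = true;
+
+    // If specified, the input double value must be in the range specified here.
+    envoy.type.DoubleRange range = 1;
+
+    // If specified, the input double value must be equal to the value specified here.
+    double exact = 2;
+  }
+}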
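Review bot: The comment on `envoy.type.DoubleRange range = 1;` does not say whether the bounds are inclusive or exclusive, and the comment on `double exact = 2;` does not say how floating-point equality is decided; a policy author needs both to write a correct rule. Suggest `// The input value must lie within the range; see DoubleRange for which bounds are inclusive.` and `// Exact floating-point equality. NaN compares unequal to every value, so an exact match against NaN never succeeds.` — the NaN remark assumes a plain equality comparison in the implementation, which this hunk does not show.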
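--- a/envoy/type/matchers/string.proto
+++ b/envoy/type/matchers/string.proto
@@ -0,0 +1,49 @@
+syntax = "proto3";
+
+package envoy.type.matchers;
+option go_package = "matchers";
+
+import "validate/validate.proto";
+
+// [#protodoc-title: StringMatcher]
+
+// Specifies the way to match a string.
+message StringMatcher {
+  oneof match_pattern {
+    option (validate.required) = true;
+
+    // The input string must match exactly the string specified here.
+    //
+    // Examples:
+    //
+    // * *abc* only matches the value *abc*.
+    string exact = 1;
+
+    // The input string must have the prefix specified here.
+    // Note: empty prefix is not allowed, please use regex instead.
+    //
+    // Examples:
+    //
+    // * *abc* matches the value *abc.xyz*
+    string prefix = 2 [(validate.rules).string.min_bytes = 1];
+
+    // The input string must have the suffix specified here.
+    // Note: empty prefix is not allowed, please use regex instead.
+    //
+    // Examples:
+    //
+    // * *abc* matches the value *xyz.abc*
+    string suffix = 3 [(validate.rules).string.min_bytes = 1];
+
+    // The input string must match the regular expression specified here.
+    // The regex grammar is defined `here
+    // <http://en.cppreference.com/w/cpp/regex/ecmascript>`_.
+    //
+    // Examples:
+    //
+    // * The regex *\d{3}* matches the value *123*
+    // * The regex *\d{3}* does not match the value *1234*
+    // * The regex *\d{3}* does not match the value *123.456*
+    string regex = 4;
+  }
+}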
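Review bot: The note above `string suffix = 3` reads `// Note: empty prefix is not allowed, please use regex instead.`, a copy of the prefix note; it should read `// Note: empty suffix is not allowed, please use regex instead.`. Separately, `string regex = 4;` has no comment on whether the pattern must match the whole input or only a substring, although the `*\d{3}* does not match the value *1234*` example implies whole-string matching; stating it outright, `// The whole input string must match the pattern.`, keeps a policy author from assuming search semantics. Because the matched input is request-derived and the linked grammar is std::regex ECMAScript (a backtracking engine, inferred from the link rather than shown here), a sentence advising authors to keep patterns simple and avoid nested quantifiers would help operators keep match cost bounded.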
nit: s/A metadata/Metadata. Same below.
Done