rbac: add rbac network filter. (#4083)
Signed-off-by: Yangmin Zhu <ymzhu@google.com>
1 parent 5a7152d, commit c283439
Showing 33 changed files with 963 additions and 70 deletions.
@@ -0,0 +1,9 @@ | ||
load("//bazel:api_build_system.bzl", "api_proto_library_internal") | ||
|
||
licenses(["notice"]) # Apache 2 | ||
|
||
api_proto_library_internal( | ||
name = "rbac", | ||
srcs = ["rbac.proto"], | ||
deps = ["//envoy/config/rbac/v2alpha:rbac"], | ||
) |
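Review bot: the new `rbac` target depends on `//envoy/config/rbac/v2alpha:rbac` while the filter config it builds is published as `v2` (`package envoy.config.filter.network.rbac.v2` in the accompanying proto), so a filter message presented as stable embeds an alpha-versioned `RBAC` rules message; either version the filter config as `v2alpha` as well, or say in the proto comment that the rules schema it carries may still change. Also, since the proto imports `validate/validate.proto` and `gogoproto/gogo.proto`, confirm that `api_proto_library_internal` supplies those deps implicitly rather than leaving them to a transitive include.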
@@ -0,0 +1,30 @@ | ||
syntax = "proto3"; | ||
|
||
package envoy.config.filter.network.rbac.v2; | ||
option go_package = "v2"; | ||
|
||
import "envoy/config/rbac/v2alpha/rbac.proto"; | ||
|
||
import "validate/validate.proto"; | ||
import "gogoproto/gogo.proto"; | ||
|
||
// [#protodoc-title: RBAC] | ||
// Role-Based Access Control :ref:`configuration overview <config_network_filters_rbac>`. | ||
|
||
// RBAC network filter config. | ||
// | ||
// Header and Metadata should not be used in rules/shadow_rules in RBAC network filter as | ||
// this information is only available in :ref:`RBAC http filter <config_http_filters_rbac>`. | ||
message RBAC { | ||
// Specify the RBAC rules to be applied globally. | ||
// If absent, no enforcing RBAC policy will be applied. | ||
config.rbac.v2alpha.RBAC rules = 1; | ||
|
||
// Shadow rules are not enforced by the filter but will emit stats and logs | ||
// and can be used for rule testing. | ||
// If absent, no shadow RBAC policy will be applied. | ||
config.rbac.v2alpha.RBAC shadow_rules = 2; | ||
|
||
// The prefix to use when emitting statistics. | ||
string stat_prefix = 3 [(validate.rules).string.min_bytes = 1]; | ||
} |
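Review bot: the comment on `message RBAC` says Header and Metadata should not be used in `rules`/`shadow_rules` for the network filter, but nothing in the schema enforces that, and the comment does not say whether such a rule is rejected at config load or silently never matches. The latter is dangerous for an access-control filter: a header-based ALLOW policy would never admit anyone and a header-based DENY policy would never block anyone, with no error to point at. Suggest validating the rules in the network filter's config factory and failing fast, or at least stating here what happens to such a rule. Two smaller points: `rules` absent means the filter enforces nothing, i.e. it is fail-open, and the comment should say so in those words; and `gogoproto/gogo.proto` is imported but no `gogoproto` option is used anywhere in this file.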
@@ -15,5 +15,6 @@ filters. | |
ext_authz_filter | ||
mongo_proxy_filter | ||
rate_limit_filter | ||
rbac_filter | ||
redis_proxy_filter | ||
tcp_proxy_filter |
@@ -0,0 +1,27 @@ | ||
.. _config_network_filters_rbac: | ||
|
||
Role Based Access Control (RBAC) Network Filter | ||
=============================================== | ||
|
||
The RBAC network filter is used to authorize actions (permissions) by identified downstream clients | ||
(principals). This is useful to explicitly manage callers to an application and protect it from | ||
unexpected or forbidden agents. The filter supports configuration with either a safe-list (ALLOW) or | ||
block-list (DENY) set of policies based on properties of the connection (IPs, ports, SSL subject). | ||
This filter also supports policy in both enforcement and shadow modes. Shadow mode won't effect real | ||
users, it is used to test that a new set of policies work before rolling out to production. | ||
|
||
* :ref:`v2 API reference <envoy_api_msg_config.filter.network.rbac.v2.RBAC>` | ||
|
||
Statistics | ||
---------- | ||
|
||
The RBAC network filter outputs statistics in the *<stat_prefix>.rbac.* namespace. | ||
|
||
.. csv-table:: | ||
:header: Name, Type, Description | ||
:widths: 1, 1, 2 | ||
|
||
allowed, Counter, Total requests that were allowed access | ||
denied, Counter, Total requests that were denied access | ||
shadow_allowed, Counter, Total requests that would be allowed access by the filter's shadow rules | ||
shadow_denied, Counter, Total requests that would be denied access by the filter's shadow rules |
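Review bot: the statistics table describes all four counters as "Total requests", but this is a network filter and the decision is taken per connection (the overview lists IPs, ports and SSL subject as the inputs), so `allowed`/`denied`/`shadow_allowed`/`shadow_denied` count connections, not requests; the distinction matters for anyone building alerting on these counters alongside the HTTP filter's. Also "Shadow mode won't effect real users" should read "affect". Finally, the overview should spell out the fail-open default that the proto comment only hints at: when `rules` is absent no enforcing policy is applied and every connection passes, so a deployment that configures only `shadow_rules` is not yet protected.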
@@ -0,0 +1,18 @@ | ||
#include "extensions/filters/common/rbac/utility.h" | ||
|
||
namespace Envoy { | ||
namespace Extensions { | ||
namespace Filters { | ||
namespace Common { | ||
namespace RBAC { | ||
|
||
RoleBasedAccessControlFilterStats generateStats(const std::string& prefix, Stats::Scope& scope) { | ||
const std::string final_prefix = prefix + "rbac."; | ||
return {ALL_RBAC_FILTER_STATS(POOL_COUNTER_PREFIX(scope, final_prefix))}; | ||
} | ||
|
||
} // namespace RBAC | ||
} // namespace Common | ||
} // namespace Filters | ||
} // namespace Extensions | ||
} // namespace Envoy |
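Review bot: `generateStats` builds the scope as `prefix + "rbac."`, so the documented `<stat_prefix>.rbac.` namespace only holds if every caller passes a prefix that already ends in `.`; the proto's `stat_prefix` is validated only for `min_bytes = 1`, and nothing in the declaration records that contract. Either append the separator here and document that callers pass the raw `stat_prefix`, or add a comment on the declaration stating that `prefix` must be dot-terminated, so the HTTP and network factories cannot drift apart on stat names.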
@@ -0,0 +1,54 @@ | ||
#pragma once | ||
|
||
#include "envoy/config/filter/http/rbac/v2/rbac.pb.h" | ||
#include "envoy/config/filter/network/rbac/v2/rbac.pb.h" | ||
#include "envoy/stats/stats_macros.h" | ||
|
||
#include "extensions/filters/common/rbac/engine_impl.h" | ||
|
||
namespace Envoy { | ||
namespace Extensions { | ||
namespace Filters { | ||
namespace Common { | ||
namespace RBAC { | ||
|
||
/** | ||
* All stats for the RBAC filter. @see stats_macros.h | ||
*/ | ||
// clang-format off | ||
#define ALL_RBAC_FILTER_STATS(COUNTER) \ | ||
COUNTER(allowed) \ | ||
COUNTER(denied) \ | ||
COUNTER(shadow_allowed) \ | ||
COUNTER(shadow_denied) | ||
// clang-format on | ||
|
||
/** | ||
* Wrapper struct for RBAC filter stats. @see stats_macros.h | ||
*/ | ||
struct RoleBasedAccessControlFilterStats { | ||
ALL_RBAC_FILTER_STATS(GENERATE_COUNTER_STRUCT) | ||
}; | ||
|
||
RoleBasedAccessControlFilterStats generateStats(const std::string& prefix, Stats::Scope& scope); | ||
|
||
enum class EnforcementMode { Enforced, Shadow }; | ||
|
||
template <class ConfigType> | ||
absl::optional<RoleBasedAccessControlEngineImpl> createEngine(const ConfigType& config) { | ||
return config.has_rules() ? absl::make_optional<RoleBasedAccessControlEngineImpl>(config.rules()) | ||
: absl::nullopt; | ||
} | ||
|
||
template <class ConfigType> | ||
absl::optional<RoleBasedAccessControlEngineImpl> createShadowEngine(const ConfigType& config) { | ||
return config.has_shadow_rules() | ||
? absl::make_optional<RoleBasedAccessControlEngineImpl>(config.shadow_rules()) | ||
: absl::nullopt; | ||
} | ||
|
||
} // namespace RBAC | ||
} // namespace Common | ||
} // namespace Filters | ||
} // namespace Extensions | ||
} // namespace Envoy |
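Review bot: this header uses `absl::optional`, `absl::make_optional` and `absl::nullopt` but does not include `absl/types/optional.h`, so it compiles only through whatever `engine_impl.h` happens to pull in; add the include directly. It also includes both `envoy/config/filter/http/rbac/v2/rbac.pb.h` and `envoy/config/filter/network/rbac/v2/rbac.pb.h` although nothing in the file names either type (`createEngine` and `createShadowEngine` are templates over `ConfigType` and only need `has_rules()`/`rules()` and `has_shadow_rules()`/`shadow_rules()`); dropping them keeps the common RBAC utility from depending on every filter that consumes it. Minor: `EnforcementMode` is declared here but not referenced anywhere in this file, so a one-line comment on where it is consumed would help.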