Title: Support matching on route metadata in the HTTP RBAC filter
Description:
We have two types of routes which exist on the same routing table and want to be able to apply RBAC rules based on the route metadata to allow for fine-grained RBAC based on route type (https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#config-route-v3-route). Currently the RBAC filter only supports matching on dynamic metadata which is added by previous filters or based on headers, and while we could rewrite route metadata to dynamic metadata by using the Lua filter, we would like to avoid coupling the two filters together.
This is similar to #13269, which adds support for deriving ratelimit descriptors in the ratelimit filter from route metadata.
The approach would be:
- add another field to the RBAC Principal / Permission protobufs to specify fetching the request's dynamic metadata or from the route metadata
- update the `MetadataMatcher` to use `info.route()->metadata()` instead if the metadata source is set to `route`,
envoy/source/extensions/filters/common/rbac/matchers.cc, line 251 in d79f6e8
We can prepare a patch for this if it sounds reasonable.
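A minimal model of the approach described above, added here as an illustration and not code from Envoy or from the issue author: `MetadataSource`, `StreamInfo`, `Route` and the `example.rbac` namespace are simplified, hypothetical stand-ins for the real types. It also covers a request with no matched route, where there is no route metadata to read.

```cpp
#include <map>
#include <memory>
#include <string>

// Simplified stand-ins for Envoy types (hypothetical, not Envoy's classes).
// Metadata is modelled as filter namespace -> key -> string value.
using Metadata = std::map<std::string, std::map<std::string, std::string>>;

struct Route { Metadata metadata; };

struct StreamInfo {
  Metadata dynamic_metadata;     // written by earlier filters for this request
  std::shared_ptr<Route> route;  // null when no route matched the request
};

// The proposed selector: which metadata the matcher reads (assumed names).
enum class MetadataSource { Dynamic, Route };

struct MetadataMatcher {
  MetadataSource source;
  std::string filter_ns, key, expected;

  bool matches(const StreamInfo& info) const {
    const Metadata* md = &info.dynamic_metadata;
    if (source == MetadataSource::Route) {
      // Without a matched route there is no route metadata: report
      // "no match" instead of dereferencing a null route.
      if (!info.route) return false;
      md = &info.route->metadata;
    }
    auto ns = md->find(filter_ns);
    if (ns == md->end()) return false;
    auto kv = ns->second.find(key);
    return kv != ns->second.end() && kv->second == expected;
  }
};

// Constructed sample: a request matched to a route tagged route_type=internal,
// with no dynamic metadata set by earlier filters.
inline StreamInfo sampleRequest() {
  StreamInfo info;
  info.route = std::make_shared<Route>();
  info.route->metadata["example.rbac"]["route_type"] = "internal";
  return info;
}
```

Because a missing route yields "no match", an ALLOW policy keyed on route metadata rejects such requests, while a DENY policy keyed on it does not fire for them.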