Role Based Access Control (RBAC)¶
config.rbac.v2alpha.RBAC¶
[config.rbac.v2alpha.RBAC proto]
Role Based Access Control (RBAC) provides service-level and method-level access control for a service. RBAC policies are additive. The policies are examined in order. A request is allowed once a matching policy is found (suppose the action is ALLOW).
Here is an example of RBAC configuration. It has two policies:
- Service account “cluster.local/ns/default/sa/admin” has full access (empty permission entry means full access) to the service.
- Any user (empty principal entry means any user) can read (“GET”) the service at paths with prefix “/products” or suffix “/reviews” when request header “version” set to either “v1” or “v2”.
action: ALLOW policies: "service-admin": permissions: - any: true principals: - authenticated: { name: "cluster.local/ns/default/sa/admin" } - authenticated: { name: "cluster.local/ns/default/sa/superuser" } "product-viewer": permissions: - and_rules: rules: - header: { name: ":method", exact_match: "GET" } - header: { name: ":path", regex_match: "/products(/.*)?" } - or_rules: rules: - destination_port: 80 - destination_port: 443 principals: - any: true
{
"action": "...",
"policies": "{...}"
}
- action
(config.rbac.v2alpha.RBAC.Action) The action to take if a policy matches. The request is allowed if and only if:
- action is “ALLOWED” and at least one policy matches
- action is “DENY” and none of the policies match
- policies
- (map<string, config.rbac.v2alpha.Policy>) Maps from policy name to policy. A match occurs when at least one policy matches the request.
Enum config.rbac.v2alpha.RBAC.Action¶
[config.rbac.v2alpha.RBAC.Action proto]
Should we do safe-list or block-list style access control?
- ALLOW
- (DEFAULT) The policies grant access to principals. The rest is denied. This is safe-list style access control. This is the default type.
- DENY
- The policies deny access to principals. The rest is allowed. This is block-list style access control.
config.rbac.v2alpha.Policy¶
[config.rbac.v2alpha.Policy proto]
Policy specifies a role and the principals that are assigned/denied the role. A policy matches if and only if at least one of its permissions match the action taking place AND at least one of its principals match the downstream.
{
"permissions": [],
"principals": []
}
- permissions
- (config.rbac.v2alpha.Permission, REQUIRED) Required. The set of permissions that define a role. Each permission is matched with OR semantics. To match all actions for this policy, a single Permission with the any field set to true should be used.
- principals
- (config.rbac.v2alpha.Principal, REQUIRED) Required. The set of principals that are assigned/denied the role based on “action”. Each principal is matched with OR semantics. To match all downstreams for this policy, a single Principal with the any field set to true should be used.
config.rbac.v2alpha.Permission¶
[config.rbac.v2alpha.Permission proto]
Permission defines an action (or actions) that a principal can take.
{
"and_rules": "{...}",
"or_rules": "{...}",
"any": "...",
"header": "{...}",
"destination_ip": "{...}",
"destination_port": "..."
}
- and_rules
(config.rbac.v2alpha.Permission.Set) A set of rules that all must match in order to define the action.
Precisely one of and_rules, or_rules, any, header, destination_ip, destination_port must be set.
- or_rules
(config.rbac.v2alpha.Permission.Set) A set of rules where at least one must match in order to define the action.
Precisely one of and_rules, or_rules, any, header, destination_ip, destination_port must be set.
- any
(bool) When any is set, it matches any action.
Precisely one of and_rules, or_rules, any, header, destination_ip, destination_port must be set.
- header
(route.HeaderMatcher) A header (or psuedo-header such as :path or :method) on the incoming HTTP request.
Precisely one of and_rules, or_rules, any, header, destination_ip, destination_port must be set.
- destination_ip
(core.CidrRange) A CIDR block that describes the destination IP.
Precisely one of and_rules, or_rules, any, header, destination_ip, destination_port must be set.
- destination_port
(uint32) A port number that describes the destination port connecting to.
Precisely one of and_rules, or_rules, any, header, destination_ip, destination_port must be set.
config.rbac.v2alpha.Permission.Set¶
[config.rbac.v2alpha.Permission.Set proto]
Used in the and_rules and or_rules fields in the rule oneof. Depending on the context, each are applied with the associated behavior.
{
"rules": []
}
- rules
- (config.rbac.v2alpha.Permission, REQUIRED)
config.rbac.v2alpha.Principal¶
[config.rbac.v2alpha.Principal proto]
Principal defines an identity or a group of identities for a downstream subject.
{
"and_ids": "{...}",
"or_ids": "{...}",
"any": "...",
"authenticated": "{...}",
"source_ip": "{...}",
"header": "{...}"
}
- and_ids
(config.rbac.v2alpha.Principal.Set) A set of identifiers that all must match in order to define the downstream.
Precisely one of and_ids, or_ids, any, authenticated, source_ip, header must be set.
- or_ids
(config.rbac.v2alpha.Principal.Set) A set of identifiers at least one must match in order to define the downstream.
Precisely one of and_ids, or_ids, any, authenticated, source_ip, header must be set.
- any
(bool) When any is set, it matches any downstream.
Precisely one of and_ids, or_ids, any, authenticated, source_ip, header must be set.
- authenticated
(config.rbac.v2alpha.Principal.Authenticated) Authenticated attributes that identify the downstream.
Precisely one of and_ids, or_ids, any, authenticated, source_ip, header must be set.
- source_ip
(core.CidrRange) A CIDR block that describes the downstream IP.
Precisely one of and_ids, or_ids, any, authenticated, source_ip, header must be set.
- header
(route.HeaderMatcher) A header (or psuedo-header such as :path or :method) on the incoming HTTP request.
Precisely one of and_ids, or_ids, any, authenticated, source_ip, header must be set.
config.rbac.v2alpha.Principal.Set¶
[config.rbac.v2alpha.Principal.Set proto]
Used in the and_ids and or_ids fields in the identifier oneof. Depending on the context, each are applied with the associated behavior.
{
"ids": []
}
- ids
- (config.rbac.v2alpha.Principal, REQUIRED)
config.rbac.v2alpha.Principal.Authenticated¶
[config.rbac.v2alpha.Principal.Authenticated proto]
Authentication attributes for a downstream.
{
"name": "..."
}
- name
- (string) The name of the principal. If set, the URI SAN is used from the certificate, otherwise the subject field is used. If unset, it applies to any user that is authenticated.