Class RBAC

  • All Implemented Interfaces:
    com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, RBACOrBuilder, java.io.Serializable

    public final class RBAC
    extends com.google.protobuf.GeneratedMessage
    implements RBACOrBuilder
     Role Based Access Control (RBAC) provides service-level and method-level access control for a
     service. Requests are allowed or denied based on the ``action`` and whether a matching policy is
     found. For instance, if the action is ALLOW and a matching policy is found the request should be
     allowed.
    
     RBAC can also be used to make access logging decisions by communicating with access loggers
     through dynamic metadata. When the action is LOG and at least one policy matches, the
     ``access_log_hint`` value in the shared key namespace 'envoy.common' is set to ``true`` indicating
     the request should be logged.
    
     Here is an example of RBAC configuration. It has two policies:
    
     * Service account ``cluster.local/ns/default/sa/admin`` has full access to the service, and so
     does ``cluster.local/ns/default/sa/superuser``.
    
     * Any user can read (``GET``) the service at paths with prefix ``/products``, so long as the
     destination port is either 80 or 443.
    
     .. code-block:: yaml
    
       action: ALLOW
       policies:
         "service-admin":
           permissions:
             - any: true
           principals:
             - authenticated:
                 principal_name:
                   exact: "cluster.local/ns/default/sa/admin"
             - authenticated:
                 principal_name:
                   exact: "cluster.local/ns/default/sa/superuser"
         "product-viewer":
           permissions:
             - and_rules:
                 rules:
                   - header:
                       name: ":method"
                       string_match:
                         exact: "GET"
                   - url_path:
                       path: { prefix: "/products" }
                   - or_rules:
                       rules:
                         - destination_port: 80
                         - destination_port: 443
           principals:
             - any: true
     
    Protobuf type envoy.config.rbac.v3.RBAC
    See Also:
    Serialized Form
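
The decision rules documented for ``action`` (ALLOW, DENY, LOG) and the lexicographic evaluation order documented for ``policies``, worked through as an added example; this is not code from Envoy or from this generated API. It assumes Java 16+ and that the generated classes live in package ``io.envoyproxy.envoy.config.rbac.v3``; ``RbacDecisionExample``, ``Decision``, ``decide`` and the ``matcher`` predicate are hypothetical names, with the predicate standing in for Envoy's real permission and principal matching.

```java
import io.envoyproxy.envoy.config.rbac.v3.Policy; // assumed package of the generated classes
import io.envoyproxy.envoy.config.rbac.v3.RBAC;

import java.util.Map;
import java.util.Optional;
import java.util.TreeMap;
import java.util.function.BiPredicate;

/** Added illustration: turns "did any policy match?" into the outcome the class documentation describes. */
public final class RbacDecisionExample {

    /** accessLogHint is present only for LOG, the one action documented as writing that key. */
    record Decision(boolean allowed, Optional<String> matchedPolicy, Optional<Boolean> accessLogHint) {}

    /**
     * @param matcher hypothetical stand-in for Envoy's matching: receives (policy name, policy)
     *                and reports whether the current request matches that policy.
     */
    static Decision decide(RBAC rbac, BiPredicate<String, Policy> matcher) {
        // Policies are evaluated in lexicographic order of the policy name; report the first match.
        Map<String, Policy> ordered = new TreeMap<>(rbac.getPoliciesMap());
        Optional<String> matched = ordered.entrySet().stream()
                .filter(e -> matcher.test(e.getKey(), e.getValue()))
                .map(Map.Entry::getKey)
                .findFirst();

        switch (rbac.getAction()) {
            case ALLOW: // allowed if and only if some policy matches
                return new Decision(matched.isPresent(), matched, Optional.empty());
            case DENY:  // allowed if and only if no policy matches
                return new Decision(matched.isEmpty(), matched, Optional.empty());
            case LOG:   // always allowed; the match only drives access_log_hint
                return new Decision(true, matched, Optional.of(matched.isPresent()));
            default:    // UNRECOGNIZED wire value: failing closed is this example's choice
                return new Decision(false, matched, Optional.empty());
        }
    }

    public static void main(String[] args) {
        // Constructed placeholder; real policies carry permissions and principals.
        Policy empty = Policy.getDefaultInstance();
        BiPredicate<String, Policy> onlyViewerMatches = (name, p) -> name.equals("product-viewer");
        BiPredicate<String, Policy> nothingMatches = (name, p) -> false;

        for (RBAC.Action action : new RBAC.Action[] {RBAC.Action.ALLOW, RBAC.Action.DENY, RBAC.Action.LOG}) {
            RBAC twoPolicies = RBAC.newBuilder()
                    .setAction(action)
                    .putPolicies("service-admin", empty)
                    .putPolicies("product-viewer", empty)
                    .build();
            RBAC noPolicies = RBAC.newBuilder().setAction(action).build();

            System.out.println(action + " match:       " + decide(twoPolicies, onlyViewerMatches));
            System.out.println(action + " no match:    " + decide(twoPolicies, nothingMatches));
            // Edge case: an empty policy map never matches, so ALLOW rejects every
            // request and DENY admits every request.
            System.out.println(action + " no policies: " + decide(noPolicies, onlyViewerMatches));
        }
    }
}
```

The empty-map case is the one to check in review: a DENY filter whose policies were dropped or failed to load admits every request, while an ALLOW filter in the same state rejects every request.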
    • Nested Class Summary

      Nested Classes 
      Modifier and Type Class Description
      static class  RBAC.Action
      Should we do safe-list or block-list style access control?
      static class  RBAC.AuditLoggingOptions
      Protobuf type envoy.config.rbac.v3.RBAC.AuditLoggingOptions
      static interface  RBAC.AuditLoggingOptionsOrBuilder  
      static class  RBAC.Builder
      Role Based Access Control (RBAC) provides service-level and method-level access control for a service.
      private static class  RBAC.PoliciesDefaultEntryHolder  
      • Nested classes/interfaces inherited from class com.google.protobuf.GeneratedMessage

        com.google.protobuf.GeneratedMessage.ExtendableBuilder<MessageT extends com.google.protobuf.GeneratedMessage.ExtendableMessage<MessageT>,​BuilderT extends com.google.protobuf.GeneratedMessage.ExtendableBuilder<MessageT,​BuilderT>>, com.google.protobuf.GeneratedMessage.ExtendableMessage<MessageT extends com.google.protobuf.GeneratedMessage.ExtendableMessage<MessageT>>, com.google.protobuf.GeneratedMessage.ExtendableMessageOrBuilder<MessageT extends com.google.protobuf.GeneratedMessage.ExtendableMessage<MessageT>>, com.google.protobuf.GeneratedMessage.FieldAccessorTable, com.google.protobuf.GeneratedMessage.GeneratedExtension<ContainingT extends com.google.protobuf.Message,​T extends java.lang.Object>, com.google.protobuf.GeneratedMessage.UnusedPrivateParameter
      • Nested classes/interfaces inherited from class com.google.protobuf.AbstractMessage

        com.google.protobuf.AbstractMessage.BuilderParent
      • Nested classes/interfaces inherited from class com.google.protobuf.AbstractMessageLite

        com.google.protobuf.AbstractMessageLite.InternalOneOfEnum
    • Constructor Summary

      Constructors 
      Modifier Constructor Description
      private RBAC()  
      private RBAC​(com.google.protobuf.GeneratedMessage.Builder<?> builder)  
    • Method Summary

      Modifier and Type Method Description
      boolean containsPolicies​(java.lang.String key)
      Maps from policy name to policy.
      boolean equals​(java.lang.Object obj)  
      RBAC.Action getAction()
      The action to take if a policy matches.
      int getActionValue()
      The action to take if a policy matches.
      RBAC.AuditLoggingOptions getAuditLoggingOptions()
      Audit logging options that include the condition for audit logging to happen and audit logger configurations.
      RBAC.AuditLoggingOptionsOrBuilder getAuditLoggingOptionsOrBuilder()
      Audit logging options that include the condition for audit logging to happen and audit logger configurations.
      static RBAC getDefaultInstance()  
      RBAC getDefaultInstanceForType()  
      static com.google.protobuf.Descriptors.Descriptor getDescriptor()  
      com.google.protobuf.Parser<RBAC> getParserForType()  
      java.util.Map<java.lang.String,​Policy> getPolicies()
      Deprecated.
      int getPoliciesCount()
      Maps from policy name to policy.
      java.util.Map<java.lang.String,​Policy> getPoliciesMap()
      Maps from policy name to policy.
      Policy getPoliciesOrDefault​(java.lang.String key, Policy defaultValue)
      Maps from policy name to policy.
      Policy getPoliciesOrThrow​(java.lang.String key)
      Maps from policy name to policy.
      int getSerializedSize()  
      boolean hasAuditLoggingOptions()
      Audit logging options that include the condition for audit logging to happen and audit logger configurations.
      int hashCode()  
      protected com.google.protobuf.GeneratedMessage.FieldAccessorTable internalGetFieldAccessorTable()  
      protected com.google.protobuf.MapFieldReflectionAccessor internalGetMapFieldReflection​(int number)  
      private com.google.protobuf.MapField<java.lang.String,​Policy> internalGetPolicies()  
      boolean isInitialized()  
      static RBAC.Builder newBuilder()  
      static RBAC.Builder newBuilder​(RBAC prototype)  
      RBAC.Builder newBuilderForType()  
      protected RBAC.Builder newBuilderForType​(com.google.protobuf.AbstractMessage.BuilderParent parent)  
      static RBAC parseDelimitedFrom​(java.io.InputStream input)  
      static RBAC parseDelimitedFrom​(java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)  
      static RBAC parseFrom​(byte[] data)  
      static RBAC parseFrom​(byte[] data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)  
      static RBAC parseFrom​(com.google.protobuf.ByteString data)  
      static RBAC parseFrom​(com.google.protobuf.ByteString data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)  
      static RBAC parseFrom​(com.google.protobuf.CodedInputStream input)  
      static RBAC parseFrom​(com.google.protobuf.CodedInputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)  
      static RBAC parseFrom​(java.io.InputStream input)  
      static RBAC parseFrom​(java.io.InputStream input, com.google.protobuf.ExtensionRegistryLite extensionRegistry)  
      static RBAC parseFrom​(java.nio.ByteBuffer data)  
      static RBAC parseFrom​(java.nio.ByteBuffer data, com.google.protobuf.ExtensionRegistryLite extensionRegistry)  
      static com.google.protobuf.Parser<RBAC> parser()  
      RBAC.Builder toBuilder()  
      void writeTo​(com.google.protobuf.CodedOutputStream output)  
      • Methods inherited from class com.google.protobuf.GeneratedMessage

        canUseUnsafe, computeStringSize, computeStringSizeNoTag, emptyBooleanList, emptyDoubleList, emptyFloatList, emptyIntList, emptyList, emptyLongList, getAllFields, getDescriptorForType, getField, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof, internalGetMapField, isStringEmpty, makeMutableCopy, makeMutableCopy, mergeFromAndMakeImmutableInternal, newFileScopedGeneratedExtension, newInstance, newMessageScopedGeneratedExtension, parseDelimitedWithIOException, parseDelimitedWithIOException, parseUnknownField, parseUnknownFieldProto3, parseWithIOException, parseWithIOException, parseWithIOException, parseWithIOException, serializeBooleanMapTo, serializeIntegerMapTo, serializeLongMapTo, serializeStringMapTo, writeReplace, writeString, writeStringNoTag
      • Methods inherited from class com.google.protobuf.AbstractMessage

        findInitializationErrors, getInitializationErrorString, hashFields, toString
      • Methods inherited from class com.google.protobuf.AbstractMessageLite

        addAll, checkByteStringIsUtf8, toByteArray, toByteString, writeDelimitedTo, writeTo
      • Methods inherited from class java.lang.Object

        clone, finalize, getClass, notify, notifyAll, wait, wait, wait
      • Methods inherited from interface com.google.protobuf.MessageLite

        toByteArray, toByteString, writeDelimitedTo, writeTo
      • Methods inherited from interface com.google.protobuf.MessageOrBuilder

        findInitializationErrors, getAllFields, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof
    • Field Detail

      • bitField0_

        private int bitField0_
      • action_

        private int action_
      • policies_

        private com.google.protobuf.MapField<java.lang.String,​Policy> policies_
      • AUDIT_LOGGING_OPTIONS_FIELD_NUMBER

        public static final int AUDIT_LOGGING_OPTIONS_FIELD_NUMBER
        See Also:
        Constant Field Values
      • memoizedIsInitialized

        private byte memoizedIsInitialized
      • DEFAULT_INSTANCE

        private static final RBAC DEFAULT_INSTANCE
      • PARSER

        private static final com.google.protobuf.Parser<RBAC> PARSER
    • Constructor Detail

      • RBAC

        private RBAC​(com.google.protobuf.GeneratedMessage.Builder<?> builder)
      • RBAC

        private RBAC()
    • Method Detail

      • getDescriptor

        public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()
      • internalGetMapFieldReflection

        protected com.google.protobuf.MapFieldReflectionAccessor internalGetMapFieldReflection​(int number)
        Overrides:
        internalGetMapFieldReflection in class com.google.protobuf.GeneratedMessage
      • internalGetFieldAccessorTable

        protected com.google.protobuf.GeneratedMessage.FieldAccessorTable internalGetFieldAccessorTable()
        Specified by:
        internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessage
      • getActionValue

        public int getActionValue()
         The action to take if a policy matches. Every action either allows or denies a request,
         and can also carry out action-specific operations.
        
         Actions:
        
         * ``ALLOW``: Allows the request if and only if there is a policy that matches
         the request.
         * ``DENY``: Allows the request if and only if there are no policies that
         match the request.
         * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
         metadata key ``access_log_hint`` is set to the value ``true`` under the shared
         key namespace ``envoy.common``. If no policies match, it is set to ``false``.
         Other actions do not modify this key.
         
        .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
        Specified by:
        getActionValue in interface RBACOrBuilder
        Returns:
        The enum numeric value on the wire for action.
      • getAction

        public RBAC.Action getAction()
         The action to take if a policy matches. Every action either allows or denies a request,
         and can also carry out action-specific operations.
        
         Actions:
        
         * ``ALLOW``: Allows the request if and only if there is a policy that matches
         the request.
         * ``DENY``: Allows the request if and only if there are no policies that
         match the request.
         * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
         metadata key ``access_log_hint`` is set to the value ``true`` under the shared
         key namespace ``envoy.common``. If no policies match, it is set to ``false``.
         Other actions do not modify this key.
         
        .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
        Specified by:
        getAction in interface RBACOrBuilder
        Returns:
        The action.
      • internalGetPolicies

        private com.google.protobuf.MapField<java.lang.String,​Policy> internalGetPolicies()
      • getPoliciesCount

        public int getPoliciesCount()
        Description copied from interface: RBACOrBuilder
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        getPoliciesCount in interface RBACOrBuilder
      • containsPolicies

        public boolean containsPolicies​(java.lang.String key)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        containsPolicies in interface RBACOrBuilder
      • getPoliciesMap

        public java.util.Map<java.lang.String,​Policy> getPoliciesMap()
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        getPoliciesMap in interface RBACOrBuilder
      • getPoliciesOrDefault

        public Policy getPoliciesOrDefault​(java.lang.String key,
                                           Policy defaultValue)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        getPoliciesOrDefault in interface RBACOrBuilder
      • getPoliciesOrThrow

        public Policy getPoliciesOrThrow​(java.lang.String key)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        getPoliciesOrThrow in interface RBACOrBuilder
      • hasAuditLoggingOptions

        public boolean hasAuditLoggingOptions()
         Audit logging options that include the condition for audit logging to happen
         and audit logger configurations.
        
         [#not-implemented-hide:]
         
        .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
        Specified by:
        hasAuditLoggingOptions in interface RBACOrBuilder
        Returns:
        Whether the auditLoggingOptions field is set.
      • getAuditLoggingOptions

        public RBAC.AuditLoggingOptions getAuditLoggingOptions()
         Audit logging options that include the condition for audit logging to happen
         and audit logger configurations.
        
         [#not-implemented-hide:]
         
        .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
        Specified by:
        getAuditLoggingOptions in interface RBACOrBuilder
        Returns:
        The auditLoggingOptions.
      • getAuditLoggingOptionsOrBuilder

        public RBAC.AuditLoggingOptionsOrBuilder getAuditLoggingOptionsOrBuilder()
         Audit logging options that include the condition for audit logging to happen
         and audit logger configurations.
        
         [#not-implemented-hide:]
         
        .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
        Specified by:
        getAuditLoggingOptionsOrBuilder in interface RBACOrBuilder
      • isInitialized

        public final boolean isInitialized()
        Specified by:
        isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
        Overrides:
        isInitialized in class com.google.protobuf.GeneratedMessage
      • writeTo

        public void writeTo​(com.google.protobuf.CodedOutputStream output)
                     throws java.io.IOException
        Specified by:
        writeTo in interface com.google.protobuf.MessageLite
        Overrides:
        writeTo in class com.google.protobuf.GeneratedMessage
        Throws:
        java.io.IOException
      • getSerializedSize

        public int getSerializedSize()
        Specified by:
        getSerializedSize in interface com.google.protobuf.MessageLite
        Overrides:
        getSerializedSize in class com.google.protobuf.GeneratedMessage
      • equals

        public boolean equals​(java.lang.Object obj)
        Specified by:
        equals in interface com.google.protobuf.Message
        Overrides:
        equals in class com.google.protobuf.AbstractMessage
      • hashCode

        public int hashCode()
        Specified by:
        hashCode in interface com.google.protobuf.Message
        Overrides:
        hashCode in class com.google.protobuf.AbstractMessage
      • parseFrom

        public static RBAC parseFrom​(java.nio.ByteBuffer data)
                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static RBAC parseFrom​(java.nio.ByteBuffer data,
                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static RBAC parseFrom​(com.google.protobuf.ByteString data)
                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static RBAC parseFrom​(com.google.protobuf.ByteString data,
                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static RBAC parseFrom​(byte[] data)
                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static RBAC parseFrom​(byte[] data,
                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException
      • parseFrom

        public static RBAC parseFrom​(java.io.InputStream input)
                              throws java.io.IOException
        Throws:
        java.io.IOException
      • parseFrom

        public static RBAC parseFrom​(java.io.InputStream input,
                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                              throws java.io.IOException
        Throws:
        java.io.IOException
      • parseDelimitedFrom

        public static RBAC parseDelimitedFrom​(java.io.InputStream input)
                                       throws java.io.IOException
        Throws:
        java.io.IOException
      • parseDelimitedFrom

        public static RBAC parseDelimitedFrom​(java.io.InputStream input,
                                              com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                       throws java.io.IOException
        Throws:
        java.io.IOException
      • parseFrom

        public static RBAC parseFrom​(com.google.protobuf.CodedInputStream input)
                              throws java.io.IOException
        Throws:
        java.io.IOException
      • parseFrom

        public static RBAC parseFrom​(com.google.protobuf.CodedInputStream input,
                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                              throws java.io.IOException
        Throws:
        java.io.IOException
      • newBuilderForType

        public RBAC.Builder newBuilderForType()
        Specified by:
        newBuilderForType in interface com.google.protobuf.Message
        Specified by:
        newBuilderForType in interface com.google.protobuf.MessageLite
      • toBuilder

        public RBAC.Builder toBuilder()
        Specified by:
        toBuilder in interface com.google.protobuf.Message
        Specified by:
        toBuilder in interface com.google.protobuf.MessageLite
      • newBuilderForType

        protected RBAC.Builder newBuilderForType​(com.google.protobuf.AbstractMessage.BuilderParent parent)
        Overrides:
        newBuilderForType in class com.google.protobuf.AbstractMessage
      • getDefaultInstance

        public static RBAC getDefaultInstance()
      • parser

        public static com.google.protobuf.Parser<RBAC> parser()
      • getParserForType

        public com.google.protobuf.Parser<RBAC> getParserForType()
        Specified by:
        getParserForType in interface com.google.protobuf.Message
        Specified by:
        getParserForType in interface com.google.protobuf.MessageLite
        Overrides:
        getParserForType in class com.google.protobuf.GeneratedMessage
      • getDefaultInstanceForType

        public RBAC getDefaultInstanceForType()
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder