Class RBAC.Builder

  • All Implemented Interfaces:
    com.google.protobuf.Message.Builder, com.google.protobuf.MessageLite.Builder, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, RBACOrBuilder, java.lang.Cloneable
    Enclosing class:
    RBAC

    public static final class RBAC.Builder
    extends com.google.protobuf.GeneratedMessage.Builder<RBAC.Builder>
    implements RBACOrBuilder
     Role Based Access Control (RBAC) provides service-level and method-level access control for a
     service. Requests are allowed or denied based on the ``action`` and whether a matching policy is
     found. For instance, if the action is ALLOW and a matching policy is found the request should be
     allowed.
    
     RBAC can also be used to make access logging decisions by communicating with access loggers
     through dynamic metadata. When the action is LOG and at least one policy matches, the
     ``access_log_hint`` value in the shared key namespace 'envoy.common' is set to ``true`` indicating
     the request should be logged.
    
     Here is an example of RBAC configuration. It has two policies:
    
     * Service account ``cluster.local/ns/default/sa/admin`` has full access to the service, and so
     does ``cluster.local/ns/default/sa/superuser``.
    
     * Any user can read (``GET``) the service at paths with prefix ``/products``, so long as the
     destination port is either 80 or 443.
    
     .. code-block:: yaml
    
       action: ALLOW
       policies:
         "service-admin":
           permissions:
             - any: true
           principals:
             - authenticated:
                 principal_name:
                   exact: "cluster.local/ns/default/sa/admin"
             - authenticated:
                 principal_name:
                   exact: "cluster.local/ns/default/sa/superuser"
         "product-viewer":
           permissions:
             - and_rules:
                 rules:
                   - header:
                       name: ":method"
                       string_match:
                         exact: "GET"
                   - url_path:
                       path: { prefix: "/products" }
                   - or_rules:
                       rules:
                         - destination_port: 80
                         - destination_port: 443
           principals:
             - any: true
     
    Protobuf type envoy.config.rbac.v3.RBAC
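
Added example (not part of the generated Javadoc or of the Envoy project's code): the two-policy configuration above built with this builder, showing how the nested ``and_rules`` / ``or_rules`` sets map onto builder calls. The `io.envoyproxy.envoy...` package names are assumed from the usual Java packaging of the Envoy API, and the class and helper names (`RbacBuilderExample`, `serviceAccount`, `port`) are hypothetical.

```java
import io.envoyproxy.envoy.config.rbac.v3.*; // RBAC, Policy, Permission, Principal (assumed package)
import io.envoyproxy.envoy.config.route.v3.HeaderMatcher;
import io.envoyproxy.envoy.type.matcher.v3.PathMatcher;
import io.envoyproxy.envoy.type.matcher.v3.StringMatcher;

public final class RbacBuilderExample {
  // Principal that matches one authenticated service account by exact name.
  static Principal serviceAccount(String name) {
    return Principal.newBuilder()
        .setAuthenticated(Principal.Authenticated.newBuilder()
            .setPrincipalName(StringMatcher.newBuilder().setExact(name)))
        .build();
  }
  static Permission port(int p) {
    return Permission.newBuilder().setDestinationPort(p).build();
  }

  static RBAC buildExample() {
    // "service-admin": either service account may do anything.
    Policy serviceAdmin = Policy.newBuilder()
        .addPermissions(Permission.newBuilder().setAny(true))
        .addPrincipals(serviceAccount("cluster.local/ns/default/sa/admin"))
        .addPrincipals(serviceAccount("cluster.local/ns/default/sa/superuser"))
        .build();
    Permission isGet = Permission.newBuilder()
        .setHeader(HeaderMatcher.newBuilder()
            .setName(":method")
            .setStringMatch(StringMatcher.newBuilder().setExact("GET")))
        .build();
    Permission underProducts = Permission.newBuilder()
        .setUrlPath(PathMatcher.newBuilder()
            .setPath(StringMatcher.newBuilder().setPrefix("/products")))
        .build();
    Permission port80or443 = Permission.newBuilder()
        .setOrRules(Permission.Set.newBuilder().addRules(port(80)).addRules(port(443)))
        .build();
    // "product-viewer": any principal, but only GET + /products prefix + port 80 or 443.
    Policy productViewer = Policy.newBuilder()
        .addPermissions(Permission.newBuilder()
            .setAndRules(Permission.Set.newBuilder()
                .addRules(isGet).addRules(underProducts).addRules(port80or443)))
        .addPrincipals(Principal.newBuilder().setAny(true))
        .build();
    // Action ALLOW: a request that matches neither policy is denied.
    return RBAC.newBuilder()
        .setAction(RBAC.Action.ALLOW)
        .putPolicies("service-admin", serviceAdmin)
        .putPolicies("product-viewer", productViewer)
        .build();
  }

  public static void main(String[] args) {
    System.out.println(buildExample()); // prints the message in protobuf text format
  }
}
```

The order of the `putPolicies` calls does not affect evaluation, since policies are evaluated in lexicographic order of the policy name.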
    • Constructor Detail

      • Builder

        private Builder()
      • Builder

        private Builder​(com.google.protobuf.AbstractMessage.BuilderParent parent)
    • Method Detail

      • getDescriptor

        public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()
      • internalGetMapFieldReflection

        protected com.google.protobuf.MapFieldReflectionAccessor internalGetMapFieldReflection​(int number)
        Overrides:
        internalGetMapFieldReflection in class com.google.protobuf.GeneratedMessage.Builder<RBAC.Builder>
      • internalGetMutableMapFieldReflection

        protected com.google.protobuf.MapFieldReflectionAccessor internalGetMutableMapFieldReflection​(int number)
        Overrides:
        internalGetMutableMapFieldReflection in class com.google.protobuf.GeneratedMessage.Builder<RBAC.Builder>
      • internalGetFieldAccessorTable

        protected com.google.protobuf.GeneratedMessage.FieldAccessorTable internalGetFieldAccessorTable()
        Specified by:
        internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessage.Builder<RBAC.Builder>
      • maybeForceBuilderInitialization

        private void maybeForceBuilderInitialization()
      • clear

        public RBAC.Builder clear()
        Specified by:
        clear in interface com.google.protobuf.Message.Builder
        Specified by:
        clear in interface com.google.protobuf.MessageLite.Builder
        Overrides:
        clear in class com.google.protobuf.GeneratedMessage.Builder<RBAC.Builder>
      • getDescriptorForType

        public com.google.protobuf.Descriptors.Descriptor getDescriptorForType()
        Specified by:
        getDescriptorForType in interface com.google.protobuf.Message.Builder
        Specified by:
        getDescriptorForType in interface com.google.protobuf.MessageOrBuilder
        Overrides:
        getDescriptorForType in class com.google.protobuf.GeneratedMessage.Builder<RBAC.Builder>
      • getDefaultInstanceForType

        public RBAC getDefaultInstanceForType()
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder
      • build

        public RBAC build()
        Specified by:
        build in interface com.google.protobuf.Message.Builder
        Specified by:
        build in interface com.google.protobuf.MessageLite.Builder
      • buildPartial

        public RBAC buildPartial()
        Specified by:
        buildPartial in interface com.google.protobuf.Message.Builder
        Specified by:
        buildPartial in interface com.google.protobuf.MessageLite.Builder
      • buildPartial0

        private void buildPartial0​(RBAC result)
      • mergeFrom

        public RBAC.Builder mergeFrom​(com.google.protobuf.Message other)
        Specified by:
        mergeFrom in interface com.google.protobuf.Message.Builder
        Overrides:
        mergeFrom in class com.google.protobuf.AbstractMessage.Builder<RBAC.Builder>
      • isInitialized

        public final boolean isInitialized()
        Specified by:
        isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
        Overrides:
        isInitialized in class com.google.protobuf.GeneratedMessage.Builder<RBAC.Builder>
      • mergeFrom

        public RBAC.Builder mergeFrom​(com.google.protobuf.CodedInputStream input,
                                      com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                               throws java.io.IOException
        Specified by:
        mergeFrom in interface com.google.protobuf.Message.Builder
        Specified by:
        mergeFrom in interface com.google.protobuf.MessageLite.Builder
        Overrides:
        mergeFrom in class com.google.protobuf.AbstractMessage.Builder<RBAC.Builder>
        Throws:
        java.io.IOException
      • getActionValue

        public int getActionValue()
         The action to take if a policy matches. Every action either allows or denies a request,
         and can also carry out action-specific operations.
        
         Actions:
        
         * ``ALLOW``: Allows the request if and only if there is a policy that matches
         the request.
         * ``DENY``: Allows the request if and only if there are no policies that
         match the request.
         * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
         metadata key ``access_log_hint`` is set to the value ``true`` under the shared
         key namespace ``envoy.common``. If no policies match, it is set to ``false``.
         Other actions do not modify this key.
         
        .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
        Specified by:
        getActionValue in interface RBACOrBuilder
        Returns:
        The enum numeric value on the wire for action.
      • setActionValue

        public RBAC.Builder setActionValue​(int value)
         The action to take if a policy matches. Every action either allows or denies a request,
         and can also carry out action-specific operations.
        
         Actions:
        
         * ``ALLOW``: Allows the request if and only if there is a policy that matches
         the request.
         * ``DENY``: Allows the request if and only if there are no policies that
         match the request.
         * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
         metadata key ``access_log_hint`` is set to the value ``true`` under the shared
         key namespace ``envoy.common``. If no policies match, it is set to ``false``.
         Other actions do not modify this key.
         
        .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
        Parameters:
        value - The enum numeric value on the wire for action to set.
        Returns:
        This builder for chaining.
      • getAction

        public RBAC.Action getAction()
         The action to take if a policy matches. Every action either allows or denies a request,
         and can also carry out action-specific operations.
        
         Actions:
        
         * ``ALLOW``: Allows the request if and only if there is a policy that matches
         the request.
         * ``DENY``: Allows the request if and only if there are no policies that
         match the request.
         * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
         metadata key ``access_log_hint`` is set to the value ``true`` under the shared
         key namespace ``envoy.common``. If no policies match, it is set to ``false``.
         Other actions do not modify this key.
         
        .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
        Specified by:
        getAction in interface RBACOrBuilder
        Returns:
        The action.
      • setAction

        public RBAC.Builder setAction​(RBAC.Action value)
         The action to take if a policy matches. Every action either allows or denies a request,
         and can also carry out action-specific operations.
        
         Actions:
        
         * ``ALLOW``: Allows the request if and only if there is a policy that matches
         the request.
         * ``DENY``: Allows the request if and only if there are no policies that
         match the request.
         * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
         metadata key ``access_log_hint`` is set to the value ``true`` under the shared
         key namespace ``envoy.common``. If no policies match, it is set to ``false``.
         Other actions do not modify this key.
         
        .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
        Parameters:
        value - The action to set.
        Returns:
        This builder for chaining.
      • clearAction

        public RBAC.Builder clearAction()
         The action to take if a policy matches. Every action either allows or denies a request,
         and can also carry out action-specific operations.
        
         Actions:
        
         * ``ALLOW``: Allows the request if and only if there is a policy that matches
         the request.
         * ``DENY``: Allows the request if and only if there are no policies that
         match the request.
         * ``LOG``: Allows all requests. If at least one policy matches, the dynamic
         metadata key ``access_log_hint`` is set to the value ``true`` under the shared
         key namespace ``envoy.common``. If no policies match, it is set to ``false``.
         Other actions do not modify this key.
         
        .envoy.config.rbac.v3.RBAC.Action action = 1 [(.validate.rules) = { ... }
        Returns:
        This builder for chaining.
      • getPoliciesCount

        public int getPoliciesCount()
        Description copied from interface: RBACOrBuilder
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        getPoliciesCount in interface RBACOrBuilder
      • containsPolicies

        public boolean containsPolicies​(java.lang.String key)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        containsPolicies in interface RBACOrBuilder
      • getPoliciesMap

        public java.util.Map<java.lang.String,​Policy> getPoliciesMap()
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        getPoliciesMap in interface RBACOrBuilder
      • getPoliciesOrDefault

        public Policy getPoliciesOrDefault​(java.lang.String key,
                                           Policy defaultValue)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        getPoliciesOrDefault in interface RBACOrBuilder
      • getPoliciesOrThrow

        public Policy getPoliciesOrThrow​(java.lang.String key)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
        Specified by:
        getPoliciesOrThrow in interface RBACOrBuilder
      • removePolicies

        public RBAC.Builder removePolicies​(java.lang.String key)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      • getMutablePolicies

        @Deprecated
        public java.util.Map<java.lang.String,​Policy> getMutablePolicies()
        Deprecated.
        Use alternate mutation accessors instead.
      • putPolicies

        public RBAC.Builder putPolicies​(java.lang.String key,
                                        Policy value)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      • putAllPolicies

        public RBAC.Builder putAllPolicies​(java.util.Map<java.lang.String,​Policy> values)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      • putPoliciesBuilderIfAbsent

        public Policy.Builder putPoliciesBuilderIfAbsent​(java.lang.String key)
         Maps from policy name to policy. A match occurs when at least one policy matches the request.
         The policies are evaluated in lexicographic order of the policy name.
         
        map<string, .envoy.config.rbac.v3.Policy> policies = 2;
      • hasAuditLoggingOptions

        public boolean hasAuditLoggingOptions()
         Audit logging options that include the condition for audit logging to happen
         and audit logger configurations.
        
         [#not-implemented-hide:]
         
        .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
        Specified by:
        hasAuditLoggingOptions in interface RBACOrBuilder
        Returns:
        Whether the auditLoggingOptions field is set.
      • getAuditLoggingOptions

        public RBAC.AuditLoggingOptions getAuditLoggingOptions()
         Audit logging options that include the condition for audit logging to happen
         and audit logger configurations.
        
         [#not-implemented-hide:]
         
        .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
        Specified by:
        getAuditLoggingOptions in interface RBACOrBuilder
        Returns:
        The auditLoggingOptions.
      • setAuditLoggingOptions

        public RBAC.Builder setAuditLoggingOptions​(RBAC.AuditLoggingOptions value)
         Audit logging options that include the condition for audit logging to happen
         and audit logger configurations.
        
         [#not-implemented-hide:]
         
        .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
      • setAuditLoggingOptions

        public RBAC.Builder setAuditLoggingOptions​(RBAC.AuditLoggingOptions.Builder builderForValue)
         Audit logging options that include the condition for audit logging to happen
         and audit logger configurations.
        
         [#not-implemented-hide:]
         
        .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
      • mergeAuditLoggingOptions

        public RBAC.Builder mergeAuditLoggingOptions​(RBAC.AuditLoggingOptions value)
         Audit logging options that include the condition for audit logging to happen
         and audit logger configurations.
        
         [#not-implemented-hide:]
         
        .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
      • clearAuditLoggingOptions

        public RBAC.Builder clearAuditLoggingOptions()
         Audit logging options that include the condition for audit logging to happen
         and audit logger configurations.
        
         [#not-implemented-hide:]
         
        .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
      • getAuditLoggingOptionsBuilder

        public RBAC.AuditLoggingOptions.Builder getAuditLoggingOptionsBuilder()
         Audit logging options that include the condition for audit logging to happen
         and audit logger configurations.
        
         [#not-implemented-hide:]
         
        .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
      • getAuditLoggingOptionsOrBuilder

        public RBAC.AuditLoggingOptionsOrBuilder getAuditLoggingOptionsOrBuilder()
         Audit logging options that include the condition for audit logging to happen
         and audit logger configurations.
        
         [#not-implemented-hide:]
         
        .envoy.config.rbac.v3.RBAC.AuditLoggingOptions audit_logging_options = 3;
        Specified by:
        getAuditLoggingOptionsOrBuilder in interface RBACOrBuilder