Package io.grpc.xds.internal.rbac.engine
Class GrpcAuthorizationEngine
java.lang.Object
io.grpc.xds.internal.rbac.engine.GrpcAuthorizationEngine
Implementation of gRPC server access control based on the Envoy RBAC protocol:
https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto
One GrpcAuthorizationEngine is initialized with one action type and a list of policies. Policies are examined sequentially, in order, in an any-match fashion, and the first policy that matches is returned. If no policy matches, the opposite action type is returned as the result.
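The evaluation order described above, modeled as an added example that is not grpc-java's own code. FirstMatchRbac, Policy, Decision and the Map-based request are hypothetical stand-ins for the engine, its policy matchers and the Metadata/ServerCall arguments (records need Java 16 or later).

```java
import java.util.List;
import java.util.Map;
import java.util.function.Predicate;

// Illustrative model only: every name here is hypothetical, not a grpc-java class.
public class FirstMatchRbac {
  enum Action { ALLOW, DENY }

  // A named policy wrapping a matcher over a simplified request (path, principal).
  record Policy(String name, Predicate<Map<String, String>> matcher) {}

  // Decision type plus the name of the policy that matched (null if none did).
  record Decision(Action action, String matchedPolicy) {}

  private final Action action;
  private final List<Policy> policies;

  FirstMatchRbac(Action action, List<Policy> policies) {
    this.action = action;
    this.policies = List.copyOf(policies);
  }

  Decision evaluate(Map<String, String> request) {
    for (Policy p : policies) {                 // sequential, in configured order
      if (p.matcher().test(request)) {
        return new Decision(action, p.name());  // first match decides
      }
    }
    // No policy matched: the result is the opposite of the configured action.
    return new Decision(action == Action.ALLOW ? Action.DENY : Action.ALLOW, null);
  }

  public static void main(String[] args) {
    Predicate<Map<String, String>> isAlice = r -> "alice".equals(r.get("principal"));
    List<Policy> policies = List.of(
        new Policy("admin-api", isAlice.and(r -> r.get("path").startsWith("/admin."))),
        new Policy("any-alice", isAlice));
    // Constructed sample requests: one matches both policies, one matches none.
    Map<String, String> matchesBoth = Map.of("path", "/admin.Users/Delete", "principal", "alice");
    Map<String, String> matchesNone = Map.of("path", "/admin.Users/Delete", "principal", "bob");

    for (Action a : Action.values()) {
      FirstMatchRbac engine = new FirstMatchRbac(a, policies);
      System.out.println(a + " engine, request matching both: " + engine.evaluate(matchesBoth));
      System.out.println(a + " engine, request matching none: " + engine.evaluate(matchesNone));
    }
  }
}
```

On a DENY engine, a request that matches no policy comes back as ALLOW, so a deny list must enumerate everything that should be blocked. An ALLOW engine with an empty policy list rejects every request.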

Nested Class Summary
Nested Classes
Modifier and Type | Class | Description
static enum | |
static class | | Always true matcher.
static class | |
static class | | Represents authorization config policy that the engine will evaluate against.
static class | | An authorization decision provides information about the decision type and the policy name identifier based on the authorization engine evaluation.
static class | |
static class | |
static class | |
static class | |
static class | |
private static final class | |
static class | | Negate matcher.
static interface | |
static class | |
static class | |
static class | | Implements a top level GrpcAuthorizationEngine.Matcher for a single RBAC policy configuration per Envoy protocol: https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/rbac/v3/rbac.proto#config-rbac-v3-policy.
static class | |
static class | |

Field Summary
Fields
Modifier and Type | Field | Description
private final GrpcAuthorizationEngine.AuthConfig | authConfig |
private static final Logger | log |

Constructor Summary
Constructors
Constructor | Description
 | Instantiated with Envoy policyMatcher configuration.

Method Summary
Modifier and Type | Method | Description
GrpcAuthorizationEngine.AuthDecision | evaluate(io.grpc.Metadata metadata, io.grpc.ServerCall<?, ?> serverCall) | Return the auth decision for the request argument against the policies.

Field Details
log
authConfig

Constructor Details
GrpcAuthorizationEngine
Instantiated with Envoy policyMatcher configuration.

Method Details
evaluate
public GrpcAuthorizationEngine.AuthDecision evaluate(io.grpc.Metadata metadata, io.grpc.ServerCall<?, ?> serverCall)
Return the auth decision for the request argument against the policies.