.. _arch_overview_rbac: Role Based Access Control ========================= * :ref:`Network filter configuration `. * :ref:`HTTP filter configuration `. The Role Based Access Control (RBAC) filter checks if the incoming request is authorized or not. Unlike external authorization, the check of RBAC filter happens in the Envoy process and is based on a list of policies from the filter config. The RBAC filter can be either configured as a :ref:`network filter `, or as a :ref:`HTTP filter ` or both. If the request is deemed unauthorized by the network filter then the connection will be closed. If the request is deemed unauthorized by the HTTP filter the request will be denied with 403 (Forbidden) response. Policy ------ The RBAC filter checks the request based on a list of :ref:`policies `. A policy consists of a list of :ref:`permissions ` and :ref:`principals `. The permission specifies the actions of the request, for example, the method and path of a HTTP request. The principal specifies the downstream client identities of the request, for example, the URI SAN of the downstream client certificate. A policy is matched if its permissions and principals are matched at the same time. Shadow Policy ------------- The filter can be configured with a :ref:`shadow policy ` that doesn't have any effect (i.e. not deny the request) but only emit stats and log the result. This is useful for testing a rule before applying in production. .. _arch_overview_condition: Condition --------- In addition to the pre-defined permissions and principals, a policy may optionally provide an authorization condition written in the `Common Expression Language `_. The condition specifies an extra clause that must be satisfied for the policy to match. For example, the following condition checks whether the request path starts with `/v1/`: .. code-block:: yaml call_expr: function: startsWith args: - select_expr: operand: ident_expr: name: request field: path - const_expr: string_value: /v1/ The following attributes are exposed to the language runtime: .. csv-table:: :header: Attribute, Type, Description :widths: 1, 1, 2 request.path, string, The path portion of the URL request.url_path, string, The path portion of the URL without the query string request.host, string, The host portion of the URL request.scheme, string, The scheme portion of the URL request.method, string, Request method request.headers, string map, All request headers request.referer, string, Referer request header request.useragent, string, User agent request header request.time, timestamp, Time of the first byte received request.duration, duration, Total duration of the request request.id, string, Request ID request.size, int, Size of the request body request.total_size, int, Total size of the request including the headers request.protocol, string, Request protocol e.g. "HTTP/2" response.code, int, Response HTTP status code response.code_details, string, Internal response code details (subject to change) response.grpc_status, int, Response gRPC status code response.headers, string map, All response headers response.trailers, string map, All response trailers response.size, int, Size of the response body response.total_size, int, Total size of the response including the approximate uncompressed size of the headers and the trailers response.flags, int, Additional details about the response beyond the standard response code source.address, string, Downstream connection remote address source.port, int, Downstream connection remote port destination.address, string, Downstream connection local address destination.port, int, Downstream connection local port metadata, :ref:`Metadata`, Dynamic metadata filter_state, map string to bytes, Filter state mapping data names to their serialized string value connection.mtls, bool, Indicates whether TLS is applied to the downstream connection and the peer ceritificate is presented connection.requested_server_name, string, Requested server name in the downstream TLS connection connection.tls_version, string, TLS version of the downstream TLS connection connection.subject_local_certificate, string, The subject field of the local certificate in the downstream TLS connection connection.subject_peer_certificate, string, The subject field of the peer certificate in the downstream TLS connection connection.dns_san_local_certificate, string, The first DNS entry in the SAN field of the local certificate in the downstream TLS connection connection.dns_san_peer_certificate, string, The first DNS entry in the SAN field of the peer certificate in the downstream TLS connection connection.uri_san_local_certificate, string, The first URI entry in the SAN field of the local certificate in the downstream TLS connection connection.uri_san_peer_certificate, string, The first URI entry in the SAN field of the peer certificate in the downstream TLS connection connection.id, uint, Downstream connection ID upstream.address, string, Upstream connection remote address upstream.port, int, Upstream connection remote port upstream.tls_version, string, TLS version of the upstream TLS connection upstream.subject_local_certificate, string, The subject field of the local certificate in the upstream TLS connection upstream.subject_peer_certificate, string, The subject field of the peer certificate in the upstream TLS connection upstream.dns_san_local_certificate, string, The first DNS entry in the SAN field of the local certificate in the upstream TLS connection upstream.dns_san_peer_certificate, string, The first DNS entry in the SAN field of the peer certificate in the upstream TLS connection upstream.uri_san_local_certificate, string, The first URI entry in the SAN field of the local certificate in the upstream TLS connection upstream.uri_san_peer_certificate, string, The first URI entry in the SAN field of the peer certificate in the upstream TLS connection upstream.local_address, string, The local address of the upstream connection upstream.transport_failure_reason, string, The upstream transport failure reason e.g. certificate validation failed Most attributes are optional and provide the default value based on the type of the attribute. CEL supports presence checks for attributes and maps using `has()` syntax, e.g. `has(request.referer)`.