MetadataMatcher provides a general interface to check if a given value is matched in Metadata. It uses filter and path to retrieve the value from the Metadata and then check if it’s matched to the specified value.

For example, for the following Metadata:

filter_metadata:
envoy.filters.http.rbac:
fields:
a:
struct_value:
fields:
b:
struct_value:
fields:
c:
string_value: pro
t:
list_value:
values:
- string_value: m
- string_value: n


The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value “pro” from the Metadata which is matched to the specified prefix match.

filter: envoy.filters.http.rbac
path:
- key: a
- key: b
- key: c
value:
string_match:
prefix: pr


The following MetadataMatcher is matched as the code will match one of the string values in the list at the path [a, t].

filter: envoy.filters.http.rbac
path:
- key: a
- key: t
value:
list_match:
one_of:
string_match:
exact: m


An example use of MetadataMatcher is specifying additional metadata in envoy.filters.http.rbac to enforce access control based on dynamic metadata in a request. See Permission and Principal.

{
"filter": "...",
"path": [],
"value": "{...}"
}

filter

(string, REQUIRED) The filter name to retrieve the Struct from the Metadata.

path

(type.matcher.v3.MetadataMatcher.PathSegment, REQUIRED) The path to retrieve the Value from the Struct.

value

(type.matcher.v3.ValueMatcher, REQUIRED) The MetadataMatcher is matched if the value retrieved by path is matched to this value.

{