.. _envoy_v3_api_file_envoy/extensions/filters/http/rbac/v3/rbac.proto: RBAC ==== .. _extension_envoy.filters.http.rbac: This extension may be referenced by the qualified name *envoy.filters.http.rbac* .. note:: This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted. Role-Based Access Control :ref:`configuration overview `. .. _envoy_v3_api_msg_extensions.filters.http.rbac.v3.RBAC: extensions.filters.http.rbac.v3.RBAC ------------------------------------ `[extensions.filters.http.rbac.v3.RBAC proto] `_ RBAC filter config. .. code-block:: json { "rules": "{...}", "shadow_rules": "{...}" } .. _envoy_v3_api_field_extensions.filters.http.rbac.v3.RBAC.rules: rules (:ref:`config.rbac.v3.RBAC `) Specify the RBAC rules to be applied globally. If absent, no enforcing RBAC policy will be applied. .. _envoy_v3_api_field_extensions.filters.http.rbac.v3.RBAC.shadow_rules: shadow_rules (:ref:`config.rbac.v3.RBAC `) Shadow rules are not enforced by the filter (i.e., returning a 403) but will emit stats and logs and can be used for rule testing. If absent, no shadow RBAC policy will be applied. .. _envoy_v3_api_msg_extensions.filters.http.rbac.v3.RBACPerRoute: extensions.filters.http.rbac.v3.RBACPerRoute -------------------------------------------- `[extensions.filters.http.rbac.v3.RBACPerRoute proto] `_ .. code-block:: json { "rbac": "{...}" } .. _envoy_v3_api_field_extensions.filters.http.rbac.v3.RBACPerRoute.rbac: rbac (:ref:`extensions.filters.http.rbac.v3.RBAC `) Override the global configuration of the filter with this new config. If absent, the global RBAC policy will be disabled for this route.