.. _envoy_v3_api_file_envoy/extensions/filters/http/rbac/v3/rbac.proto:

RBAC
====


.. _extension_envoy.filters.http.rbac:

This extension may be referenced by the qualified name *envoy.filters.http.rbac*

.. note::
  

  This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.

.. tip::
  This extension extends and can be used with the following extension category:


  - :ref:`envoy.filters.http <extension_category_envoy.filters.http>`

Role-Based Access Control :ref:`configuration overview <config_http_filters_rbac>`.

.. _envoy_v3_api_msg_extensions.filters.http.rbac.v3.RBAC:

extensions.filters.http.rbac.v3.RBAC
------------------------------------

`[extensions.filters.http.rbac.v3.RBAC proto] <https://github.com/envoyproxy/envoy/blob/v1.18.4/api/envoy/extensions/filters/http/rbac/v3/rbac.proto#L19>`_

RBAC filter config.

.. code-block:: json

  {
    "rules": "{...}",
    "shadow_rules": "{...}",
    "shadow_rules_stat_prefix": "..."
  }

.. _envoy_v3_api_field_extensions.filters.http.rbac.v3.RBAC.rules:

rules
  (:ref:`config.rbac.v3.RBAC <envoy_v3_api_msg_config.rbac.v3.RBAC>`) Specify the RBAC rules to be applied globally.
  If absent, no enforcing RBAC policy will be applied.
  
  
.. _envoy_v3_api_field_extensions.filters.http.rbac.v3.RBAC.shadow_rules:

shadow_rules
  (:ref:`config.rbac.v3.RBAC <envoy_v3_api_msg_config.rbac.v3.RBAC>`) Shadow rules are not enforced by the filter (i.e., returning a 403)
  but will emit stats and logs and can be used for rule testing.
  If absent, no shadow RBAC policy will be applied.
  
  
.. _envoy_v3_api_field_extensions.filters.http.rbac.v3.RBAC.shadow_rules_stat_prefix:

shadow_rules_stat_prefix
  (`string <https://developers.google.com/protocol-buffers/docs/proto#scalar>`_) If specified, shadow rules will emit stats with the given prefix.
  This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
  shadow rules.
  
  


.. _envoy_v3_api_msg_extensions.filters.http.rbac.v3.RBACPerRoute:

extensions.filters.http.rbac.v3.RBACPerRoute
--------------------------------------------

`[extensions.filters.http.rbac.v3.RBACPerRoute proto] <https://github.com/envoyproxy/envoy/blob/v1.18.4/api/envoy/extensions/filters/http/rbac/v3/rbac.proto#L38>`_


.. code-block:: json

  {
    "rbac": "{...}"
  }

.. _envoy_v3_api_field_extensions.filters.http.rbac.v3.RBACPerRoute.rbac:

rbac
  (:ref:`extensions.filters.http.rbac.v3.RBAC <envoy_v3_api_msg_extensions.filters.http.rbac.v3.RBAC>`) Override the global configuration of the filter with this new config.
  If absent, the global RBAC policy will be disabled for this route.