Role Based Access Control
The Role Based Access Control (RBAC) filter checks if the incoming request is authorized or not. Unlike external authorization, the check of RBAC filter happens in the Envoy process and is based on a list of policies from the filter config.
The RBAC filter can be either configured as a network filter, or as a HTTP filter or both. If the request is deemed unauthorized by the network filter then the connection will be closed. If the request is deemed unauthorized by the HTTP filter the request will be denied with 403 (Forbidden) response.
The RBAC filter’s rules can be either configured with a list of policies or the matching API.
Policy
The RBAC filter checks the request based on a list of policies. A policy consists of a list of permissions and principals. The permission specifies the actions of the request, for example, the method and path of a HTTP request. The principal specifies the downstream client identities of the request, for example, the URI SAN of the downstream client certificate. A policy is matched if its permissions and principals are matched at the same time.
Matcher
Instead of specifying policies, the RBAC filter can also be configured with the matching API. Network inputs are available for both RBAC network filter and HTTP filter, and HTTP inputs are only available in HTTP filter.
RBAC matcher extensions are not compatible with the matching API.
Shadow Policy and Shadow Matcher
The filter can be configured with a shadow policy or a shadow matcher that doesn’t have any effect (i.e. not deny the request) but only emit stats and log the result. This is useful for testing a rule before applying in production.
Condition
In addition to the pre-defined permissions and principals, a policy may optionally provide an
authorization condition written in the Common Expression Language. The condition specifies an extra
clause that must be satisfied for the policy to match. For example, the following condition checks
whether the request path starts with /v1/
:
call_expr:
function: startsWith
args:
- select_expr:
operand:
ident_expr:
name: request
field: path
- const_expr:
string_value: /v1/
Envoy provides a number of request attributes
for expressive policies. Most attributes are optional and provide the default
value based on the type of the attribute. CEL supports presence checks for
attributes and maps using has()
syntax, e.g. has(request.referer)
.