package envoy.extensions.filters.http.rbac.v3

Get desktop application:
View/edit binary Protocol Buffers messages

RBAC filter config. [#next-free-field: 8]

Used in: RBACPerRoute

• optional config.rbac.v3.RBAC rules = 1

  The primary RBAC policy which will be applied globally, to all the incoming requests. * If absent, no RBAC enforcement occurs. * If set but empty, all requests are denied. .. note:: When both ``rules`` and ``matcher`` are configured, ``rules`` will be ignored.

• string rules_stat_prefix = 6

  If specified, rules will emit stats with the given prefix. This is useful for distinguishing metrics when multiple RBAC filters are configured.

• optional xds.type.matcher.v3.Matcher matcher = 4

  Match tree for evaluating RBAC actions on incoming requests. Requests not matching any matcher will be denied. * If absent, no RBAC enforcement occurs. * If set but empty, all requests are denied.

• optional config.rbac.v3.RBAC shadow_rules = 2

  Shadow policy for testing RBAC rules without enforcing them. These rules generate stats and logs but do not deny requests. If absent, no shadow RBAC policy will be applied. .. note:: When both ``shadow_rules`` and ``shadow_matcher`` are configured, ``shadow_rules`` will be ignored.

• optional xds.type.matcher.v3.Matcher shadow_matcher = 5

  If absent, no shadow matcher will be applied. Match tree for testing RBAC rules through stats and logs without enforcing them. If absent, no shadow matching occurs.

• string shadow_rules_stat_prefix = 3

  If specified, shadow rules will emit stats with the given prefix. This is useful for distinguishing metrics when multiple RBAC filters use shadow rules.

• bool track_per_rule_stats = 7

  If ``track_per_rule_stats`` is ``true``, counters will be published for each rule and shadow rule.

• optional RBAC rbac = 2

  Per-route specific RBAC configuration that overrides the global RBAC configuration. If absent, RBAC policy will be disabled for this route.