xds: Envoy proto sync to 2024-11-11 (#11816) · grpc/grpc-java@b44ebce

@@ -28,6 +28,14 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;

28282929

// [#protodoc-title: Role Based Access Control (RBAC)]

303031+

enum MetadataSource {

32+

// Query :ref:`dynamic metadata <well_known_dynamic_metadata>`

33+

DYNAMIC = 0;

34+35+

// Query :ref:`route metadata <envoy_v3_api_field_config.route.v3.Route.metadata>`

36+

ROUTE = 1;

37+

}

38+3139

// Role Based Access Control (RBAC) provides service-level and method-level access control for a

3240

// service. Requests are allowed or denied based on the ``action`` and whether a matching policy is

3341

// found. For instance, if the action is ALLOW and a matching policy is found the request should be

@@ -193,8 +201,27 @@ message Policy {

193201

[(udpa.annotations.field_migrate).oneof_promotion = "expression_specifier"];

194202

}

195203204+

// SourcedMetadata enables matching against metadata from different sources in the request processing

205+

// pipeline. It extends the base MetadataMatcher functionality by allowing specification of where the

206+

// metadata should be sourced from, rather than only matching against dynamic metadata.

207+

//

208+

// The matcher can be configured to look up metadata from:

209+

// * Dynamic metadata: Runtime metadata added by filters during request processing

210+

// * Route metadata: Static metadata configured on the route entry

211+

message SourcedMetadata {

212+

// Metadata matcher configuration that defines what metadata to match against. This includes the filter name,

213+

// metadata key path, and expected value.

214+

type.matcher.v3.MetadataMatcher metadata_matcher = 1

215+

[(validate.rules).message = {required: true}];

216+217+

// Specifies which metadata source should be used for matching. If not set,

218+

// defaults to DYNAMIC (dynamic metadata). Set to ROUTE to match against

219+

// static metadata configured on the route entry.

220+

MetadataSource metadata_source = 2 [(validate.rules).enum = {defined_only: true}];

221+

}

222+196223

// Permission defines an action (or actions) that a principal can take.

197-

// [#next-free-field: 14]

224+

// [#next-free-field: 15]

198225

message Permission {

199226

option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Permission";

200227

@@ -237,8 +264,10 @@ message Permission {

237264

// A port number range that describes a range of destination ports connecting to.

238265

type.v3.Int32Range destination_port_range = 11;

239266240-

// Metadata that describes additional information about the action.

241-

type.matcher.v3.MetadataMatcher metadata = 7;

267+

// Metadata that describes additional information about the action. This field is deprecated; please use

268+

// :ref:`sourced_metadata<envoy_v3_api_field_config.rbac.v3.Permission.sourced_metadata>` instead.

269+

type.matcher.v3.MetadataMatcher metadata = 7

270+

[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];

242271243272

// Negates matching the provided permission. For instance, if the value of

244273

// ``not_rule`` would match, this permission would not match. Conversely, if

@@ -274,12 +303,16 @@ message Permission {

274303

// URI template path matching.

275304

// [#extension-category: envoy.path.match]

276305

core.v3.TypedExtensionConfig uri_template = 13;

306+307+

// Matches against metadata from either dynamic state or route configuration. Preferred over the

308+

// ``metadata`` field as it provides more flexibility in metadata source selection.

309+

SourcedMetadata sourced_metadata = 14;

277310

}

278311

}

279312280313

// Principal defines an identity or a group of identities for a downstream

281314

// subject.

282-

// [#next-free-field: 13]

315+

// [#next-free-field: 14]

283316

message Principal {

284317

option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Principal";

285318

@@ -356,8 +389,10 @@ message Principal {

356389

// A URL path on the incoming HTTP request. Only available for HTTP.

357390

type.matcher.v3.PathMatcher url_path = 9;

358391359-

// Metadata that describes additional information about the principal.

360-

type.matcher.v3.MetadataMatcher metadata = 7;

392+

// Metadata that describes additional information about the principal. This field is deprecated; please use

393+

// :ref:`sourced_metadata<envoy_v3_api_field_config.rbac.v3.Principal.sourced_metadata>` instead.

394+

type.matcher.v3.MetadataMatcher metadata = 7

395+

[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];

361396362397

// Identifies the principal using a filter state object.

363398

type.matcher.v3.FilterStateMatcher filter_state = 12;

@@ -366,6 +401,10 @@ message Principal {

366401

// ``not_id`` would match, this principal would not match. Conversely, if the

367402

// value of ``not_id`` would not match, this principal would match.

368403

Principal not_id = 8;

404+405+

// Matches against metadata from either dynamic state or route configuration. Preferred over the

406+

// ``metadata`` field as it provides more flexibility in metadata source selection.

407+

SourcedMetadata sourced_metadata = 13;

369408

}

370409

}

371410
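Review bot: The new `sourced_metadata` members (Permission field 14 in the `@@ -274` hunk, Principal field 13 in the `@@ -366` hunk) land in the same `oneof` as the now-deprecated `metadata` field, so grpc-java's RBAC config parser now receives a rule and identifier case it has never seen, and since this filter decides allow/deny, an unrecognized case should be rejected explicitly (config NACKed) rather than quietly treated as never-matching, which would invert the policy's effect depending on its action. The parser is not part of this sync, so I can only ask that `SOURCED_METADATA` be confirmed to hit a reject path rather than a permissive default. The `SourcedMetadata` comment in the `@@ -193` hunk also leaves open what happens when the selected source has no entry for the configured filter name and key path; if upstream's intent is no fallback, the comment on `metadata_source` should say so, e.g. `// Lookup is confined to the selected source; a missing entry there is a non-match and never falls back to the other source.` With `DYNAMIC = 0`, proto3 cannot distinguish an unset `metadata_source` from an explicit DYNAMIC, which is acceptable only because it mirrors the deprecated field's behaviour, and that equivalence is worth stating next to the enum. Both enclosing messages, `Permission` and `Principal`, begin outside the hunks shown.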