Package: rbac.options.gloo.solo.io


Source File: github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/rbac/rbac.proto


Global RBAC settings

"requireRbac": bool

Field Type Description
requireRbac bool Require RBAC for all virtual hosts. A vhost without an RBAC policy set will fallback to a deny-all policy.


RBAC settings for Virtual Hosts and Routes

"disable": bool
"policies": map<string, .rbac.options.gloo.solo.io.Policy>

Field Type Description
disable bool Disable RBAC checks on this resource (default false). This is useful to allow access to static resources/login page without RBAC checks. If provided on a route, all route settings override any vhost settings.
policies map<string, .rbac.options.gloo.solo.io.Policy> Named policies to apply.


"principals": []rbac.options.gloo.solo.io.Principal
"permissions": .rbac.options.gloo.solo.io.Permissions
"nestedClaimDelimiter": string

Field Type Description
principals []rbac.options.gloo.solo.io.Principal Principals in this policy.
permissions .rbac.options.gloo.solo.io.Permissions Permissions granted to the principals.
nestedClaimDelimiter string The delimiter to use when specifying nested claim names within principals. Default is an empty string, which disables nested claim functionality. This is commonly set to ., allowing for nested claim names of the form parent.child.grandchild.


An RBAC principal - the identity entity (usually a user or a service account).

"jwtPrincipal": .rbac.options.gloo.solo.io.JWTPrincipal

Field Type Description
jwtPrincipal .rbac.options.gloo.solo.io.JWTPrincipal


A JWT principal. To use this, JWT option MUST be enabled.

"claims": map<string, string>
"provider": string
"matcher": .rbac.options.gloo.solo.io.JWTPrincipal.ClaimMatcher

Field Type Description
claims map<string, string> Set of claims that make up this principal. Commonly, the ‘iss’ and ‘sub’ or ‘email’ claims are used. If you specify the path for a nested claim, such as ‘parent.child.foo’, you must also specify a non-empty string value for the nested_claim_delimiter field in the Policy.
provider string Verify that the JWT came from a specific provider. This usually can be left empty and a provider will be chosen automatically.
matcher .rbac.options.gloo.solo.io.JWTPrincipal.ClaimMatcher The matcher to use when evaluating this principal. By default, exact string comparison (EXACT_STRING) is used.


Used to specify how claims should be matched to the value.

Name Description
EXACT_STRING The JWT claim value is a string that exactly matches the value.
BOOLEAN The JWT claim value is a boolean that matches the value.
LIST_CONTAINS The JWT claim value is a list that contains a string that exactly matches the value.


What permissions should be granted. An empty field means allow-all. If more than one field is added, all of them need to match.

"pathPrefix": string
"methods": []string

Field Type Description
pathPrefix string Paths that have this prefix will be allowed.
methods []string What http methods (GET, POST, …) are allowed.