rbac.proto
Package: rbac.options.gloo.solo.io
Types:
Settings
Global RBAC settings
| Field | Type | Description |
| --- | --- | --- |
| `requireRbac` | `bool` | Require RBAC for all virtual hosts. A vhost without an RBAC policy set will fall back to a deny-all policy. |
ExtensionSettings
RBAC settings for Virtual Hosts and Routes
"disable": bool
"policies": map<string, .rbac.options.gloo.solo.io.Policy>
| Field | Type | Description |
| --- | --- | --- |
| `disable` | `bool` | Disable RBAC checks on this resource (default false). This is useful to allow access to static resources/login page without RBAC checks. If provided on a route, all route settings override any vhost settings. |
| `policies` | `map<string, .rbac.options.gloo.solo.io.Policy>` | Named policies to apply. |
Policy
"principals": [] rbac.options.gloo.solo.io.Principal
"permissions": .rbac.options.gloo.solo.io.Permissions
"nestedClaimDelimiter": string
| Field | Type | Description |
| --- | --- | --- |
| `principals` | `[]rbac.options.gloo.solo.io.Principal` | Principals in this policy. |
| `permissions` | `.rbac.options.gloo.solo.io.Permissions` | Permissions granted to the principals. |
| `nestedClaimDelimiter` | `string` | The delimiter to use when specifying nested claim names within principals. Default is an empty string, which disables nested claim functionality. This is commonly set to `.`, allowing for nested claim names of the form `parent.child.grandchild`. |
Principal
An RBAC principal - the identity entity (usually a user or a service account).
"jwtPrincipal": .rbac.options.gloo.solo.io.JWTPrincipal
JWTPrincipal
A JWT principal. To use this, JWT option MUST be enabled.
"claims": map<string, string>
"provider": string
"matcher": .rbac.options.gloo.solo.io.JWTPrincipal.ClaimMatcher
| Field | Type | Description |
| --- | --- | --- |
| `claims` | `map<string, string>` | Set of claims that make up this principal. Commonly, the ‘iss’ and ‘sub’ or ‘email’ claims are used. If you specify the path for a nested claim, such as ‘parent.child.foo’, you must also specify a non-empty string value for the `nested_claim_delimiter` field in the Policy. |
| `provider` | `string` | Verify that the JWT came from a specific provider. This usually can be left empty and a provider will be chosen automatically. |
| `matcher` | `.rbac.options.gloo.solo.io.JWTPrincipal.ClaimMatcher` | The matcher to use when evaluating this principal. By default, exact string comparison (EXACT_STRING) is used. |
ClaimMatcher
Used to specify how claims should be matched to the value.
| Name | Description |
| --- | --- |
| `EXACT_STRING` | The JWT claim value is a string that exactly matches the value. |
| `BOOLEAN` | The JWT claim value is a boolean that matches the value. |
| `LIST_CONTAINS` | The JWT claim value is a list that contains a string that exactly matches the value. |
Permissions
What permissions should be granted. An empty field means allow-all.
If more than one field is added, all of them need to match.
"pathPrefix": string
"methods": [] string
| Field | Type | Description |
| --- | --- | --- |
| `pathPrefix` | `string` | Paths that have this prefix will be allowed. |
| `methods` | `[]string` | What HTTP methods (GET, POST, …) are allowed. |
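
The JWTPrincipal, ClaimMatcher and Permissions rules above, modelled in Python as an added example; this is not Gloo Gateway or Envoy code. The function names and the sample payload are constructed for illustration, and behaviour the page does not state (all claims in a principal must match, an empty claim set matches nothing, BOOLEAN values are written as "true"/"false") is an assumption marked in the comments.

```python
# Illustrative model of the matching rules documented above; NOT Gloo Gateway
# or Envoy code. Semantics marked ASSUMPTION are not stated on the page.

def lookup_claim(payload, name, delimiter=""):
    """Resolve a claim name against a decoded JWT payload (a dict)."""
    if not delimiter:
        # Empty nestedClaimDelimiter: nested lookup is off, name is one key.
        return payload.get(name)
    node = payload
    for part in name.split(delimiter):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def claim_matches(actual, expected, matcher="EXACT_STRING"):
    """Apply one ClaimMatcher; a claim of the wrong JSON type never matches."""
    if matcher == "EXACT_STRING":
        return isinstance(actual, str) and actual == expected
    if matcher == "BOOLEAN":
        # ASSUMPTION: the configured value is the string "true" or "false".
        return isinstance(actual, bool) and str(actual).lower() == expected
    if matcher == "LIST_CONTAINS":
        return isinstance(actual, list) and expected in [v for v in actual if isinstance(v, str)]
    raise ValueError(f"unknown matcher: {matcher}")

def principal_matches(payload, jwt_principal, delimiter=""):
    # ASSUMPTION: every configured claim must match, and a principal with
    # no claims matches nothing (fail closed).
    claims = jwt_principal.get("claims", {})
    matcher = jwt_principal.get("matcher", "EXACT_STRING")
    return bool(claims) and all(
        claim_matches(lookup_claim(payload, name, delimiter), value, matcher)
        for name, value in claims.items())

def permission_allows(permissions, path, method):
    # An empty field allows everything; fields that are set must all match.
    prefix = permissions.get("pathPrefix", "")
    methods = permissions.get("methods", [])
    return (not prefix or path.startswith(prefix)) and (not methods or method in methods)

# Constructed sample payload (not from the page).
PAYLOAD = {
    "iss": "https://idp.example.test",
    "email": "dev@example.test",
    "admin": True,
    "groups": ["dev", "ops"],
    "org": {"team": {"name": "payments"}},
}
```

With the default empty delimiter, the claim name `org.team.name` is looked up as a single top-level key and does not match this payload; the same principal matches once the delimiter is `.`.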