Rbac
Package: rbac.options.gloo.solo.io
Types:
- Settings
- ExtensionSettings
- Policy
- Principal
- JWTPrincipal
- ClaimMatcher
- Permissions
Source File: github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/rbac/rbac.proto
Settings
Global RBAC settings
"requireRbac": bool
Field | Type | Description |
---|---|---|
requireRbac | bool | Require RBAC for all virtual hosts. A virtual host without an RBAC policy set falls back to a deny-all policy, so every request to it is rejected until a policy is added or RBAC is explicitly disabled on the route. |
ExtensionSettings
RBAC settings for Virtual Hosts and Routes
"disable": bool
"policies": map<string, .rbac.options.gloo.solo.io.Policy>
Field | Type | Description |
---|---|---|
disable | bool | Disable RBAC checks on this resource (default false). Useful for serving static resources or a login page without RBAC checks. If RBAC settings are provided on a route, they replace the virtual host's RBAC settings entirely; the two are not merged. |
policies | map<string, .rbac.options.gloo.solo.io.Policy> | Named policies to apply. A request is allowed if any one of the named policies permits it. |
Policy
"principals": []rbac.options.gloo.solo.io.Principal
"permissions": .rbac.options.gloo.solo.io.Permissions
"nestedClaimDelimiter": string
Field | Type | Description |
---|---|---|
principals | []rbac.options.gloo.solo.io.Principal | Principals in this policy. |
permissions | .rbac.options.gloo.solo.io.Permissions | Permissions granted to the principals. |
nestedClaimDelimiter | string | The delimiter to use when naming nested claims within principals. The default is an empty string, which disables nested-claim lookup. It is commonly set to `.`, allowing nested claim names of the form `parent.child.grandchild`. |
Principal
An RBAC principal - the identity entity (usually a user or a service account).
"jwtPrincipal": .rbac.options.gloo.solo.io.JWTPrincipal
Field | Type | Description |
---|---|---|
jwtPrincipal | .rbac.options.gloo.solo.io.JWTPrincipal | A principal identified by the claims of a verified JWT; see JWTPrincipal below. |
JWTPrincipal
A JWT principal. To use this, the JWT option MUST be enabled, so that the token has been verified before its claims are used for authorization.
"claims": map<string, string>
"provider": string
"matcher": .rbac.options.gloo.solo.io.JWTPrincipal.ClaimMatcher
Field | Type | Description |
---|---|---|
claims | map<string, string> | Set of claims that make up this principal; every entry must match for the principal to match. Commonly the `iss` and `sub` or `email` claims are used. If you specify the path of a nested claim, such as `parent.child.foo`, you must also set a non-empty nestedClaimDelimiter on the enclosing Policy. |
provider | string | Verify that the JWT came from a specific JWT provider. This can usually be left empty, in which case a provider is chosen automatically. |
matcher | .rbac.options.gloo.solo.io.JWTPrincipal.ClaimMatcher | The matcher used when evaluating every claim in this principal. Defaults to exact string comparison (EXACT_STRING). |
ClaimMatcher
Used to specify how claims should be matched to the value.
Name | Description |
---|---|
EXACT_STRING | The JWT claim value is a string that exactly equals the configured value. |
BOOLEAN | The JWT claim value is a boolean that matches the configured value (written as the string "true" or "false", since claims is a map of strings). |
LIST_CONTAINS | The JWT claim value is a list that contains a string exactly equal to the configured value. |
Permissions
What permissions should be granted. A Permissions message with no fields set means allow-all: the policy's principals may send any method to any path. When more than one field is set, a request must match all of them.
"pathPrefix": string
"methods": []string
Field | Type | Description |
---|---|---|
pathPrefix | string | Requests whose path starts with this prefix are allowed. The match is a plain string prefix, so `/admin` also matches `/admin-tools`; use `/admin/` if only that subtree is intended (note that `/admin/` then no longer matches `/admin` itself). |
methods | []string | The HTTP methods (GET, POST, ...) that are allowed. |
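The following is an added example that ties the types above together; it is not taken from the Gloo project's own documentation. It enables the deny-all fallback in Settings, defines three policies on a virtual host (an exact `iss`/`sub` principal, a nested `realm_access.roles` claim checked with LIST_CONTAINS via nestedClaimDelimiter, and a BOOLEAN `email_verified` check), and opts a login route out with `disable`. The issuer URL, upstream names, namespace, and the JWT provider block are assumed values.

```yaml
# Added illustrative example (not from the Gloo project docs). Names, URLs and
# upstream references are assumed. Settings.rbac.requireRbac turns on the
# deny-all fallback for every virtual host that carries no RBAC policy.
apiVersion: gloo.solo.io/v1
kind: Settings
metadata:
  name: default
  namespace: gloo-system
spec:
  rbac:
    requireRbac: true
---
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: petstore
  namespace: gloo-system
spec:
  virtualHost:
    domains:
    - "*"
    options:
      # JWTPrincipal requires JWT verification to be enabled; the provider
      # below (issuer, audience, JWKS upstream) is an assumed configuration.
      jwt:
        providers:
          idp:
            issuer: https://idp.example.com
            audiences: [petstore]
            jwks:
              remote:
                url: https://idp.example.com/.well-known/jwks.json
                upstreamRef:
                  name: idp-jwks
                  namespace: gloo-system
      rbac:
        policies:
          # Read-only access for one user. Both pathPrefix and methods are
          # set, so a request must satisfy both; iss and sub must both match.
          viewer:
            principals:
            - jwtPrincipal:
                claims:
                  iss: https://idp.example.com
                  sub: alice
            permissions:
              pathPrefix: /api/pets/
              methods: [GET]
          # Write access for anyone whose nested roles list contains "editor".
          # nestedClaimDelimiter "." makes "realm_access.roles" address
          # {"realm_access": {"roles": [...]}}; LIST_CONTAINS matches an element.
          # The matcher applies to every claim in this principal, so no plain
          # string claim (such as iss) is mixed into it.
          editor:
            nestedClaimDelimiter: "."
            principals:
            - jwtPrincipal:
                claims:
                  realm_access.roles: editor
                matcher: LIST_CONTAINS
            permissions:
              pathPrefix: /api/pets/
              methods: [POST, PUT, DELETE]
          # Users with a verified email may use any method under /api/profile/:
          # BOOLEAN compares the claim against the string "true", and methods
          # is left unset, so only the path prefix is checked.
          verified:
            principals:
            - jwtPrincipal:
                claims:
                  email_verified: "true"
                matcher: BOOLEAN
            permissions:
              pathPrefix: /api/profile/
    routes:
    # The login page is served without RBAC. Route-level RBAC settings replace
    # the virtual host's, so none of the policies above apply to this route.
    - matchers:
      - prefix: /login
      options:
        rbac:
          disable: true
      routeAction:
        single:
          upstream:
            name: login-app
            namespace: gloo-system
    - matchers:
      - prefix: /
      routeAction:
        single:
          upstream:
            name: petstore-api
            namespace: gloo-system
```

Two points worth checking in a real deployment: with `requireRbac: true`, any other virtual host that has no `rbac` block rejects every request, which is the intended fail-closed behaviour but is easy to mistake for an outage; and the prefixes above end in `/` deliberately, since `/api/pets` would also admit `/api/pets-admin`.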