Rbac

Package: `rbac.options.gloo.solo.io`

Types:
- Settings
- ExtensionSettings
- Policy
- Principal
- JWTPrincipal
- ClaimMatcher
- Permissions

Source File: `github.com/solo-io/gloo/projects/gloo/api/v1/enterprise/options/rbac/rbac.proto`
Settings
Global RBAC settings
```yaml
"requireRbac": bool
```

| Field | Type | Description |
|---|---|---|
| `requireRbac` | `bool` | Require RBAC for all virtual hosts. A vhost without an RBAC policy set falls back to a deny-all policy. |
ExtensionSettings
RBAC settings for Virtual Hosts and Routes
```yaml
"disable": bool
"policies": map<string, .rbac.options.gloo.solo.io.Policy>
```

| Field | Type | Description |
|---|---|---|
| `disable` | `bool` | Disable RBAC checks on this resource (default `false`). This is useful to allow access to static resources or a login page without RBAC checks. If provided on a route, all route settings override any vhost settings. |
| `policies` | `map<string, .rbac.options.gloo.solo.io.Policy>` | Named policies to apply. |
Policy
```yaml
"principals": []rbac.options.gloo.solo.io.Principal
"permissions": .rbac.options.gloo.solo.io.Permissions
"nestedClaimDelimiter": string
```

| Field | Type | Description |
|---|---|---|
| `principals` | `[]rbac.options.gloo.solo.io.Principal` | Principals in this policy. |
| `permissions` | `.rbac.options.gloo.solo.io.Permissions` | Permissions granted to the principals. |
| `nestedClaimDelimiter` | `string` | The delimiter to use when specifying nested claim names within principals. Default is an empty string, which disables nested claim functionality. This is commonly set to `.`, allowing nested claim names of the form `parent.child.grandchild`. |
Principal
An RBAC principal - the identity entity (usually a user or a service account).
```yaml
"jwtPrincipal": .rbac.options.gloo.solo.io.JWTPrincipal
```

| Field | Type | Description |
|---|---|---|
| `jwtPrincipal` | `.rbac.options.gloo.solo.io.JWTPrincipal` | A principal identified by claims in a verified JWT. |
JWTPrincipal
A JWT principal. To use this, JWT option MUST be enabled.
```yaml
"claims": map<string, string>
"provider": string
"matcher": .rbac.options.gloo.solo.io.JWTPrincipal.ClaimMatcher
```

| Field | Type | Description |
|---|---|---|
| `claims` | `map<string, string>` | Set of claims that make up this principal. Commonly, the `iss` and `sub` or `email` claims are used. If you specify the path for a nested claim, such as `parent.child.foo`, you must also specify a non-empty string value for the `nestedClaimDelimiter` field in the Policy. |
| `provider` | `string` | Verify that the JWT came from a specific provider. This can usually be left empty, in which case a provider is chosen automatically. |
| `matcher` | `.rbac.options.gloo.solo.io.JWTPrincipal.ClaimMatcher` | The matcher to use when evaluating this principal. It applies to every claim listed in `claims`. By default, exact string comparison (`EXACT_STRING`) is used. |
ClaimMatcher
Used to specify how claims should be matched to the value.
| Name | Description |
|---|---|
| `EXACT_STRING` | The JWT claim value is a string that exactly matches the value. |
| `BOOLEAN` | The JWT claim value is a boolean that matches the value. |
| `LIST_CONTAINS` | The JWT claim value is a list that contains a string that exactly matches the value. |
Permissions
What permissions should be granted. If no fields are set, the matched principals are allowed to make any request. If more than one field is set, all of them need to match.

```yaml
"pathPrefix": string
"methods": []string
```

| Field | Type | Description |
|---|---|---|
| `pathPrefix` | `string` | Paths that have this prefix will be allowed. This is a plain string-prefix match, so `/admin` also covers `/administrator`; end the prefix with a trailing slash where that distinction matters. |
| `methods` | `[]string` | What HTTP methods (`GET`, `POST`, …) are allowed. |
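The following manifests tie the options above together: a global `Settings` with `requireRbac`, a `VirtualService` with two named policies (one using a nested `LIST_CONTAINS` claim pinned to a named provider, one using an exact-match claim with restricted permissions), and a route that disables RBAC for a login page. This is an added example, not a manifest from the Gloo documentation or source tree. The resource names, upstreams, issuer URL, claim names and the `jwt` provider block (which belongs to a different proto and is shown only because `JWTPrincipal` requires the JWT option to be enabled) are all assumptions.

```yaml
# Added example, not from the Gloo docs or source tree. Resource names, the
# jwt provider block, the issuer URL and the claim names are assumptions.
---
# Global: every vhost must carry an RBAC policy; a vhost with none is deny-all.
apiVersion: gloo.solo.io/v1
kind: Settings
metadata:
  name: default
  namespace: gloo-system
spec:
  rbac:
    requireRbac: true
---
apiVersion: gateway.solo.io/v1
kind: VirtualService
metadata:
  name: app
  namespace: gloo-system
spec:
  virtualHost:
    domains:
      - app.example.com
    options:
      # JWTPrincipal only works when the JWT filter is enabled on the same
      # vhost. Minimal assumed provider config; see the jwt options reference.
      jwt:
        providers:
          keycloak:
            issuer: https://idp.example.com/realms/app
            jwks:
              remote:
                url: https://idp.example.com/realms/app/protocol/openid-connect/certs
                upstreamRef:
                  name: idp
                  namespace: gloo-system
      rbac:
        policies:
          # Admins are identified by a nested list claim, e.g.
          # {"realm_access": {"roles": ["admin", "user"]}}. The "." in the
          # claim name is only understood because nestedClaimDelimiter is set.
          # The matcher applies to every claim in this principal, so a plain
          # string claim such as iss must not be mixed into a LIST_CONTAINS
          # principal; the issuer is pinned through `provider` instead.
          admins:
            nestedClaimDelimiter: "."
            principals:
              - jwtPrincipal:
                  provider: keycloak
                  matcher: LIST_CONTAINS
                  claims:
                    realm_access.roles: admin
            # No permissions block: matched admins may use any path and method.

          # Viewers: exact string match on two claims (both must be present),
          # limited to read-only calls under /api/. pathPrefix and methods are
          # ANDed, so a POST to /api/ or a GET to /admin/ is denied.
          viewers:
            principals:
              - jwtPrincipal:
                  claims:
                    iss: https://idp.example.com/realms/app
                    email: viewer@example.com
            permissions:
              pathPrefix: /api/
              methods:
                - GET
                - HEAD
    routes:
      # The login page must be reachable before the user holds a JWT, so RBAC
      # is disabled for this route only; the vhost policies remain in force
      # for every other route.
      - matchers:
          - prefix: /login
        options:
          rbac:
            disable: true
        routeAction:
          single:
            upstream:
              name: login-ui
              namespace: gloo-system
      - matchers:
          - prefix: /
        routeAction:
          single:
            upstream:
              name: app-backend
              namespace: gloo-system
```

With `requireRbac: true` in place, any other `VirtualService` in the mesh that omits `options.rbac` rejects all traffic, so static assets and health endpoints on such vhosts need either a policy or a route-level `disable: true` of their own.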