istio.io/istio@v0.0.0-20240520182934-d79c90f27776/pkg/workloadapi/security/authorization.proto (about)

     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  syntax = "proto3";
    16  
    17  package istio.security;
    18  option go_package="pkg/workloadapi/security";
    19  
    20  import "google/protobuf/empty.proto";
    21  
// Authorization is one RBAC policy as carried over the workload API. It is
// attached to workloads according to `scope`; when any of its `groups` matches
// a request, `action` is applied.
message Authorization {
  // Name of the policy.
  string name = 1;
  // Namespace of the policy. Also the namespace the policy applies to when
  // `scope` is NAMESPACE (see the `scope` comment below).
  string namespace = 2;

  // Determine the scope of this RBAC policy.
  // If set to NAMESPACE, the 'namespace' field value will be used.
  // NOTE(review): Scope's zero value is GLOBAL and this field has implicit
  // presence, so a producer that leaves `scope` unset emits a mesh-wide
  // policy. Producers must set it explicitly.
  Scope scope = 3;
  // The action to take if the request is matched with the rules.
  // Default is ALLOW if not specified: Action's zero value is ALLOW, so an
  // unset field is indistinguishable from an explicit ALLOW on the wire.
  Action action = 4;
  // Set of RBAC policy groups each containing its rules.
  // If at least one of the groups is matched the policy action will
  // take place.
  // Groups are OR-ed.
  // NOTE(review): with no groups nothing can match; whether a consumer
  // treats such a policy as a no-op or as deny-all is not defined by this
  // schema — confirm against the consumer.
  repeated Group groups = 5;
}
    38  
// Group is one OR-ed alternative of an Authorization; it carries the rules
// derived from a policy's to/from/when clauses.
message Group {
  // Rules are OR-ed (e.g. ANY rule can match)
  // This is a generic form of the authz policy's to, from and when
  repeated Rules rules = 1;
}
    44  
    45  message Rules {
    46    // The logical behavior between the matches (if there are more than one)
    47  //  MatchBehavior match_behavior = 1;
    48  
    49    // Conditions within a rule are AND-ed (e.g. ALL conditions must be true)
    50    repeated Match matches = 2;
    51  }
    52  
// Match is a set of constraints on a request. Each list holds alternatives
// for one attribute type (OR-ed); every non-empty list must be satisfied
// (AND-ed). The `not_*` lists are presumably the negated forms of their
// counterparts (the request must match none of the listed values) — confirm
// against the consumer.
message Match {
  // Values of specific type are ORed
  // If multiple types are set, they are ANDed
  // NOTE(review): by that rule an empty list imposes no constraint for its
  // type, so a Match with every list empty matches any request. Confirm that
  // producers never emit such a Match in an ALLOW policy unintentionally.

  // Presumably the namespace of the request's source workload — confirm.
  repeated StringMatch namespaces = 1;
  repeated StringMatch not_namespaces = 2;

  // Presumably the identity (principal) of the request's source — confirm.
  repeated StringMatch principals = 3;
  repeated StringMatch not_principals = 4;

  repeated Address source_ips = 5;
  repeated Address not_source_ips = 6;

  repeated Address destination_ips = 7;
  repeated Address not_destination_ips = 8;

  // Destination port. uint32 is wider than a 16-bit TCP/UDP port; values
  // above 65535 can never match a real port, so validate the range when
  // ingesting rather than silently carrying them.
  repeated uint32 destination_ports = 9;
  repeated uint32 not_destination_ports = 10;
}
    72  
// Address is the element type of Match's `*_ips` lists: an IP address plus a
// length, i.e. presumably a CIDR prefix — confirm against the consumer.
message Address {
  // Raw IP address bytes. Presumably 4 bytes for IPv4 or 16 for IPv6 in
  // network byte order — confirm against the producer and consumer.
  bytes address = 1;
  // Presumably the prefix length in bits — confirm. A consumer should reject
  // an `address` whose byte length is not 4 or 16, and a `length` greater
  // than 8 * len(address), rather than treating a malformed entry as a
  // match-all or match-nothing.
  uint32 length = 2;
}
    77  
// StringMatch is one alternative for a string-valued attribute (used by
// Match's `namespaces` and `principals` lists). Exactly one `match_type`
// member is expected to be set.
message StringMatch {
  oneof match_type {
    // exact string match
    string exact = 1;
    // prefix-based match
    string prefix = 2;

    // suffix-based match
    // NOTE(review): prefix and suffix matches are broad; a short suffix on
    // `principals` can admit more identities than intended — keep values
    // specific.
    string suffix = 3;

    // Presumably matches when the attribute is present at all, regardless
    // of its value; the consumer defines the exact semantics — confirm.
    google.protobuf.Empty presence = 4;
  }
  // NOTE(review): oneof members have explicit presence, so `exact = ""` is a
  // set member (an exact match against the empty string), whereas a
  // StringMatch with no member set carries no constraint. The consumer should
  // reject the latter rather than treat it as match-anything — confirm.
}
    91  
// Scope selects which workloads an Authorization applies to.
// NOTE(review): the zero value GLOBAL carries real meaning, so an unset
// `Authorization.scope` is read as mesh-wide. Adding an UNSPECIFIED = 0 would
// require renumbering, which is a wire break; instead producers must always
// set scope explicitly.
enum Scope {
  // GLOBAL means that the authorization policy will be applied to all
  // workloads in the mesh (any namespace).
  GLOBAL = 0;
  // NAMESPACE means that the policy will only be applied to workloads in a
  // specific namespace.
  NAMESPACE = 1;
  // WORKLOAD_SELECTOR means that the policy will only be applied to specific
  // workloads that were selected by their labels.
  WORKLOAD_SELECTOR = 2;
}
   103  
// Action is what an Authorization does to a request its groups match.
// NOTE(review): the zero value is ALLOW, so an Authorization whose `action`
// was never set is enforced as an ALLOW policy. DENY is therefore the value
// that must be set explicitly; any fail-closed handling of incomplete or
// malformed policies has to live in the consumer, not in this schema.
enum Action {
  // Allow the request if it matches with the rules.
  ALLOW = 0;
  // Deny the request if it matches with the rules.
  DENY = 1;
}