1 // Copyright 2021 The gRPC Authors
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
7 // http://www.apache.org/licenses/LICENSE-2.0
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
19 // Peer specifies attributes of a peer. Fields in the Peer are ANDed together once
20 // multiple fields are supported in the future.
22 // Optional. A list of peer identities to match for authorization. The principals
23 // are ORed together, i.e., it matches if one of the principals matches. The field
24 // supports Exact, Prefix, Suffix, and Presence matches.
25 // - Exact match: "abc" will match on value "abc".
26 // - Prefix match: "abc*" will match on value "abc" and "abcd".
27 // - Suffix match: "*abc" will match on value "abc" and "xabc".
28 // - Presence match: "*" will match when the value is not empty.
// NOTE(review): a Presence match ("*") accepts any non-empty peer identity, so a
// rule whose only principal is "*" constrains nothing on the source side; such a
// rule should carry request-side restrictions as well.
29 repeated string principals = 1;
32 // Specification of HTTP header match attributes.
34 // Required. The name of the HTTP header to match. The following headers are *not*
35 // supported: "hop-by-hop" headers (e.g., those listed in "Connection" header),
36 // HTTP/2 pseudo headers (":"-prefixed), the "Host" header, and headers prefixed
40 // Required. A list of header values to match. The header values are ORed together,
41 // i.e., it matches if one of the values matches. This field supports Exact,
42 // Prefix, Suffix, and Presence matches. Multi-valued headers are considered a single
43 // value with commas added between values.
44 // - Exact match: "abc" will match on value "abc".
45 // - Prefix match: "abc*" will match on value "abc" and "abcd".
46 // - Suffix match: "*abc" will match on value "abc" and "xabc".
47 // - Presence match: "*" will match when the value is not empty.
// NOTE(review): because a multi-valued header is joined with commas before
// matching, Prefix and Suffix matches apply to the joined string rather than to
// each individual value (e.g. "abc*" also matches the joined value "abc,xyz");
// write patterns with the joined form in mind.
48 repeated string values = 2;
51 // Request specifies attributes of a request. Fields in the Request are ANDed
54 // Optional. A list of paths to match for authorization. Each path is the fully
55 // qualified method name in the form "/package.service/method". The paths are ORed
56 // together, i.e., it matches if one of the paths matches. This field supports
57 // Exact, Prefix, Suffix, and Presence matches.
58 // - Exact match: "abc" will match on value "abc".
59 // - Prefix match: "abc*" will match on value "abc" and "abcd".
60 // - Suffix match: "*abc" will match on value "abc" and "xabc".
61 // - Presence match: "*" will match when the value is not empty.
// NOTE(review): a Prefix match such as "/pkg.service/*" covers every method of
// that service, and a Presence match ("*") covers every path; prefer the
// narrowest form that expresses the intended access.
62 repeated string paths = 1;
64 // Optional. A list of HTTP header key/value pairs to match against, for
65 // potentially advanced use cases. The headers are ANDed together, i.e., it matches
66 // only if *all* the headers match.
// NOTE(review): header values come from the request being authorized, so a header
// should only serve as an authorization signal when a trusted hop is known to set
// or strip it — confirm this for each header named in a policy.
67 repeated Header headers = 3;
70 // Specification of rules.
72 // Required. The name of an authorization rule.
73 // It is mainly for monitoring and error message generation.
76 // Optional. If not set, no checks will be performed against the source. An empty
77 // rule is always matched (i.e., both source and request are empty).
80 // Optional. If not set, no checks will be performed against the request. An empty
81 // rule is always matched (i.e., both source and request are empty).
85 // AuthorizationPolicy defines which principals are permitted to access which
86 // resource. Resources are RPC methods scoped by services.
88 // In the following yaml policy example, a peer identity from ["admin1", "admin2", "admin3"]
89 // is authorized to access any RPC method in pkg.service, and peer identity "dev" is
90 // authorized to access the "foo" and "bar" RPC methods.
92 // name: example-policy
94 // - name: admin-access
97 // - "spiffe://foo.com/sa/admin1"
98 // - "spiffe://foo.com/sa/admin2"
99 // - "spiffe://foo.com/sa/admin3"
101 // paths: ["/pkg.service/*"]
102 // - name: dev-access
104 // principals: ["spiffe://foo.com/sa/dev"]
106 // paths: ["/pkg.service/foo", "/pkg.service/bar"]
108 message AuthorizationPolicy {
109 // Required. The name of an authorization policy.
110 // It is mainly for monitoring and error message generation.
113 // Optional. List of deny rules to match. If a request matches any of the deny
114 // rules, then it will be denied. If none of the deny rules matches or there are
115 // no deny rules, the allow rules will be evaluated.
// Deny rules are evaluated first and take precedence over allow rules: a request
// that matches a deny rule is denied regardless of the allow rules.
116 repeated Rule deny_rules = 2;
118 // Required. List of allow rules to match. The allow rules will only be evaluated
119 // after the deny rules. If a request matches any of the allow rules, then it will
120 // be allowed. If none of the allow rules matches, it will be denied.
// NOTE(review): the default outcome is deny — a request that matches no allow rule
// is rejected (presumably including the case of an empty list; confirm how an
// empty allow_rules is treated).
121 repeated Rule allow_rules = 3;