rbac: add support for matching on route metadata #36957
Conversation
|
CC @envoyproxy/api-shepherds: Your approval is needed for changes made to |
agrawroh
force-pushed
the
route_meta
branch
3 times, most recently
from
16908e6
to
554622a
Compare
|
@yanavlasov @wbpcode Could you please help review this? |
Signed-off-by: Rohit Agrawal <[email protected]>
@wbpcode Thank you so much for taking a look. I addressed your feedback and am happy to do the changes as needed. |
Signed-off-by: Rohit Agrawal <[email protected]>
|
/retest |
1 similar comment
|
/retest |
Signed-off-by: Rohit Agrawal <[email protected]>
|
Thanks for the update. Some new new minor comments are flushed. cc @yanavlasov for a second pass for this rbac change. :) |
Signed-off-by: Rohit Agrawal <[email protected]>
Signed-off-by: Rohit Agrawal <[email protected]>
Signed-off-by: Rohit Agrawal <[email protected]>
|
/retest |
|
LGM, will wait for @wbpcode approval and then merge. /wait-any |
Signed-off-by: Rohit Agrawal <[email protected]>
|
/retest |
1 similar comment
|
/retest |
Signed-off-by: Rohit Agrawal <[email protected]>
Signed-off-by: Rohit Agrawal <[email protected]>
Signed-off-by: Rohit Agrawal <[email protected]>
| type.matcher.v3.MetadataMatcher metadata = 7 [ | ||
| deprecated = true, | ||
| (envoy.annotations.deprecated_at_minor_version) = "3.0", | ||
| (envoy.annotations.disallowed_by_default) = true |
There was a problem hiding this comment.
Thanks so much. But I think we doesn't need to add this (envoy.annotations.disallowed_by_default) now.
| type.matcher.v3.MetadataMatcher metadata = 7 [ | ||
| deprecated = true, | ||
| (envoy.annotations.deprecated_at_minor_version) = "3.0", | ||
| (envoy.annotations.disallowed_by_default) = true |
| TEST(PortRangeMatcher, EdgeCases) { | ||
| Envoy::Network::MockConnection conn; | ||
| Envoy::Http::TestRequestHeaderMapImpl headers; | ||
| NiceMock<StreamInfo::MockStreamInfo> info; | ||
|
|
||
| // Test boundary conditions | ||
| envoy::type::v3::Int32Range range; | ||
| range.set_start(1); | ||
| range.set_end(65535); | ||
|
|
||
| // Test port at start of range | ||
| Envoy::Network::Address::InstanceConstSharedPtr addr1 = | ||
| Envoy::Network::Utility::parseInternetAddressNoThrow("1.2.3.4", 1, false); | ||
| info.downstream_connection_info_provider_->setLocalAddress(addr1); | ||
| checkMatcher(PortRangeMatcher(range), true, conn, headers, info); | ||
|
|
||
| // Test port at end of range - 1 | ||
| Envoy::Network::Address::InstanceConstSharedPtr addr2 = |
There was a problem hiding this comment.
Seems these are unreleated to this PR?
|
/wait |
Background
This PR adds a new option called
sourced_metadatato RBAC permissions and principals which allows specifying an optional source for the metadata to be matched. Currently it only supports Dynamic Metadata and Route Metadata. More options could be added later.Fixes: #34913
Commit Message: rbac: add support for matching on route metadata
Additional Description: This PR adds a new option called
sourced_metadatato RBAC permissions and principals which allows specifying an optional source for the metadata to be matched.Risk Level: Low
Testing: Added Unit & Integration Tests
Docs Changes: Added
Release Notes: Added