Metadata matcher

MetadataMatcher provides a general interface for checking whether a given value is matched in Metadata. It uses filter and path to retrieve the value from the Metadata and then checks whether it matches the specified value.

For example, for the following Metadata:

  filter_metadata:
    envoy.filters.http.rbac:
      fields:
        a:
          struct_value:
            fields:
              b:
                struct_value:
                  fields:
                    c:
                      string_value: pro
              t:
                list_value:
                  values:
                    - string_value: m
                    - string_value: n

The following MetadataMatcher is matched, because the path [a, b, c] retrieves the string value “pro” from the Metadata, which satisfies the specified prefix match.

  filter: envoy.filters.http.rbac
  path:
    - key: a
    - key: b
    - key: c
  value:
    string_match:
      prefix: pr

The following MetadataMatcher is matched, because the matcher will match one of the string values in the list at the path [a, t].

  filter: envoy.filters.http.rbac
  path:
    - key: a
    - key: t
  value:
    list_match:
      one_of:
        string_match:
          exact: m

An example use of MetadataMatcher is specifying additional metadata in envoy.filters.http.rbac to enforce access control based on dynamic metadata in a request. See Permission and Principal.
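
The lookup and matching rules from the two examples above, written out as a small Python model. This is an added example, not Envoy's code: the dict/list representation of Metadata, the function names, and the treatment of an unresolved path as "no match" before invert is applied are assumptions of the model.

```python
# Simplified model of MetadataMatcher evaluation (added example, not Envoy code).
# Metadata is written as plain dicts/lists instead of protobuf Struct/Value.
METADATA = {  # the page's example metadata, flattened to native Python types
    "envoy.filters.http.rbac": {"a": {"b": {"c": "pro"}, "t": ["m", "n"]}},
}
_MISSING = object()  # sentinel: the path did not resolve to any value


def lookup(metadata, filter_name, path):
    """Walk `path` inside metadata[filter_name]; return _MISSING if absent."""
    current = metadata.get(filter_name, _MISSING)
    for key in path:
        # Only a Struct (dict) can be descended into. A list cannot, so a
        # key that refers to a list has to be the last segment of the path.
        if not isinstance(current, dict) or key not in current:
            return _MISSING
        current = current[key]
    return current


def value_matches(value, matcher):
    """Evaluate the two ValueMatcher kinds used on the page."""
    if "string_match" in matcher:
        rule = matcher["string_match"]
        if not isinstance(value, str):
            return False
        if "exact" in rule:
            return value == rule["exact"]
        if "prefix" in rule:
            return value.startswith(rule["prefix"])
        raise ValueError("string_match kind not modelled here")
    if "list_match" in matcher:
        one_of = matcher["list_match"]["one_of"]
        return isinstance(value, list) and any(
            value_matches(item, one_of) for item in value
        )
    raise ValueError("value matcher kind not modelled here")


def metadata_match(metadata, matcher):
    """Return the final result of a MetadataMatcher, including invert."""
    keys = [segment["key"] for segment in matcher["path"]]
    value = lookup(metadata, matcher["filter"], keys)
    # Assumption of this model: an unresolved path counts as "no match".
    matched = value is not _MISSING and value_matches(value, matcher["value"])
    return matched != matcher.get("invert", False)
```

In this model, `invert: true` turns an unresolved path into a match, so an inverted matcher used for access control should be tested against requests that carry no metadata for the filter at all.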

type.matcher.v3.MetadataMatcher

[type.matcher.v3.MetadataMatcher proto]

  {
    "filter": "...",
    "path": [],
    "value": "{...}",
    "invert": "..."
  }

filter

(string, REQUIRED) The filter name to retrieve the Struct from the Metadata.

path

(repeated type.matcher.v3.MetadataMatcher.PathSegment, REQUIRED) The path to retrieve the Value from the Struct.

value

(type.matcher.v3.ValueMatcher, REQUIRED) The MetadataMatcher is matched if the value retrieved by path is matched to this value.

invert

(bool) If true, the match result will be inverted.

type.matcher.v3.MetadataMatcher.PathSegment

[type.matcher.v3.MetadataMatcher.PathSegment proto]

Specifies a segment in a path for retrieving a value from Metadata. Note: retrieving a value from a list in Metadata is currently not supported. This means that if the segment key refers to a list, it has to be the last segment in a path.

  {
    "key": "..."
  }

key

(string, REQUIRED) If specified, use the key to retrieve the value in a Struct.