Role Based Access Control (RBAC) Filter

The RBAC filter is used to authorize actions (permissions) by identified downstream clients (principals). This is useful to explicitly manage callers to an application and protect it from unexpected or forbidden agents. The filter supports configuration with either a safe-list (ALLOW) or block-list (DENY) set of policies based off properties of the connection (IPs, ports, SSL subject) as well as the incoming request’s HTTP headers. This filter also supports policy in both enforcement and shadow mode, shadow mode won’t effect real users, it is used to test that a new set of policies work before rolling out to production.

  • v2 API reference
  • This filter should be configured with the name envoy.filters.http.rbac.

Per-Route Configuration

The RBAC filter configuration can be overridden or disabled on a per-route basis by providing a RBACPerRoute configuration on the virtual host, route, or weighted cluster.

Statistics

The RBAC filter outputs statistics in the http..rbac. namespace. The stat prefix comes from the owning HTTP connection manager.

NameTypeDescription
allowedCounterTotal requests that were allowed access
deniedCounterTotal requests that were denied access
shadow_allowedCounterTotal requests that would be allowed access by the filter’s shadow rules
shadow_deniedCounterTotal requests that would be denied access by the filter’s shadow rules

Dynamic Metadata

The RBAC filter emits the following dynamic metadata.

NameTypeDescription
shadow_effective_policy_idstringThe effective shadow policy ID matching the action (if any).
shadow_engine_resultstringThe engine result for the shadow rules (i.e. either allowed or denied).