Index ¶
- Variables
- type ExtAuthz
- func (x *ExtAuthz) ClearFilterEnabledMetadata()
- func (x *ExtAuthz) ClearGrpcService()
- func (x *ExtAuthz) GetBootstrapMetadataLabelsKey() string
- func (x *ExtAuthz) GetFailureModeAllow() bool
- func (x *ExtAuthz) GetFilterEnabledMetadata() *v31.MetadataMatcher
- func (x *ExtAuthz) GetGrpcService() *v3.GrpcService
- func (x *ExtAuthz) GetIncludePeerCertificate() bool
- func (x *ExtAuthz) GetIncludeTlsSession() bool
- func (x *ExtAuthz) GetMetadataContextNamespaces() []string
- func (x *ExtAuthz) GetSendTlsAlertOnDenial() bool
- func (x *ExtAuthz) GetStatPrefix() string
- func (x *ExtAuthz) GetTransportApiVersion() v3.ApiVersion
- func (x *ExtAuthz) GetTypedMetadataContextNamespaces() []string
- func (x *ExtAuthz) HasFilterEnabledMetadata() bool
- func (x *ExtAuthz) HasGrpcService() bool
- func (*ExtAuthz) ProtoMessage()
- func (x *ExtAuthz) ProtoReflect() protoreflect.Message
- func (x *ExtAuthz) Reset()
- func (x *ExtAuthz) SetBootstrapMetadataLabelsKey(v string)
- func (x *ExtAuthz) SetFailureModeAllow(v bool)
- func (x *ExtAuthz) SetFilterEnabledMetadata(v *v31.MetadataMatcher)
- func (x *ExtAuthz) SetGrpcService(v *v3.GrpcService)
- func (x *ExtAuthz) SetIncludePeerCertificate(v bool)
- func (x *ExtAuthz) SetIncludeTlsSession(v bool)
- func (x *ExtAuthz) SetMetadataContextNamespaces(v []string)
- func (x *ExtAuthz) SetSendTlsAlertOnDenial(v bool)
- func (x *ExtAuthz) SetStatPrefix(v string)
- func (x *ExtAuthz) SetTransportApiVersion(v v3.ApiVersion)
- func (x *ExtAuthz) SetTypedMetadataContextNamespaces(v []string)
- func (x *ExtAuthz) String() string
- type ExtAuthz_builder
Variables ¶
View Source
var File_envoy_extensions_filters_network_ext_authz_v3_ext_authz_proto protoreflect.FileDescriptor
Types ¶
type ExtAuthz ¶
// ExtAuthz is the configuration message of the network-level external
// authorization filter. The filter issues a CheckRequest to the configured
// gRPC authorization service for each connection and closes the TCP
// connection when the check fails. Fields map one-to-one to the
// ext_authz.proto message; the struct tags are the generated protobuf/json
// tags.
type ExtAuthz struct {
	// The prefix to use when emitting statistics.
	StatPrefix string `protobuf:"bytes,1,opt,name=stat_prefix,json=statPrefix,proto3" json:"stat_prefix,omitempty"`
	// The external authorization gRPC service configuration.
	// The default timeout is set to 200ms by this filter.
	GrpcService *v3.GrpcService `protobuf:"bytes,2,opt,name=grpc_service,json=grpcService,proto3" json:"grpc_service,omitempty"`
	// The filter's behaviour in case the external authorization service does
	// not respond. When it is set to true, Envoy will also allow traffic in case of
	// communication failure between authorization service and the proxy.
	// Defaults to false.
	//
	// NOTE(review): true makes the filter fail open — connections are admitted
	// without an authorization decision while the service is unreachable.
	// Whether an exceeded GrpcService timeout counts as a communication
	// failure is not visible here; confirm against the filter implementation.
	FailureModeAllow bool `protobuf:"varint,3,opt,name=failure_mode_allow,json=failureModeAllow,proto3" json:"failure_mode_allow,omitempty"`
	// Specifies if the peer certificate is sent to the external service.
	//
	// When this field is true, Envoy will include the peer X.509 certificate, if available, in the
	// :ref:`certificate<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.certificate>`.
	//
	// The certificate identifies the client and is forwarded to the
	// authorization service; enable it only when that service needs it.
	IncludePeerCertificate bool `` /* 130-byte string literal not displayed */
	// API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
	// version of Check{Request,Response} used on the wire.
	TransportApiVersion v3.ApiVersion `` /* 158-byte string literal not displayed */
	// Specifies if the filter is enabled with metadata matcher.
	// If this field is not specified, the filter will be enabled for all requests.
	//
	// NOTE(review): when a matcher is set, connections it does not match
	// presumably skip external authorization entirely; keep the matcher narrow
	// enough that any unmatched traffic is intentionally exempt.
	FilterEnabledMetadata *v31.MetadataMatcher `` /* 126-byte string literal not displayed */
	// Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in
	// :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
	// The labels will be read from :ref:`metadata<envoy_v3_api_msg_config.core.v3.Node>` with the specified key.
	// The source is the proxy's own Node metadata, not data from the connection.
	BootstrapMetadataLabelsKey string `` /* 143-byte string literal not displayed */
	// Specifies if the TLS session level details like SNI are sent to the external service.
	//
	// When this field is true, Envoy will include the SNI name used for TLSClientHello, if available, in the
	// :ref:`tls_session<envoy_v3_api_field_service.auth.v3.AttributeContext.tls_session>`.
	IncludeTlsSession bool `protobuf:"varint,8,opt,name=include_tls_session,json=includeTlsSession,proto3" json:"include_tls_session,omitempty"`
	// When set to true, the filter will send a TLS access_denied(49) alert before closing
	// the connection when authorization is denied. This provides better visibility to TLS clients
	// about the reason for connection closure. This alert is only sent for TLS connections. The
	// non-TLS connections will be closed without sending an alert.
	//
	// Defaults to false.
	//
	// The alert tells the client that the close was a policy denial rather
	// than a transport fault; leave it off if that distinction should not be
	// observable by the peer.
	SendTlsAlertOnDenial bool `` /* 128-byte string literal not displayed */
	// Specifies a list of metadata namespaces whose values, if present, will be passed to the
	// ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
	// is passed as an opaque protobuf::Struct.
	//
	// For example, if the proxy_protocol listener filter is used and populates TLV metadata,
	// then the following will pass that metadata to the authorization server for making decisions
	// based on proxy protocol information.
	//
	// .. code-block:: yaml
	//
	//   metadata_context_namespaces:
	//   - envoy.filters.listener.proxy_protocol
	//
	// Because the Struct is opaque, the authorization service must validate
	// its contents without a shared schema; prefer
	// TypedMetadataContextNamespaces where a protobuf definition exists.
	MetadataContextNamespaces []string `` /* 139-byte string literal not displayed */
	// Specifies a list of metadata namespaces whose values, if present, will be passed to the
	// ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
	// is passed as a protobuf::Any.
	//
	// This works similarly to metadata_context_namespaces but allows Envoy and the ext_authz server to share
	// the protobuf message definition in order to perform safe parsing.
	TypedMetadataContextNamespaces []string `` /* 156-byte string literal not displayed */
	// contains filtered or unexported fields
}
The External Authorization filter calls out to an external service over the gRPC Authorization API defined by :ref:`CheckRequest <envoy_v3_api_msg_service.auth.v3.CheckRequest>`. A failed check causes this filter to close the TCP connection. [#next-free-field: 12]
func (*ExtAuthz) GetBootstrapMetadataLabelsKey ¶
func (*ExtAuthz) GetFilterEnabledMetadata ¶
func (x *ExtAuthz) GetFilterEnabledMetadata() *v31.MetadataMatcher
func (*ExtAuthz) GetGrpcService ¶
func (x *ExtAuthz) GetGrpcService() *v3.GrpcService
func (*ExtAuthz) GetMetadataContextNamespaces ¶
func (*ExtAuthz) GetTransportApiVersion ¶
func (x *ExtAuthz) GetTransportApiVersion() v3.ApiVersion
func (*ExtAuthz) GetTypedMetadataContextNamespaces ¶
func (*ExtAuthz) ProtoReflect ¶
func (x *ExtAuthz) ProtoReflect() protoreflect.Message
func (*ExtAuthz) SetBootstrapMetadataLabelsKey ¶
func (*ExtAuthz) SetFilterEnabledMetadata ¶
func (x *ExtAuthz) SetFilterEnabledMetadata(v *v31.MetadataMatcher)
func (*ExtAuthz) SetGrpcService ¶
func (x *ExtAuthz) SetGrpcService(v *v3.GrpcService)
func (*ExtAuthz) SetMetadataContextNamespaces ¶
func (*ExtAuthz) SetTransportApiVersion ¶
func (x *ExtAuthz) SetTransportApiVersion(v v3.ApiVersion)
func (*ExtAuthz) SetTypedMetadataContextNamespaces ¶
type ExtAuthz_builder ¶
// ExtAuthz_builder is the builder form of ExtAuthz: populate the fields
// below and call Build to obtain an *ExtAuthz. Field meanings are identical
// to the ExtAuthz message they populate.
type ExtAuthz_builder struct {
	// The prefix to use when emitting statistics.
	StatPrefix string
	// The external authorization gRPC service configuration.
	// The default timeout is set to 200ms by this filter.
	GrpcService *v3.GrpcService
	// The filter's behaviour in case the external authorization service does
	// not respond. When it is set to true, Envoy will also allow traffic in case of
	// communication failure between authorization service and the proxy.
	// Defaults to false.
	//
	// NOTE(review): true makes the filter fail open — connections are admitted
	// without an authorization decision while the service is unreachable.
	// Whether an exceeded GrpcService timeout counts as a communication
	// failure is not visible here; confirm against the filter implementation.
	FailureModeAllow bool
	// Specifies if the peer certificate is sent to the external service.
	//
	// When this field is true, Envoy will include the peer X.509 certificate, if available, in the
	// :ref:`certificate<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.certificate>`.
	//
	// The certificate identifies the client and is forwarded to the
	// authorization service; enable it only when that service needs it.
	IncludePeerCertificate bool
	// API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
	// version of Check{Request,Response} used on the wire.
	TransportApiVersion v3.ApiVersion
	// Specifies if the filter is enabled with metadata matcher.
	// If this field is not specified, the filter will be enabled for all requests.
	//
	// NOTE(review): when a matcher is set, connections it does not match
	// presumably skip external authorization entirely; keep the matcher narrow
	// enough that any unmatched traffic is intentionally exempt.
	FilterEnabledMetadata *v31.MetadataMatcher
	// Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in
	// :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
	// The labels will be read from :ref:`metadata<envoy_v3_api_msg_config.core.v3.Node>` with the specified key.
	// The source is the proxy's own Node metadata, not data from the connection.
	BootstrapMetadataLabelsKey string
	// Specifies if the TLS session level details like SNI are sent to the external service.
	//
	// When this field is true, Envoy will include the SNI name used for TLSClientHello, if available, in the
	// :ref:`tls_session<envoy_v3_api_field_service.auth.v3.AttributeContext.tls_session>`.
	IncludeTlsSession bool
	// When set to true, the filter will send a TLS access_denied(49) alert before closing
	// the connection when authorization is denied. This provides better visibility to TLS clients
	// about the reason for connection closure. This alert is only sent for TLS connections. The
	// non-TLS connections will be closed without sending an alert.
	//
	// Defaults to false.
	//
	// The alert tells the client that the close was a policy denial rather
	// than a transport fault; leave it off if that distinction should not be
	// observable by the peer.
	SendTlsAlertOnDenial bool
	// Specifies a list of metadata namespaces whose values, if present, will be passed to the
	// ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
	// is passed as an opaque protobuf::Struct.
	//
	// For example, if the proxy_protocol listener filter is used and populates TLV metadata,
	// then the following will pass that metadata to the authorization server for making decisions
	// based on proxy protocol information.
	//
	// .. code-block:: yaml
	//
	//   metadata_context_namespaces:
	//   - envoy.filters.listener.proxy_protocol
	//
	// Because the Struct is opaque, the authorization service must validate
	// its contents without a shared schema; prefer
	// TypedMetadataContextNamespaces where a protobuf definition exists.
	MetadataContextNamespaces []string
	// Specifies a list of metadata namespaces whose values, if present, will be passed to the
	// ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
	// is passed as a protobuf::Any.
	//
	// This works similarly to metadata_context_namespaces but allows Envoy and the ext_authz server to share
	// the protobuf message definition in order to perform safe parsing.
	TypedMetadataContextNamespaces []string
	// contains filtered or unexported fields
}
func (ExtAuthz_builder) Build ¶
func (b0 ExtAuthz_builder) Build() *ExtAuthz
Source Files
¶
- ext_authz.pb.go