
Configuration details for the RBAC filter.

RBAC

The Envoy RBAC filter enables Role Based Access Control on the HTTP connection manager listener object. More information on the Envoy RBAC filter can be found in the official Envoy docs.

Enable the RBAC Filter

To enable the RBAC filter, use the greymatter CLI:

greymatter edit proxy --proxy-key $PROXY_KEY

This will bring up your favorite console editor in your shell. You'll want to note two fields: active_proxy_filters and proxy_filters.

If you need to install the Grey Matter CLI, follow the Commands CLI guide (../../../../guides/commands-cli/).

Add Another List Item

In the active_proxy_filters array, add another list item, envoy.rbac. Each entry here uses the dotted form of the matching key under proxy_filters (gm.observables here corresponds to gm_observables below, and envoy.rbac to envoy_rbac):

  "active_proxy_filters": [
    "gm.metrics",
    "gm.observables",
    "envoy.rbac"
  ],

Under the proxy_filters object you'll see a gm_observables object, which holds the configuration for the gm.observables entry above. Add an envoy_rbac object alongside it; this is where the new filter is configured:

"envoy_rbac": {
    "rules": {
        "action": 0,
        "policies": {
            "service-admin": {
                "permissions": [{
                    "any": true
                }],
                "principals": [{
                    "header": {
                        "name": "user_dn",
                        "exact_match": "cn=firstname.lastname"
                    }
                }]
            },
            "product-viewer": {
                "permissions": [{
                    "header": {
                        "name": ":method",
                        "exact_match": "GET"
                    }
                }],
                "principals": [{
                    "any": true
                }]
            }
        }
    }
}

Once you've edited the configuration to your liking, save the modified JSON; the Grey Matter CLI will push it to your instance of the Grey Matter Control API. Proxies with the key you passed as $PROXY_KEY (proxy-example in this guide's naming) will then receive the new configuration and hot reload with the filter enabled.

Pass the HTTP Header user_dn to All Requests

With action 0 (ALLOW), a request is admitted only if it matches at least one policy; everything else is rejected by the filter with a 403. Under the policy above, anyone may send GET requests (product-viewer), but every other method is accepted only when the request carries the header user_dn with the exact value cn=firstname.lastname (service-admin). So with the filter enabled you must now pass the HTTP header user_dn on all requests, otherwise access is restricted to GET. Because the principal is matched on a plain request header, the policy is only as strong as the hop that sets it: make sure user_dn is populated by a trusted component (for example, derived from the client certificate at the edge) and that a value supplied by the client itself cannot reach the filter unchanged, since such a client would otherwise match the service-admin policy.
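To check what the policy above admits before pushing it to a live proxy, the following Python models the filter's matching rules and runs a few constructed requests through them. This is an added example, not Envoy or Grey Matter code: it assumes Envoy's documented RBAC semantics (a policy matches when any of its permissions and any of its principals match, the rule set matches when any policy matches, action 0 is ALLOW and 1 is DENY), lowercases header names as Envoy does, and models only the two matcher kinds this page uses (any, and header with exact_match). The sample requests are constructed; the fourth one shows why a client-supplied user_dn header has to be stripped or overwritten upstream.

```python
"""Simplified model of Envoy RBAC filter matching (added example, not Envoy code).

Models only the matchers used on this page, with Envoy's documented semantics:
a policy matches when ANY permission matches AND ANY principal matches; the
rule set matches when ANY policy matches; action 0 (ALLOW) admits matched
requests and denies the rest, action 1 (DENY) does the opposite.
"""
import json

ALLOW, DENY = 0, 1

# The "rules" object of the envoy_rbac filter configured above, verbatim.
RULES = json.loads("""
{
    "action": 0,
    "policies": {
        "service-admin": {
            "permissions": [{"any": true}],
            "principals": [{"header": {"name": "user_dn",
                                        "exact_match": "cn=firstname.lastname"}}]
        },
        "product-viewer": {
            "permissions": [{"header": {"name": ":method", "exact_match": "GET"}}],
            "principals": [{"any": true}]
        }
    }
}
""")


def _header_map(method, headers):
    """Build the map Envoy matches against: header names lowercased (Envoy
    normalises them), plus the :method pseudo-header from the request line."""
    hmap = {name.lower(): value for name, value in headers.items()}
    hmap[":method"] = method.upper()
    return hmap


def _matcher_hits(matcher, hmap):
    """Evaluate one permission or principal entry. Unsupported matcher kinds
    raise rather than silently counting as a non-match."""
    if matcher.get("any") is True:
        return True
    if "header" in matcher:
        spec = matcher["header"]
        # exact_match is case-sensitive on the value, like Envoy's.
        return hmap.get(spec["name"].lower()) == spec["exact_match"]
    raise ValueError(f"unsupported matcher: {matcher}")


def matching_policies(rules, method, headers):
    """Names of the policies whose permissions AND principals both match."""
    hmap = _header_map(method, headers)
    hits = []
    for name, policy in rules["policies"].items():
        perm_ok = any(_matcher_hits(p, hmap) for p in policy["permissions"])
        princ_ok = any(_matcher_hits(p, hmap) for p in policy["principals"])
        if perm_ok and princ_ok:
            hits.append(name)
    return hits


def is_allowed(rules, method, headers):
    """Filter decision: True = request passes, False = 403 from the filter."""
    matched = bool(matching_policies(rules, method, headers))
    if rules["action"] == ALLOW:
        return matched
    if rules["action"] == DENY:
        return not matched
    raise ValueError(f"unknown action {rules['action']}")


if __name__ == "__main__":
    # Constructed sample requests covering the cases described above.
    cases = [
        ("GET", {}),                                      # anyone may GET
        ("POST", {}),                                     # no principal -> 403
        ("POST", {"user_dn": "cn=firstname.lastname"}),   # admin may POST
        ("POST", {"user_dn": "cn=firstname.lastname"}),   # same header, but set by
                                                          # the client = spoofed admin
        ("POST", {"user_dn": "CN=firstname.lastname"}),   # value case differs -> 403
    ]
    for method, hdrs in cases:
        verdict = "allow" if is_allowed(RULES, method, hdrs) else "deny"
        print(f"{method:6} {hdrs!s:42} -> {verdict} via {matching_policies(RULES, method, hdrs)}")
```

The third and fourth cases are indistinguishable to the filter, which is the point of the caveat above: the RBAC filter trusts whatever value of user_dn reaches it, so the edge must be the only thing that can set it.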