Introduction
The GSL Role Based Access Control #RBACFilter
provides service-level and method-level access control for a service. You can use it to allow or deny requests based on the action and whether a matching policy is found. Each policy defines permissions and matching rules for incoming requests. Visit the greymatter documentation for a full list of configurations.
This guide will implement a basic RBAC policy that matches against service accounts and routes for incoming requests. It will have rules that allow full access to the service for some users, but access restricted to one route for others.
Prerequisites
- A greymatter
1.8.x
installation - A service that can receive requests
1. Add the RBAC
Filter
Open the GSL configuration file for your service. Select the listener that you wish to apply the policies on. Inside the listener’s filter array (add one if its not already present), insert the gsl.#RBACFilter
definition like this:
"myListener": {
...
filters: [
gsl.#RBACFilter
]
}
2. Configure the RBAC
Filter
The RBAC filter requires some configuration values to function correctly. As a filter, GSL expects its configuration within the #options
property.
...
gsl.#RBACFilter & {
#options: {
// Values go here
}
}
...
The configuration for the filter takes place within the following field:
rules
- RBAC rules to be applied. If absent, no enforcing RBAC policy will be applied. If present and empty, deny all requests.
The rules field has two main configurations:
action
- Actions can be to ALLOW, DENY, or LOG for a reqest that matches a policy.policies
- Set of named policies to match against
For this example, you will create two policies: one for service adminstrators, and one for product viewers. The former has access to the entire service, while the latter can only read the service at paths with prefix /<URL route path>
, so long as the destination port is either 80
or 443
.
Set this configuration by including the following values:
...
gsl.#RBACFilter & {
#options: {
rules: {
action: "ALLOW"
policies: {
// Service admin role
"service-admin": {
permissions: [ { any: true } ]
principals: [
{ authenticated: principal_name: exact: "cluster.local/ns/default/sa/admin" },
{ authenticated: principal_name: exact: "cluster.local/ns/default/sa/superuser" },
]
}
// Product viewer role
"product-viewer": {
permissions: [ {
and_rules: rules: [
{
header: {
name: ":method"
string_match: exact: "GET"
}
},
{
url_path: path: prefix: "/<URL route path>"
},
{
or_rules: rules: [
{ destination_port: 80 },
{ destination_port: 443 },
]
}
]
} ]
principals: [ { any: true } ]
}
}
}
}
}
...
3. Verify Configuration
You can verify your configuration is valid with:
greymatter sync --dry-run
Once you commit and push your changes to your greymatter git repository, all requests to the service will be passed through the RBAC filter. Test this by attempting to access a route other than /<URL route path>
without one of the service admin roles. You should be denied access.
Additionally, with one of the specified adminsitrator roles, ensure that you can access the service without restriction.
Conclusion
By completing this guide, you have set up basic RBAC policies on your service! You can now use various properties to restrict access based on particular roles.
Next Steps
- To learn more about advanced configuration options, read the GSL #RBACFilter reference page.