RBAC

The Envoy RBAC filter enables Role-Based Access Control on the HTTP connection manager listener object. For more information and the full configuration reference, see the official Envoy RBAC filter documentation.

Enabling The RBAC Filter

To enable the RBAC filter we will be using the Greymatter CLI to make changes to our listener objects within the API.

```
greymatter edit listener <listener-key>
```

This will open the listener object in your console editor of choice. You'll want to note two fields: `active_http_filters` and `http_filters`.

In the `active_http_filters` array, add another list item, `envoy.rbac`. For example, to have the Grey Matter metrics, Grey Matter observables, and Envoy RBAC filters enabled:

```json
"active_http_filters": [
  "gm.metrics",
  "gm.observables",
  "envoy.rbac"
],
```

Note: this can also be done in the proxy object using the `active_proxy_filters` and `proxy_filters` options. This will set the filter on every listener of the sidecar.

Do not save and exit at this point: so far we have only told the Grey Matter Sidecar which filters should be running, but we haven't provided any configuration for the RBAC filter. Under the `http_filters` object (where you'll also see the existing `gm_observables` object), add an `envoy_rbac` object. This is where we configure the new filter:

```json
"envoy_rbac": {
  "rules": {
    "action": 0,
    "policies": {
      "service-admin": {
        "permissions": [
          {
            "any": true
          }
        ],
        "principals": [
          {
            "header": {
              "name": "user_dn",
              "exact_match": "cn=firstname.lastname"
            }
          }
        ]
      },
      "product-viewer": {
        "permissions": [
          {
            "header": {
              "name": ":method",
              "exact_match": "GET"
            }
          }
        ],
        "principals": [
          {
            "any": true
          }
        ]
      }
    }
  }
}
```

Once you have edited the configuration to your liking, save the modified JSON and the Grey Matter CLI will push it to your instance of the Grey Matter Control API. The listener will then receive the new configuration and hot reload with the new filter enabled.

With the filter enabled as shown above, a call to this server has complete access only if it carries the HTTP header `USER_DN` with the value of an approved principal (here `cn=firstname.lastname`). All other calls are restricted to the `GET` method; every other method is denied.
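To make the semantics of the policy above concrete, here is a small evaluator for the subset of Envoy's RBAC policy language that this configuration uses (`any` matchers, `header` matchers with `exact_match`, and the `:method` pseudo-header). This is an added illustration, not Grey Matter or Envoy code; the `ALLOW`/`DENY` values, the constructed sample requests and the `evaluate`/`decide` function names are assumptions made for the example. It also shows two details a practitioner tends to trip over: header names are matched case-insensitively (so `USER_DN` and `user_dn` are the same header), while `exact_match` on the value is case-sensitive unless `ignore_case` is set.

```python
"""Minimal evaluator for the RBAC policy shown on this page (added example;
assumed behaviour modelled on Envoy's RBAC filter, not the project's code).

Supported matchers: {"any": true} and {"header": {"name": ..., "exact_match": ...}}.
":method" is treated as a pseudo-header holding the request method, as Envoy does.
"""

# Envoy RBAC Action enum values (assumption: ALLOW = 0, DENY = 1 as in envoy.config.rbac.v3).
ALLOW, DENY = 0, 1

# The "rules" block from the listener configuration above, as a Python dict.
RBAC_CONFIG = {
    "rules": {
        "action": ALLOW,
        "policies": {
            "service-admin": {
                "permissions": [{"any": True}],
                "principals": [{"header": {"name": "user_dn",
                                           "exact_match": "cn=firstname.lastname"}}],
            },
            "product-viewer": {
                "permissions": [{"header": {"name": ":method", "exact_match": "GET"}}],
                "principals": [{"any": True}],
            },
        },
    }
}


def _header_value(request, name):
    """Look up a header case-insensitively; ':method' maps to the request method."""
    if name == ":method":
        return request["method"]
    lowered = {k.lower(): v for k, v in request.get("headers", {}).items()}
    return lowered.get(name.lower())


def _matches(rule, request):
    """Evaluate a single permission or principal matcher against a request."""
    if rule.get("any"):
        return True
    if "header" in rule:
        header = rule["header"]
        # exact_match compares the value verbatim (case-sensitive).
        return _header_value(request, header["name"]) == header["exact_match"]
    raise ValueError(f"unsupported matcher in this example: {rule}")


def _policy_matches(policy, request):
    # A policy matches when at least one permission AND at least one principal match.
    return (any(_matches(p, request) for p in policy["permissions"])
            and any(_matches(p, request) for p in policy["principals"]))


def evaluate(config, request):
    """Return (allowed, matched_policy_name) for a request.

    With action ALLOW the request passes only if some policy matches;
    with action DENY a matching policy blocks it and everything else passes.
    """
    rules = config["rules"]
    for name, policy in rules["policies"].items():
        if _policy_matches(policy, request):
            return (rules["action"] == ALLOW, name)
    return (rules["action"] == DENY, None)


def decide(config, request):
    """Mimic the sidecar's observable outcome: forwarded, or the RBAC denial text."""
    allowed, _ = evaluate(config, request)
    return "forwarded upstream" if allowed else "RBAC: access denied"


# Constructed sample requests for the demonstration, not captured traffic.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/products", "headers": {}},
    {"method": "DELETE", "path": "/products/1", "headers": {}},
    {"method": "DELETE", "path": "/products/1",
     "headers": {"USER_DN": "cn=firstname.lastname"}},      # header name case does not matter
    {"method": "DELETE", "path": "/products/1",
     "headers": {"user_dn": "CN=Firstname.Lastname"}},      # value case does matter
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["method"], req["path"], req["headers"], "->", decide(RBAC_CONFIG, req))
```

Running the script walks the four constructed requests through the policy: the anonymous `GET` is admitted by `product-viewer`, the anonymous `DELETE` is denied, the `DELETE` carrying the exact DN is admitted by `service-admin`, and the `DELETE` whose DN differs only in letter case is denied, which is the outcome you should expect from the sidecar with the configuration above.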

Note: when running in the full mesh (rather than a stand-alone proxy), the `USER_DN` header can be set with the `gm.inheaders` filter. Typically this is done at the edge node, so that the appropriate headers are already populated for all calls into the mesh.

If the DN is not passed, you will see the following error message:

```
RBAC: access denied
```