RBAC

The Envoy RBAC filter enables Role Based Access Control on the HTTP connection manager (http_connection_manager) listener object: every request passing through the proxy is checked against a set of policies before it is forwarded to the upstream service. For the full set of configuration options, see the Envoy RBAC filter section of the official Envoy documentation.

Enabling The RBAC Filter

To enable the RBAC filter we will be using the Greymatter CLI to make changes to our proxy objects within the API.

greymatter edit proxy <proxy-key>

This will open the proxy object in your shell's console editor. Two fields matter here: active_proxy_filters and proxy_filters.

In the active_proxy_filters array, add another list item, envoy.rbac. For example, to have the Grey Matter metrics, Grey Matter observables, and Envoy RBAC filters enabled:

    "active_proxy_filters": [
        "gm.metrics",
        "gm.observables",
        "envoy.rbac"
    ],

Do not save and exit yet: so far we have only told the Grey Matter Sidecar which filters to run, but we have not provided any configuration for the RBAC filter. Each active filter has a matching configuration object under proxy_filters (you will already see a gm_observables object there for the observables filter). Add an envoy.rbac object alongside it to configure the new filter. The example below uses action 0 (ALLOW): a request is permitted only if it matches at least one policy and is denied otherwise, and a policy matches when the request satisfies any one of its permissions and any one of its principals:

    "envoy.rbac": {
        "rules": {
            "action": 0,
            "policies": {
                "service-admin": {
                    "permissions": [
                        {
                            "any": true
                        }
                    ],
                    "principals": [
                        {
                            "header": {
                                "name": "user_dn",
                                "exact_match": "cn=firstname.lastname"
                            }
                        }
                    ]
                },
                "product-viewer": {
                    "permissions": [
                        {
                            "header": {
                                "name": ":method",
                                "exact_match": "GET"
                            }
                        }
                    ],
                    "principals": [
                        {
                            "any": true
                        }
                    ]
                }
            }
        }
    }

Once you have edited the configuration to your liking, save the modified JSON and exit; the Grey Matter CLI writes it back to your instance of the Grey Matter Control API. Proxies with the key you edited (proxy-key above) will then receive the new configuration and hot reload with the filter enabled.

With the filter enabled as shown above, a request gets full access only if it carries a user_dn HTTP header whose value exactly matches one of the approved principals (header names are matched case-insensitively, so USER_DN and user_dn are the same header, but exact_match compares the value literally). Every other request is limited to GET; any other method is denied.
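To check what a policy will do before pushing it to the mesh, the following is an added example (not Grey Matter or Envoy code) that re-implements the matching rules described above in Python and evaluates sample requests against a copy of the page's envoy.rbac configuration. It supports only the matcher shapes used on this page ("any", and "header" with "exact_match") and refuses anything else, so an unsupported matcher cannot silently pass. The request shapes and the DENY-mode example are constructed inputs, not anything from the original page.

```python
"""Offline evaluator for an Envoy RBAC filter config (added example).

Reproduces the documented matching semantics:
  - a request matches a policy when it matches ANY of the policy's
    permissions AND ANY of its principals;
  - action 0 (ALLOW): allowed only if some policy matches;
    action 1 (DENY): denied if some policy matches, otherwise allowed;
  - header names are compared case-insensitively; :method is a
    pseudo-header carrying the request method.
"""
import json

# Copy of the page's envoy.rbac configuration, embedded as a constructed fixture.
RBAC_CONFIG = json.loads("""
{
  "rules": {
    "action": 0,
    "policies": {
      "service-admin": {
        "permissions": [{"any": true}],
        "principals": [{"header": {"name": "user_dn",
                                   "exact_match": "cn=firstname.lastname"}}]
      },
      "product-viewer": {
        "permissions": [{"header": {"name": ":method", "exact_match": "GET"}}],
        "principals": [{"any": true}]
      }
    }
  }
}
""")

ALLOW, DENY = 0, 1
DENIED_BODY = "RBAC: access denied"  # body Envoy sends with its 403


def _header_matches(matcher, headers):
    """Evaluate one HeaderMatcher against a dict of lowercased header names."""
    value = headers.get(matcher["name"].lower())
    if value is None:
        return False
    if "exact_match" in matcher:
        return value == matcher["exact_match"]  # literal, case-sensitive compare
    raise NotImplementedError(f"unsupported header matcher: {matcher}")


def _rule_matches(rule, headers):
    """Permissions and principals share the matcher shapes used on this page."""
    if rule.get("any"):
        return True
    if "header" in rule:
        return _header_matches(rule["header"], headers)
    raise NotImplementedError(f"unsupported rule: {rule}")


def matching_policies(rules, method, headers):
    """Names of the policies a request matches (OR inside each list)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    hdrs[":method"] = method.upper()
    return [
        name for name, pol in rules["policies"].items()
        if any(_rule_matches(p, hdrs) for p in pol["permissions"])
        and any(_rule_matches(p, hdrs) for p in pol["principals"])
    ]


def evaluate(config, method, headers=None):
    """True if the filter lets the request through, False if it rejects it."""
    rules = config["rules"]
    matched = bool(matching_policies(rules, method, headers or {}))
    action = rules.get("action", ALLOW)
    return matched if action == ALLOW else not matched


def filter_response(config, method, headers=None):
    """None when the request continues upstream, else the (status, body) Envoy returns."""
    if evaluate(config, method, headers):
        return None
    return (403, DENIED_BODY)


if __name__ == "__main__":
    # Constructed sample requests against the page's policy.
    for method, hdrs in [("GET", {}), ("POST", {}),
                         ("POST", {"USER_DN": "cn=firstname.lastname"}),
                         ("DELETE", {"user_dn": "cn=someone.else"})]:
        print(method, hdrs, "->", filter_response(RBAC_CONFIG, method, hdrs) or "allowed")
```

Running the script shows the behaviour the text describes: an anonymous GET is allowed, an anonymous POST gets the 403, a POST carrying the approved DN (in any header-name case) is allowed, and a non-GET with an unlisted DN is denied. Flipping action to 1 (DENY) with the same policies inverts the outcome, which is an easy mistake to catch here rather than in production.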

NOTE: when running in the full mesh (not a stand-alone proxy) the user_dn header can be set with the gm.inheaders filter. Typically this is done at the edge node, so that the header is already populated for all calls into the mesh. Because the RBAC filter trusts whatever value arrives in user_dn, the edge must set (and overwrite) that header itself rather than forward a client-supplied one; otherwise any client could claim the admin DN.

If the DN is not passed (or does not match a listed principal) and the request is not a GET, the proxy rejects it with an HTTP 403 whose body is:

RBAC: access denied