Last active
May 11, 2023 16:16
-
-
Save dfawley/76b3f2001dff3c07b50c667f37fcc7a7 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "title": "AuthorizationPolicy", | |
| "definitions": { | |
| "rule": { | |
| "description": "Specification of rules. An empty rule is always matched (i.e., both source and request are empty)", | |
| "type" : "object", | |
| "properties": { | |
| "name": { | |
| "description": "The name of an authorization rule. This name should be unique within the list of deny (or allow) rules. It is mainly for monitoring and error message generation.", | |
| "type": "string" | |
| }, | |
| "source": { | |
| "description": "Specifies attributes of a peer. Fields in the source are ANDed together, once we support multiple fields in the future. If not set, no checks will be performed against the source.", | |
| "type": "object", | |
| "properties": { | |
| "principals": { | |
| "description": "A list of peer identities to match for authorization. The principals are one of, i.e., it matches if one of the principals matches. The field supports Exact, Prefix, Suffix and Presence matches. - Exact match: \"abc\" will match on value \"abc\". - Prefix match: \"abc*\" will match on value \"abc\" and \"abcd\". - Suffix match: \"*abc\" will match on value \"abc\" and \"xabc\". - Presence match: \"*\" will match when the value is not empty.", | |
| "type": "array", | |
| "items": { | |
| "type": "string" | |
| } | |
| } | |
| } | |
| }, | |
| "request": { | |
| "description": "Specifies attributes of a request. Fields in the request are ANDed together. If not set, no checks will be performed against the request.", | |
| "type": "object", | |
| "properties": { | |
| "paths": { | |
| "description": "A list of paths to match for authorization. This is the fully qualified name in the form of \"/package.service/method\". The paths are ORed together, i.e., it matches if one of the paths matches. This field supports Exact, Prefix, Suffix and Presence matches. - Exact match: \"abc\" will match on value \"abc\". - Prefix match: \"abc*\" will match on value \"abc\" and \"abcd\". - Suffix match: \"*abc\" will match on value \"abc\" and \"xabc\". - Presence match: \"*\" will match when the value is not empty.", | |
| "type": "array", | |
| "items": { | |
| "type": "string" | |
| } | |
| }, | |
| "headers": { | |
| "description": "A list of HTTP header key/value pairs to match against, for potentially advanced use cases. The headers are ANDed together, i.e., it matches only if *all* the headers match.", | |
| "type": "array", | |
| "items": { | |
| "type": "object", | |
| "properties": { | |
| "key": { | |
| "description": "The name of the HTTP header to match. The following headers are *not* supported: the \"Host\" header, \"hop-by-hop\" headers (e.g. those listed in \"Connection\" header), HTTP/2 pseudo headers (\":\"-prefixed) and headers prefixed with \"grpc-\".", | |
| "type": "string" | |
| }, | |
| "values": { | |
| "description": "A list of header values to match. The header values are ORed together,i.e., it matches if one of the values matches. Multi-valued headers are considered a single value with commas added between values. This field supports Exact, Prefix, Suffix and Presence match. - Exact match: \"abc\" will match on value \"abc\". - Prefix match: \"abc*\" will match on value \"abc\" and \"abcd\". - Suffix match: \"*abc\" will match on value \"abc\" and \"xabc\". - Presence match: \"*\" will match when the value is not empty.", | |
| "type": "array", | |
| "items": { | |
| "type": "string" | |
| } | |
| } | |
| }, | |
| "required": ["key", "values"] | |
| } | |
| } | |
| } | |
| } | |
| }, | |
| "required": ["name"] | |
| } | |
| }, | |
| "description": "AuthorizationPolicy defines which principals are permitted to access which resource. Resources are RPC methods scoped by services.", | |
| "type": "object", | |
| "properties": { | |
| "name": { | |
| "description": "The name of an authorization policy. It is mainly for monitoring and error message generation.", | |
| "type": "string" | |
| }, | |
| "deny_rules": { | |
| "description": "List of deny rules to match. If a request matches any of the deny rules, then it will be denied. If none of the deny rules matches or there are no deny rules, the allow rules will be evaluated.", | |
| "type": "array", | |
| "items": { | |
| "$ref": "#/definitions/rule" | |
| } | |
| }, | |
| "allow_rules": { | |
| "description": "List of allow rules to match. The allow rules will only be evaluated after the deny rules. If a request matches any of the allow rules, then it will allowed. If none of the allow rules matches, it will be denied.", | |
| "type": "array", | |
| "items": { | |
| "$ref": "#/definitions/rule" | |
| } | |
| } | |
| }, | |
| "required": ["name", "allow_rules"] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment