Test the local RBAC with static config
# Start Envoy with the RBAC filter. You need a recent upstream Envoy build with RBAC filter support.
# Note: the static config includes an RBAC rule that only allows access to the path "/allow".
$ envoy -l debug -c sample_rbac_config.yaml

# Start a test server listening on port 10001
$ while true; do echo -e "HTTP/1.1 200 OK\n\n Welcome" | nc -l 127.0.0.1 10001 -q 1; done

# First, try to access a path that is not included in the RBAC policy.
# Check that the response is "RBAC: access denied". This means the request was denied by the RBAC filter and never reached the test server.
$ curl http://127.0.0.1:9999/hello

# Then try to access the path that is included in the RBAC policy.
# Check that the response is "Welcome". This means the request passed the RBAC filter and reached the test server.
$ curl http://127.0.0.1:9999/allow

# sample_rbac_config.yaml
admin:
  access_log_path: /tmp/admin_access.log
  address:
    # The admin interface has no authentication of its own and is bound to all
    # interfaces here; use 127.0.0.1 if other hosts can reach this machine.
    socket_address: { address: 0.0.0.0, port_value: 15000 }
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 127.0.0.1, port_value: 9999 }
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          stat_prefix: ingress_http
          codec_type: AUTO
          route_config:
            name: local_route
            virtual_hosts:
            - name: local_service
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: some_service }
          http_filters:
          # The RBAC filter must come before envoy.router so it runs first.
          - name: envoy.filters.http.rbac
            config:
              # No action is set, so the default (ALLOW) applies:
              # a request passes only if at least one policy matches it.
              rules:
                policies:
                  "only-allow":
                    permissions:
                    - any: true
                    principals:
                    # Exact match on the whole :path value, query string included.
                    - header: { name: ":path", exact_match: "/allow" }
          - name: envoy.router
  clusters:
  - name: some_service
    connect_timeout: 0.25s
    type: STATIC
    lb_policy: ROUND_ROBIN
    hosts: [{ socket_address: { address: 127.0.0.1, port_value: 10001 }}]
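
The decision the RBAC filter makes for this config, modelled in Python as an added example (not part of the gist and not Envoy code). It covers only the `any` and header `exact_match` matchers used above; the function names and the sample paths are constructed for illustration.

```python
# Simplified model of the RBAC decision for the "only-allow" policy above.
# Added illustration, not Envoy code: only `any` and header `exact_match`
# are modelled, and all function names here are hypothetical.

# The "rules" block of sample_rbac_config.yaml as a dict. The YAML sets no
# action, so the default (ALLOW) is written out explicitly.
RULES = {
    "action": "ALLOW",
    "policies": {
        "only-allow": {
            "permissions": [{"any": True}],
            "principals": [{"header": {"name": ":path", "exact_match": "/allow"}}],
        }
    },
}


def matches(rule, headers):
    """Evaluate one permission or principal entry against the request headers."""
    if rule.get("any"):
        return True
    header = rule.get("header")
    if header is not None:
        # exact_match compares the whole header value, byte for byte.
        return headers.get(header["name"]) == header["exact_match"]
    return False  # matcher kinds not modelled here never match


def policy_matches(policy, headers):
    # A policy matches when at least one permission AND one principal match.
    return (any(matches(p, headers) for p in policy["permissions"])
            and any(matches(p, headers) for p in policy["principals"]))


def decide(rules, headers):
    """Return True if the request is passed on to the router filter."""
    hit = any(policy_matches(p, headers) for p in rules["policies"].values())
    # ALLOW: pass only on a match. DENY: pass only when nothing matches.
    return hit if rules["action"] == "ALLOW" else not hit


def check(path):
    # :path carries the request target, query string included.
    return decide(RULES, {":path": path})


if __name__ == "__main__":
    # Constructed sample paths, including near-misses of "/allow".
    for path in ["/allow", "/hello", "/allow?debug=1", "/allow/", "/Allow"]:
        print(f"{path:16} -> {'Welcome' if check(path) else 'RBAC: access denied'}")
```

Only the literal `/allow` passes; a query string, trailing slash or different case falls through to the deny, which is worth checking with `curl` when adapting the policy to a real route.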