rbac: add unified matcher for RBAC filters

[zhxie]

Title: rbac: add unified matcher for RBAC filters

Description:

There are tons of issues marked as help wanted around RBAC. Some of them asking for new matchers (#4455, #6193, #15631), some of them requesting a unified, flexible and efficient matching mechanism for RBAC (#5569, #7918, #9376, #11832, #12285, #18064). Now, we already have a unified matching API, which can match network inputs (IP, port, SNI, protocol) and HTTP inputs (headers and trailers), almost everything what RBAC can handle now, with different matchers (list, map, trie) in any combinations.

There are some works to do:

1. Adapt connection/headers/stream info-based matcher. We currently do not have matchers for stream info like metadata and authentication, so we have to add one.
2. Add a custom matcher for CEL.
3. Add unified matcher for RBAC filters

I think it is a good first step to polish RBAC filters, we can merge connection/headers/stream info-based rules and CELs into an elegant and simple match tree, and we can also benefit from unified matcher and custom matchers, avoiding writing complex lengthy configurations and over and over again matching in the codes.

[zhxie]

I may help to add unified matcher and there are still a lot of work to do in the future for RBAC like a flexible action.
cc @htuch

[zhxie]

I have done some code works but I also have some comments on my exploration,

1. I would like to add a matcher in envoy.extensions.filters.network.rbac.v3.RBAC and envoy.extensions.filters.network.rbac.v3.RBAC, and the syntax of rules will be changed (see the code block below). It is obviously that the mapping relation action->policy name->policy will be changed to matcher->matcher name + action.
2. There will be no difference between permissions and principals (also see the code block below).
3. Action will be reconstructed, and there will be no LOG action. The LOG behavior allows matched requests to set dynamic metadata to true and unmatched to false, but in the unified matcher, an on_no_match field can catch all unmatched requests.
4. Not all network inputs can be supported in RBAC network filter. The network matching data and inputs require a ConnectionSocket while a network filter can only provide a Connection, SourceType, TransportProtocol and ApplicationProcol cannot be supported. @kyessenov do you have any workarounds?

May I ask for your thoughts on these changes? @htuch

http_filters:
- name: envoy.filters.http.rbac
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
    # rules:
    #   action: ALLOW
    #   policies:
    #     "deny-http":
    #       permissions:
    #       - destination_port: 80
    #       principals:
    #       - any: true
    matcher:
      matcher_tree:
        input:
          name: envoy.matching.inputs.source_port
          typed_config:
            "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourcePortInput
        exact_match_map:
          map:
            "80":
              action:
                name: action # This name is the registered name for registry factory lookup.
                typed_config:
                  "@type": type.googleapis.com/envoy.config.rbac.v3.Action
                  name: deny-http # Alternative of policy name.
                  allow: false
      on_no_match: # If on_no_match is not set, deny all unmatched requests.
        action:
          name: action
          typed_config:
            "@type": type.googleapis.com/envoy.config.rbac.v3.Action
            name: allow-all
            allow: true
            log: true # LOG behavior change

[kyessenov]

Re: network inputs. Yes, I'm aware. We can implement those inputs for HTTP context using StreamInfo. I'll take a stab at that soon-ish.

…

On Thu, Apr 7, 2022 at 11:22 PM Xie Zhihao ***@***.***> wrote: I have done some code works but I also have some comments on my exploration, 1. I would like to add a matcher in envoy.extensions.filters.network.rbac.v3.RBAC and envoy.extensions.filters.network.rbac.v3.RBAC, and the syntax of rules will be changed (see the code block below). It is obviously that the mapping relation action->policy name->policy will be changed to matcher->matcher name + action. 2. There will be no difference between permissions and principals (also see the code block below). 3. Action will be reconstructed, and there will be no LOG action. The LOG behavior allows matched requests to set dynamic metadata to true and unmatched to false, but in the unified matcher, an on_no_match field can catch all unmatched requests. 4. Not all network inputs can be supported in RBAC network filter. The network matching data and inputs require a ConnectionSocket while a network filter can only provide a Connection, SourceType, TransportProtocol and ApplicationProcol cannot be supported. @kyessenov <https://github.com/kyessenov> do you have any workarounds? May I ask for your thoughts on these changes? @htuch <https://github.com/htuch> http_filters: - name: envoy.filters.http.rbac typed_config: ***@***.***": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC # rules: # action: ALLOW # policies: # "deny-http": # permissions: # - destination_port: 80 # principals: # - any: true matcher: matcher_tree: input: name: envoy.matching.inputs.source_port typed_config: ***@***.***": type.googleapis.com/envoy.extensions.matching.common_inputs.network.v3.SourcePortInput exact_match_map: map: "80": action: name: action # This name is the registered name for registry factory lookup. typed_config: ***@***.***": type.googleapis.com/envoy.config.rbac.v3.Action name: deny-http # Alternative of policy name. on_no_match: # If on_no_match is not set, deny all unmatched requests. action: name: action typed_config: ***@***.***": type.googleapis.com/envoy.config.rbac.v3.Action name: allow-all allow: true log: true # LOG behavior change — Reply to this email directly, view it on GitHub <#20623 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ACIYRRQFOPIU4YCDRW7STODVD7GBHANCNFSM5SHXOYXQ> . You are receiving this because you were mentioned.Message ID: ***@***.***>

[zhxie]

@htuch shall we make a small change, adding a matcher to the policy to provide with an alternative choice for policy matching which will not affect the "single action" mechanism,

rules:
  action: ALLOW
  policies:
    "policy-name":
      # permissions:
      # - destination_port: 80
      # principals:
      # - any: true
      matcher:
        matcher_tree:
          input:
            name: destination_port
            typed_config:
              '@type': type.googleapis.com/envoy.type.matcher.v3.DestinationPortMatchInput
          exact_match_map:
            map:
              "80":
                action:
                  name: action
                  typed_config:
                    '@type': type.googleapis.com/envoy.config.rbac.v3.RBACAction

or shall we make a big change, replacing the whole rules with matcher to support "multiple action"?

matcher:
  matcher_tree:
    input:
      name: destination_port
      typed_config:
        '@type': type.googleapis.com/envoy.type.matcher.v3.DestinationPortMatchInput
    exact_match_map:
      map:
        "80":
          action:
            name: action
            typed_config:
              '@type': type.googleapis.com/envoy.config.rbac.v3.RBACAction
              name: allow-http
              action: ALLOW
  on_no_match:
    action:
      name: action
      typed_config:
        '@type': type.googleapis.com/envoy.config.rbac.v3.RBACAction
        name: deny-by-default
        action: DENY

[htuch]

I think the second model is more flexible. I think the first was the result of deliberative consideration, CC @qiwzhang, so I'll let those folks weigh in. Also CC @wjtracey