rbac: add unified matcher for RBAC filters

[zhxie]

Signed-off-by: Xie Zhihao zhihao.xie@intel.com

Commit Message: rbac: add unified matcher for RBAC filters
Additional Description:

The patch add the matching API support for both RBAC network filter and HTTP filter. Users can configure rules and shadow rules in either policies or the matching API manner. There are some incompatibilities, TODOs and behavior changes compared to the policies way.

1. RBAC matchers are not compatible with the matching API.
2. URL path and CEL are not supported in the matching API. These matchers may come as custom matcher.
3. Metadata is not supported in the matching API. These matchers may come as inputs.
4. Connections and requests with no matcher matched will always be denied.

Risk Level: Medium
Testing: Unit and integration
Docs Changes: API and configuration
Release Notes: WIP
Platform Specific Features: N/A
Fixes #20623

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @markdroth
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #20877 was opened by zhxie.

see: more, trace.

[zhxie]

cc @htuch
Also cc @snowp @kyessenov for thoughts about unsupported matchers

[kyessenov]

You can add this to resolve the ambiguity:

diff --git a/api/bazel/external_proto_deps.bzl b/api/bazel/external_proto_deps.bzl
index 6b11495d3c..b59df6b785 100644
--- a/api/bazel/external_proto_deps.bzl
+++ b/api/bazel/external_proto_deps.bzl
@@ -19,8 +19,8 @@ EXTERNAL_PROTO_IMPORT_BAZEL_DEP_MAP = {

 # This maps from the Bazel proto_library target to the Go language binding target for external dependencies.
 EXTERNAL_PROTO_GO_BAZEL_DEP_MAP = {
-    "@com_google_googleapis//google/api/expr/v1alpha1:checked_proto": "@com_google_googleapis//google/api/expr/v1alpha1:expr_go_proto",
-    "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto": "@com_google_googleapis//google/api/expr/v1alpha1:expr_go_proto",
+    "@com_google_googleapis//google/api/expr/v1alpha1:checked_proto": "@go_googleapis//google/api/expr/v1alpha1:expr_go_proto",
+    "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto": "@go_googleapis//google/api/expr/v1alpha1:expr_go_proto",
     "@opencensus_proto//opencensus/proto/trace/v1:trace_proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_proto_go",
     "@opencensus_proto//opencensus/proto/trace/v1:trace_config_proto": "@opencensus_proto//opencensus/proto/trace/v1:trace_and_config_proto_go",
     "@opentelemetry_proto//:logs": "@opentelemetry_proto//:logs_go_proto",

[zhxie]

Ok, let us have a try to align them with xDS's external_proto_deps.

[repokitteh-read-only]

CC @envoyproxy/dependency-shepherds: Your approval is needed for changes made to (bazel/.*repos.*\.bzl)|(bazel/dependency_imports\.bzl)|(api/bazel/.*\.bzl)|(.*/requirements\.txt)|(.*\.patch).
envoyproxy/dependency-shepherds assignee is @phlax

🐱

Caused by: #20877 was synchronize by zhxie.

see: more, trace.

[zhxie]

Thanks @kyessenov, you saved my day. It is really easy to miss the change and TODO since I have been looking around among repositories.bzl, repository_locations.bzl, BUILD and .proto and found nothing different.

[sergiitk]

This is the source of this problem: bazel-contrib/rules_go#1986. cc @noahdietz.

As I understand, it has always been an issue in envoy, but it was sitting there dormant because go_build_test isn't testing any targets that rely on googleapis protos:

envoy/api/test/build/BUILD

Lines 20 to 30 in 575ab6a

	api_go_test(
	name = "go_build_test",
	size = "small",
	srcs = ["go_build_test.go"],
	importpath = "go_build_test",
	deps = [
	"//envoy/api/v2:pkg_go_proto",
	"//envoy/api/v2/auth:pkg_go_proto",
	"//envoy/service/accesslog/v2:pkg_go_proto",
	"//envoy/service/discovery/v2:pkg_go_proto",
	"//envoy/service/metrics/v2:pkg_go_proto",

However, cncf/xds does test these targets. To make it work, googleapis protos had to be mapped to from @ com_google_googleapis to @go_googleapis:

EXTERNAL_PROTO_GO_BAZEL_DEP_MAP = {
    # Note @com_google_googleapis are point to @go_googleapis.
    # This is done to address //test/build:go_build_test build error:
    #
    # link: package conflict error:
    #   google.golang.org/genproto/googleapis/api/annotations: multiple copies of package passed to linker:
    #
    # @go_googleapis//google/api:annotations_go_proto
    # @com_google_googleapis//google/api:annotations_go_proto
    #
    # TODO(https://github.com/bazelbuild/rules_go/issues/1986): update to
    #    @com_google_googleapis when the bug is resolved. Also see the note to
    #    go_googleapis in https://github.com/bazelbuild/rules_go/blob/master/go/dependencies.rst#overriding-dependencies
    "@com_google_googleapis//google/api/expr/v1alpha1:checked_proto": "@go_googleapis//google/api/expr/v1alpha1:expr_go_proto",
    "@com_google_googleapis//google/api/expr/v1alpha1:syntax_proto": "@go_googleapis//google/api/expr/v1alpha1:expr_go_proto",
}

[kyessenov]

/retest

[repokitteh-read-only]

Retrying Azure Pipelines:
Retried failed jobs in: envoy-presubmit

🐱

Caused by: a #20877 (comment) was created by @kyessenov.

see: more, trace.

[kyessenov]

@envoyproxy/api-shepherds Could we please re-stamp this? There's a build fix included.

[kyessenov]

This needs to be approved by API or senior maintainer. Thanks for completing this work!

[kyessenov]

CC @envoyproxy/api-shepherds @envoyproxy/senior-maintainers

[kyessenov]

@markdroth please take a look at the API change.
/assign @phlax
(for the dependency bit)

[markdroth]

/lgtm api

[kyessenov]

@moderation Could you please approve dependency bazel fix?

[moderation]

/lgtm deps