Requirements
- :ref:`curl <start_sandboxes_setup_curl>`, used to make HTTP requests.
Envoy's Role Based Access Control (RBAC) filters decide whether an incoming connection or request is authorized and reject it if it is not.
Envoy supports two types of RBAC:
- L4 connections via the :ref:`Role Based Access Control (RBAC) Network Filter <config_network_filters_rbac>`
- HTTP requests via the :ref:`Role Based Access Control (RBAC) Filter <config_http_filters_rbac>`
This sandbox provides an example of RBAC applied to HTTP requests.
In the example, a request is allowed only if its ``Referer`` header matches the regex pattern ``https?://(www.)?envoyproxy.io/docs/envoy.*``; every other request is denied.
Change to the ``examples/rbac`` directory and bring up the docker composition.

.. code-block:: console

   $ pwd
   envoy/examples/rbac
   $ docker compose pull
   $ docker compose up --build -d
   $ docker compose ps

   Name             Command                         State   Ports
   ------------------------------------------------------------------------------------------------------------
   rbac_backend_1   gunicorn -b 0.0.0.0:80 htt ...  Up      0.0.0.0:8080->80/tcp
   rbac_envoy_1     /docker-entrypoint.sh /usr ...  Up      0.0.0.0:10000->10000/tcp, 0.0.0.0:10001->10001/tcp
The sandbox is configured to proxy port 10000 to the upstream service.

Use ``curl`` to make a request to the upstream service without setting a ``Referer`` header.
Because the request lacks the required header, the RBAC filter denies it: Envoy accepts the TCP connection but answers the HTTP request with a ``403 Forbidden`` response whose body is ``RBAC: access denied``.

.. code-block:: console

   $ curl -si localhost:10000
   HTTP/1.1 403 Forbidden
   content-length: 19
   content-type: text/plain
   date: Thu, 28 Jul 2022 06:48:43 GMT
   server: envoy

   RBAC: access denied
Now make another request with a ``Referer`` header that matches the pattern. This time the request is allowed, proxied to the upstream service, and answered with ``200 OK`` (the ``grep`` keeps only the status line).

.. code-block:: console

   $ curl -si -H "Referer: https://www.envoyproxy.io/docs/envoy" localhost:10000 | grep 200
   HTTP/1.1 200 OK
The sandbox exposes the Envoy admin interface on port 10001.

Querying the RBAC stats on the admin interface shows that one request was allowed and one denied. The ``shadow_*`` counters record requests evaluated against ``shadow_rules``, which are counted but never enforced; they stay at zero here.

.. code-block:: console

   $ curl -s "http://localhost:10001/stats?filter=rbac"
   http.ingress_http.rbac.allowed: 1
   http.ingress_http.rbac.denied: 1
   http.ingress_http.rbac.shadow_allowed: 0
   http.ingress_http.rbac.shadow_denied: 0
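The two passages above describe a ``Referer``-based rule and the ``rbac.*`` / ``rbac.shadow_*`` counters without showing how such a rule is configured. The following static bootstrap is an added example written for this page, not the sandbox's own ``envoy.yaml``: it enforces the same ``Referer`` regex through the RBAC HTTP filter and additionally dry-runs a stricter https-only, dot-escaped variant under ``shadow_rules``. The listener and admin ports match the sandbox; the cluster name ``backend`` and the hostname ``backend`` are assumptions. The ``stat_prefix`` of ``ingress_http`` is what produces the ``http.ingress_http.rbac.*`` stat names seen above.

```yaml
# Added example configuration (not the sandbox's envoy.yaml). Assumes an upstream
# reachable as host "backend" on port 80, e.g. the compose service of the same name.
admin:
  address:
    socket_address: { address: 0.0.0.0, port_value: 10001 }

static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: ingress_http   # yields http.ingress_http.rbac.{allowed,denied,shadow_*}
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend }
          http_filters:
          - name: envoy.filters.http.rbac
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.rbac.v3.RBAC
              # Enforced policy. With action ALLOW, any request that matches no
              # policy is rejected with 403 and the body "RBAC: access denied".
              rules:
                action: ALLOW
                policies:
                  "allow-envoy-docs-referer":
                    permissions:
                    - any: true                      # any method / path / destination
                    principals:
                    - header:
                        name: referer
                        string_match:
                          safe_regex:
                            # Same pattern as the sandbox text. The regex must match the
                            # whole header value, hence the trailing ".*".
                            regex: 'https?://(www.)?envoyproxy.io/docs/envoy.*'
              # Shadow policy: evaluated on every request and counted in
              # shadow_allowed / shadow_denied, but never enforced. Useful for
              # dry-running a tighter rule before switching it into "rules".
              shadow_rules:
                action: ALLOW
                policies:
                  "allow-https-docs-referer-only":
                    permissions:
                    - any: true
                    principals:
                    - header:
                        name: referer
                        string_match:
                          safe_regex:
                            # https only, and the dots are escaped so that "www."
                            # and "envoyproxy.io" no longer match arbitrary characters.
                            regex: 'https://(www\.)?envoyproxy\.io/docs/envoy.*'
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

  clusters:
  - name: backend
    type: STRICT_DNS
    load_assignment:
      cluster_name: backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: backend, port_value: 80 }
```

Run it with ``envoy -c rbac.yaml`` and repeat the two ``curl`` requests: the request without a header is counted in ``rbac.denied`` and ``rbac.shadow_denied``, while a request with ``Referer: http://www.envoyproxy.io/docs/envoy`` is allowed by ``rules`` (``rbac.allowed``) but lands in ``rbac.shadow_denied`` because the shadow policy requires ``https``. On Envoy releases that predate the optional regex engine field, add ``google_re2: {}`` under each ``safe_regex``. Note that ``Referer`` is set by the client and is trivially forged, so a rule like this demonstrates the filter mechanics but is not an authentication boundary; in practice RBAC principals are usually built from the authenticated peer (``authenticated.principal_name`` from mTLS), source IP ranges, or metadata set by an authentication filter.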
.. seealso::

   :ref:`Role Based Access Control <arch_overview_rbac>`
      Learn more about using Envoy's ``RBAC`` filter.

   :ref:`RBAC Network Filter API <envoy_v3_api_msg_extensions.filters.network.rbac.v3.RBAC>`
      API and configuration reference for Envoy's ``RBAC`` network filter.

   :ref:`RBAC HTTP Filter API <envoy_v3_api_msg_extensions.filters.http.rbac.v3.RBAC>`
      API and configuration reference for Envoy's ``RBAC`` HTTP filter.

   :ref:`Envoy admin quick start guide <start_quick_start_admin>`
      Quick start guide to the Envoy admin interface.