Role Based Access Control (RBAC) Filter

    When a request is denied, the RESPONSE_CODE_DETAILS will include the name of the matched policy that caused the deny, in the format rbac_access_denied_matched_policy[policy_name] (policy_name will be none if no policy matched). This helps to distinguish a deny issued by the Envoy RBAC filter from one returned by the upstream backend.
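One way to use this when triaging denied requests, as an added example that is not part of the Envoy documentation: the script below splits 403s into RBAC filter denies (grouped by matched policy) and 403s that came from elsewhere. It assumes access logs are written as JSON lines with operator-chosen keys response_code and response_code_details; the sample lines and the policy name deny-admin are constructed.

```python
import json
import re
from collections import Counter

# Detail string format from the text above: rbac_access_denied_matched_policy[policy_name]
RBAC_DENY = re.compile(r"rbac_access_denied_matched_policy\[(?P<policy>[^\]]*)\]")

# Constructed sample log lines; the JSON field names are assumptions about
# how the operator configured access logging.
SAMPLE_LOG = """\
{"path": "/admin", "response_code": 403, "response_code_details": "rbac_access_denied_matched_policy[deny-admin]"}
{"path": "/orders", "response_code": 403, "response_code_details": "via_upstream"}
{"path": "/internal", "response_code": 403, "response_code_details": "rbac_access_denied_matched_policy[none]"}
{"path": "/orders", "response_code": 200, "response_code_details": "via_upstream"}
not json at all
{"path": "/admin", "response_code": 403, "response_code_details": "rbac_access_denied_matched_policy[deny-admin]"}
"""


def classify(entry):
    """Attribute one log entry to the RBAC filter or to something else."""
    match = RBAC_DENY.search(entry.get("response_code_details") or "")
    if match:
        policy = match.group("policy")
        # "none" means the filter denied without any policy matching.
        return ("rbac_no_match", None) if policy == "none" else ("rbac", policy)
    if entry.get("response_code") == 403:
        return ("other_403", None)  # e.g. a 403 produced by the upstream backend
    return ("other", None)


def summarize(log_text):
    """Count denies per matched policy and separate non-RBAC 403s."""
    out = {"by_policy": Counter(), "rbac_no_match": 0, "other_403": 0, "unparsed": 0}
    for line in filter(str.strip, log_text.splitlines()):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            entry = None
        if not isinstance(entry, dict):
            out["unparsed"] += 1  # keep a count instead of silently dropping lines
            continue
        kind, policy = classify(entry)
        if kind == "rbac":
            out["by_policy"][policy] += 1
        elif kind in out:
            out[kind] += 1
    return out


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A policy that is itself named none cannot be told apart from the no-match case by this string alone.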

    • This filter should be configured with the name envoy.filters.http.rbac.

    The RBAC filter configuration can be overridden or disabled on a per-route basis by providing a configuration on the virtual host, route, or weighted cluster.

    The RBAC filter outputs statistics in the http.<stat_prefix>.rbac. namespace. The stat prefix comes from the owning HTTP connection manager.

    The RBAC filter emits the following dynamic metadata.

    Name                        Type     Description
    shadow_effective_policy_id  string   The effective shadow policy ID matching the action (if any).
    shadow_engine_result        string   The engine result for the shadow rules (i.e. either allowed or denied).
    access_log_hint             boolean