Dubbo Authorization Policy

Configuration for access control on Dubbo services.

Authorization Policy scope (target) is determined by “metadata/namespace” and an optional “selector”.

  • “metadata/namespace” tells which namespace the policy applies to. If set to the root namespace, the policy applies to all namespaces in the mesh.

DubboAuthorizationPolicy

DubboAuthorizationPolicy enables access control on Dubbo services.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| rules | Rule[] | Optional. A list of rules to match the request. A match occurs when at least one rule matches the request. If not set, the match will never occur, which is equivalent to a default deny for the target workloads. | No |
| action | Action | Optional. The action to take if the request matches the rules. Defaults to ALLOW. | No |

Rule

Rule matches requests from a list of sources that perform a list of operations, subject to a list of conditions. A match occurs when at least one source, at least one operation and all conditions match the request. An empty rule (no from and no to) always matches.

Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

  • Exact match: “abc” will match on value “abc”.
  • Prefix match: “abc*” will match on value “abc” and “abcd”.
  • Suffix match: “*abc” will match on value “abc” and “xabc”.
  • Presence match: “*” will match when value is not empty.

Wildcard patterns are plain string comparisons: a prefix such as “admin*” also matches any longer identity that begins with “admin”, so exact identities are the safer choice in allow rules. Note that the presence match never matches an empty value, so a field that is unset on the request (for example a peer identity with no mTLS) cannot satisfy “*”.
| Field | Type | Description | Required |
| --- | --- | --- | --- |
| from | From[] | Optional. from specifies the sources of a request. If not set, any source is allowed. | No |
| to | To[] | Optional. to specifies the operations of a request. If not set, any operation is allowed. | No |

Source

Source specifies the source identities of a request. Fields in the source are ANDed together.

For example, the following source matches if the principal is “admin” or “dev” and the namespace is “prod” or “test”.

```yaml
principals: ["admin", "dev"]
namespaces: ["prod", "test"]
```
| Field | Type | Description | Required |
| --- | --- | --- | --- |
| principals | string[] | Optional. A list of source peer identities (i.e. service accounts), which match the “source.principal” attribute. This field requires mTLS to be enabled. If not set, any principal is allowed. | No |
| notPrincipals | string[] | Optional. A list of negative matches of source peer identities. | No |
| namespaces | string[] | Optional. A list of namespaces, which match the “source.namespace” attribute. This field requires mTLS to be enabled. If not set, any namespace is allowed. | No |
| notNamespaces | string[] | Optional. A list of negative matches of namespaces. | No |

Operation

Operation specifies the operations of a request. Fields in the operation are ANDed together.

For example, the following operation matches if the Dubbo interface is “org.apache.dubbo.samples.basic.api.DemoService” and the method is “sayHello”.

```yaml
interfaces: ["org.apache.dubbo.samples.basic.api.DemoService"]
methods: ["sayHello"]
```
| Field | Type | Description | Required |
| --- | --- | --- | --- |
| interfaces | string[] | Optional. A list of interfaces, which match the Dubbo interface name. If not set, any interface is allowed. | No |
| notInterfaces | string[] | Optional. A list of negative matches of interfaces. | No |
| methods | string[] | Optional. A list of methods, which match the Dubbo method name. If not set, any method is allowed. | No |
| notMethods | string[] | Optional. A list of negative matches of methods. | No |

Rule.From

From wraps a single source; a rule's from field is a list of From entries.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| source | Source | Source specifies the source of a request. | No |

Rule.To

To wraps a single operation; a rule's to field is a list of To entries.

| Field | Type | Description | Required |
| --- | --- | --- | --- |
| operation | Operation | Operation specifies the operation of a request. | No |

DubboAuthorizationPolicy.Action

Action specifies the operation to take.

| Name | Description |
| --- | --- |
| ALLOW | Allow a request only if it matches the rules. This is the default action. |
| DENY | Deny a request if it matches any of the rules. |

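The matching semantics spread across this reference (exact/prefix/suffix/presence string matching, fields ANDed inside a Source or Operation, OR across sources, operations and rules, and the ALLOW/DENY action) are easy to misread, so the following is an added example evaluator written for this page; it is not Dubbo's own implementation. It assumes the Request attribute names, that a policy's rules/action body can be written as JSON (YAML is a superset of JSON, so the same document is valid YAML), that a notX list is satisfied when none of its entries match, and it evaluates a single policy in isolation; how several policies combine, and the namespace/selector scoping, are not modeled. The sample policy is constructed from the example values above.

```go
package main

import (
	"encoding/json"
	"strings"
)

// Types mirror the DubboAuthorizationPolicy reference; the JSON tags are assumed.
type Policy struct {
	Rules  []Rule `json:"rules"`
	Action string `json:"action"` // "ALLOW" (default when empty) or "DENY"
}
type Rule struct {
	From []From `json:"from"`
	To   []To   `json:"to"`
}
type From struct{ Source Source `json:"source"` }
type To struct{ Operation Operation `json:"operation"` }
type Source struct {
	Principals    []string `json:"principals"`
	NotPrincipals []string `json:"notPrincipals"`
	Namespaces    []string `json:"namespaces"`
	NotNamespaces []string `json:"notNamespaces"`
}
type Operation struct {
	Interfaces    []string `json:"interfaces"`
	NotInterfaces []string `json:"notInterfaces"`
	Methods       []string `json:"methods"`
	NotMethods    []string `json:"notMethods"`
}
// Request: attributes a policy is evaluated against (names assumed); Principal is empty without mTLS.
type Request struct{ Principal, Namespace, Interface, Method string }

// matchString implements exact, prefix, suffix and presence matching; the lone
// "*" is tested first so it is not mistaken for a prefix or suffix pattern.
func matchString(pattern, value string) bool {
	if pattern == "*" {
		return value != ""
	} else if strings.HasPrefix(pattern, "*") {
		return strings.HasSuffix(value, pattern[1:])
	} else if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(value, pattern[:len(pattern)-1])
	}
	return pattern == value
}
// hit reports whether any pattern in the list matches value. A notX list is
// satisfied when nothing hits; pos treats an unset positive list as matching.
func hit(patterns []string, value string) bool {
	for _, p := range patterns {
		if matchString(p, value) {
			return true
		}
	}
	return false
}
func pos(patterns []string, v string) bool { return len(patterns) == 0 || hit(patterns, v) }
// Fields within a Source, and within an Operation, are ANDed together.
func (s Source) matches(r Request) bool {
	return pos(s.Principals, r.Principal) && !hit(s.NotPrincipals, r.Principal) &&
		pos(s.Namespaces, r.Namespace) && !hit(s.NotNamespaces, r.Namespace)
}
func (o Operation) matches(r Request) bool {
	return pos(o.Interfaces, r.Interface) && !hit(o.NotInterfaces, r.Interface) &&
		pos(o.Methods, r.Method) && !hit(o.NotMethods, r.Method)
}
// A rule matches when at least one source and at least one operation match; an
// unset from or to matches anything, so an empty rule matches every request.
func (rl Rule) matches(r Request) bool {
	fromOK, toOK := len(rl.From) == 0, len(rl.To) == 0
	for _, f := range rl.From {
		fromOK = fromOK || f.Source.matches(r)
	}
	for _, t := range rl.To {
		toOK = toOK || t.Operation.matches(r)
	}
	return fromOK && toOK
}

// Allowed evaluates one policy in isolation: ALLOW permits only requests that
// some rule matches (no rules means default deny); DENY rejects matched ones.
func (p Policy) Allowed(r Request) bool {
	matched := false
	for _, rl := range p.Rules {
		matched = matched || rl.matches(r)
	}
	return matched != (p.Action == "DENY")
}

// LoadPolicy parses the rules/action body of a policy written as JSON.
func LoadPolicy(doc string) (p Policy, err error) {
	err = json.Unmarshal([]byte(doc), &p)
	return p, err
}
// samplePolicy is constructed from the reference's example values (say* except sayGoodbye on DemoService).
const samplePolicy = `{"action": "ALLOW", "rules": [{
  "from": [{"source": {"principals": ["admin", "dev"], "namespaces": ["prod", "test"]}}],
  "to": [{"operation": {"interfaces": ["org.apache.dubbo.samples.basic.api.DemoService"],
                        "methods": ["say*"], "notMethods": ["sayGoodbye"]}}]}]}`
```

Usage is `p, err := LoadPolicy(samplePolicy)` followed by `p.Allowed(Request{...})`. Two outcomes worth checking against this policy: a request whose Principal is empty (no mTLS identity) is rejected even though it comes from “prod”, because an unset attribute can never satisfy a principals list; and `sayGoodbye` is rejected although it matches `say*`, because the notMethods entry is ANDed with the positive list. A Policy with no rules under ALLOW denies everything, while an empty rule (`rules: [{}]`) under DENY denies everything too.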

Last modified March 10, 2022: add reference (897f1a1)