envoyproxy/envoy

RBAC policy for unix socket peer uid/gid

Open

#6.193 geöffnet am 6. März 2019

Auf GitHub ansehen
 (2 Kommentare) (0 Reaktionen) (1 zugewiesene Person)C++ (5.373 Forks)batch import
area/rbacdesign proposalhelp wanted

Repository-Metriken

Stars
 (27.997 Stars)
PR-Merge-Metriken
 (Durchschn. Merge 8T) (378 gemergte PRs in 30 T)

Beschreibung

It would be nice to be able to specify a RBAC policy based on the UID or GID of the downstream connection when it's coming through a unix socket.

This would involve exposing the UID/GID on the Connection if applicable. This would be done by using SO_PEERCRED to get the peer credentials from the socket.

A RBAC policy would then be added to read this data.

The use case we have in mind here is restricting certain routes to be available only to users that can assume a specific unix group.

Contributor Guide