Metadata matcher (proto)

MetadataMatcher provides a general interface to check if a given value is matched in Metadata. It uses filter and path to retrieve the value from the Metadata and then check if it’s matched to the specified value.

For example, for the following Metadata:

filter_metadata:
  envoy.filters.http.rbac:
    fields:
      a:
        struct_value:
          fields:
            b:
              struct_value:
                fields:
                  c:
                    string_value: pro
            t:
              list_value:
                values:
                  - string_value: m
                  - string_value: n

The following MetadataMatcher is matched as the path [a, b, c] will retrieve a string value pro from the Metadata which is matched to the specified prefix match.

filter: envoy.filters.http.rbac
path:
- key: a
- key: b
- key: c
value:
  string_match:
    prefix: pr

The following MetadataMatcher is matched as the code will match one of the string values in the list at the path [a, t].

filter: envoy.filters.http.rbac
path:
- key: a
- key: t
value:
  list_match:
    one_of:
      string_match:
        exact: m

An example use of MetadataMatcher is specifying additional metadata in envoy.filters.http.rbac to enforce access control based on dynamic metadata in a request. See Permission and Principal.

type.matcher.v3.MetadataMatcher

[type.matcher.v3.MetadataMatcher proto]

{
  "filter": ...,
  "path": [],
  "value": {...},
  "invert": ...
}

filter: (string, REQUIRED) The filter name to retrieve the Struct from the Metadata.

path: (repeated type.matcher.v3.MetadataMatcher.PathSegment, REQUIRED) The path to retrieve the Value from the Struct.

value: (type.matcher.v3.ValueMatcher, REQUIRED) The MetadataMatcher is matched if the value retrieved by path is matched to this value.

invert: (bool) If true, the match result will be inverted.

type.matcher.v3.MetadataMatcher.PathSegment

[type.matcher.v3.MetadataMatcher.PathSegment proto]

Specifies the segment in a path to retrieve value from Metadata.

Note

Currently it’s not supported to retrieve a value from a list in Metadata. This means that if the segment key refers to a list, it has to be the last segment in a path.

{
  "key": ...
}

key: (string, REQUIRED) If specified, use the key to retrieve the value in a Struct.