Dubbo Authorization Policy
Authorization Policy scope (target) is determined by “metadata/namespace” and an optional “selector”.
- “metadata/namespace” tells which namespace the policy applies. If set to root namespace, the policy applies to all namespaces in a mesh.
DubboAuthorizationPolicy
DubboAuthorizationPolicy enables access control on Dubbo services.
Rule
Rule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, one operation and all conditions matches the request. An empty rule is always matched.
Any string field in the rule supports Exact, Prefix, Suffix and Presence match:
- Exact match: “abc” will match on value “abc”.
- Prefix match: “abc*” will match on value “abc” and “abcd”.
- Suffix match: “*abc” will match on value “abc” and “xabc”.
- Presence match: “*” will match when value is not empty.
Source
Source specifies the source identities of a request. Fields in the source are ANDed together.
For example, the following source matches if the principal is “admin” or “dev” and the namespace is “prod” or “test”.
principals: ["admin", "dev"]
namespaces: ["prod", "test"]
Operation
Operation specifies the operations of a request. Fields in the operation are ANDed together.
For example, the following operation matches if the Dubbo interface is “org.apache.dubbo.samples.basic.api.DemoService” and the method is “sayHello”.
interfaces: ["org.apache.dubbo.samples.basic.api.DemoService"]
methods: ["sayHello"]
Rule.From
From includes a list or sources.
Rule.To
To includes a list or operations.
DubboAuthorizationPolicy.Action
Action specifies the operation to take.
Name | Description |
---|---|
ALLOW |
Allow a request only if it matches the rules. This is the default type. |
DENY |
Deny a request if it matches any of the rules. |
DubboAuthorizationPolicy.Action
Action specifies the operation to take.
Name | Description |
---|---|
ALLOW |
Allow a request only if it matches the rules. This is the default type. |
DENY |
Deny a request if it matches any of the rules. |
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.