mirror of https://github.com/istio/istio.io.git
284 lines
7.9 KiB
HTML
284 lines
7.9 KiB
HTML
---
|
|
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/proxy' REPO
|
|
source_repo: https://github.com/istio/proxy
|
|
title: AttributeGen Config
|
|
description: Configuration for Attribute Generation plugin.
|
|
location: https://istio.io/docs/reference/config/proxy_extensions/attributegen.html
|
|
layout: protoc-gen-docs
|
|
generator: protoc-gen-docs
|
|
schema: istio.attributegen
|
|
weight: 20
|
|
number_of_entries: 3
|
|
---
|
|
<p>AttributeGen plugin uses <a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/rbac_filter#condition">builtin attributes</a>
|
|
as inputs and produces new attributes that can be used by downstream plugins.</p>
|
|
|
|
<p>The following is an example of a configuration that produces one attribute
|
|
named <code>istio_operationId</code> using <code>request.url_path</code> and <code>request.method</code>.</p>
|
|
|
|
<p>{{<tabset category-name="example">}}
|
|
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
|
|
|
|
<pre><code class="language-yaml">{
|
|
"attributes": [
|
|
{
|
|
"output_attribute": "istio_operationId",
|
|
"match": [
|
|
{
|
|
"value": "ListBooks",
|
|
"condition": "request.url_path == '/books' && request.method ==
|
|
'GET'"
|
|
},
|
|
{
|
|
"value": "GetBook",
|
|
"condition":
|
|
"request.url_path.matches('^/shelves/[[:alnum:]]*/books/[[:alnum:]]*$')
|
|
&& request.method == 'GET'"
|
|
},
|
|
{
|
|
"value": "CreateBook",
|
|
"condition": "request.url_path == '/books/' && request.method ==
|
|
'POST'"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
|
|
</code></pre>
|
|
|
|
<p>{{</tab>}}
|
|
{{</tabset>}}</p>
|
|
|
|
<p>If the Stats plugin runs after AttributeGen, it can use <code>istio_operationId</code>
|
|
to populate a dimension on a metric.</p>
|
|
|
|
<p>The following is an example of response codes being mapped into a smaller
|
|
number of response classes as the <code>istio_responseClass</code> attribute. For
|
|
example, all response codes in 200s are mapped to <code>2xx</code>.</p>
|
|
|
|
<p>{{<tabset category-name="example">}}
|
|
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
|
|
|
|
<pre><code class="language-yaml">{
|
|
"attributes": [
|
|
{
|
|
"output_attribute": "istio_responseClass",
|
|
"match": [
|
|
{
|
|
"value": "2xx",
|
|
"condition": "response.code >= 200 && response.code <= 299"
|
|
},
|
|
{
|
|
"value": "3xx",
|
|
"condition": "response.code >= 300 && response.code <= 399"
|
|
},
|
|
{
|
|
"value": "404",
|
|
"condition": "response.code == 404"
|
|
},
|
|
{
|
|
"value": "429",
|
|
"condition": "response.code == 429"
|
|
},
|
|
{
|
|
"value": "503",
|
|
"condition": "response.code == 503"
|
|
},
|
|
{
|
|
"value": "5xx",
|
|
"condition": "response.code >= 500 && response.code <= 599"
|
|
},
|
|
{
|
|
"value": "4xx",
|
|
"condition": "response.code >= 400 && response.code <= 499"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
|
|
</code></pre>
|
|
|
|
<p>{{</tab>}}
|
|
{{</tabset>}}</p>
|
|
|
|
<p>If multiple AttributeGene configurations produce the same attribute, the
|
|
result of the last configuration will be visible to downstream filters.</p>
|
|
|
|
<h2 id="PluginConfig">PluginConfig</h2>
|
|
<section>
|
|
<p>Top level configuration to generate new attributes based on attributes of the
|
|
proxied traffic.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="PluginConfig-debug">
|
|
<td><code>debug</code></td>
|
|
<td><code>bool</code></td>
|
|
<td>
|
|
<p>The following settings should be rarely used.
|
|
Enable debug for this filter.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="PluginConfig-attributes">
|
|
<td><code>attributes</code></td>
|
|
<td><code><a href="#AttributeGeneration">AttributeGeneration[]</a></code></td>
|
|
<td>
|
|
<p>Multiple independent attribute generation configurations.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="AttributeGeneration">AttributeGeneration</h2>
|
|
<section>
|
|
<p>AttributeGeneration define generation of one attribute.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="AttributeGeneration-output_attribute">
|
|
<td><code>output_attribute</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>The name of the attribute that is populated on a successful match.
|
|
An attribute name SHOULD NOT contain a <code>.</code>. You may use underscores for
|
|
namespacing instead.</p>
|
|
|
|
<p>Example: <code>istio_operationId</code></p>
|
|
|
|
<p><code>istio_</code> attribute namespace is reserved by Istio.</p>
|
|
|
|
<p>AttributeGeneration may fail to evaluate when an attribute is not
|
|
available. For example, <code>response.code</code> may not be available when a request
|
|
ends abruptly. When attribute generation fails, it will not populate the
|
|
attribute.</p>
|
|
|
|
<p>If the generated attribute is used by an authz plugin, it should account
|
|
for the possibility that the attribute may be missing. Use
|
|
<code>has(attribute_name)</code> function to check for presence of an attribute before
|
|
using its value, and provide appropriate defaults. For example the
|
|
following is a safe use of <code>response.code</code></p>
|
|
|
|
<p><code>has(response.code)?response.code:200</code></p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="AttributeGeneration-match">
|
|
<td><code>match</code></td>
|
|
<td><code><a href="#Match">Match[]</a></code></td>
|
|
<td>
|
|
<p>Matches are evaluated in order until the first successful match.
|
|
The value specified by the successful match is assgined to the
|
|
output_attribute.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|
|
<h2 id="Match">Match</h2>
|
|
<section>
|
|
<p>If the condition evaluates to true then the Match returns the specified
|
|
value.</p>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
<th>Required</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="Match-condition">
|
|
<td><code>condition</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>The condition is a <a href="https://github.com/google/cel-spec/blob/master/doc/langdef.md">CEL
|
|
expression</a>
|
|
that may use <a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/security/rbac_filter#condition">builtin attributes</a>.</p>
|
|
|
|
<p>Example:</p>
|
|
|
|
<p>{{<tabset category-name="example">}}
|
|
{{<tab name="attribute-match" >}}</p>
|
|
|
|
<pre><code class="language-yaml"> {
|
|
"value": "GetBook",
|
|
"condition":
|
|
"request.url_path.matches('^/shelves/[[:alnum:]]*/books/[[:alnum:]]*$')
|
|
&& request.method == 'GET'"
|
|
},
|
|
</code></pre>
|
|
|
|
<p>Note: CEL uses <a href="https://github.com/google/re2/wiki/Syntax">re2</a> regex
|
|
library. Use anchors <code>{^, $}</code> to ensure that the regex evaluates
|
|
efficiently.</p>
|
|
|
|
<p>Note: <code>request.url_path</code> is normalized and stripped of query params.</p>
|
|
|
|
<p>a Read only operation on books</p>
|
|
|
|
<pre><code class="language-yaml">{ "value": "ReadOnlyBooks",
|
|
"condition": "request.url_path.startsWith('/books/') &&
|
|
in(request.method, ['GET', 'HEAD'])"}
|
|
</code></pre>
|
|
|
|
<p>{{</tab>}}
|
|
{{</tabset>}}</p>
|
|
|
|
<p>An empty condition evaluates to <code>true</code> and should be used to provide a
|
|
default value.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
<tr id="Match-value">
|
|
<td><code>value</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>If condition evaluates to true, return the <code>value</code>.</p>
|
|
|
|
</td>
|
|
<td>
|
|
No
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|