Dubbo Authorization Policy

    Authorization Policy scope (target) is determined by “metadata/namespace” and an optional “selector”.

    • “metadata/namespace” specifies the namespace to which the policy applies. If set to the root namespace, the policy applies to all namespaces in a mesh.

    DubboAuthorizationPolicy enables access control on Dubbo services.

    Rule

    Rule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, one operation and all conditions match the request. An empty rule is always matched.

    Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

    • Prefix match: “abc*” will match on value “abc” and “abcd”.
    • Suffix match: “*abc” will match on value “abc” and “xabc”.
    • Presence match: “*” will match when value is not empty.
    | Field | Type | Description | Required |
    |-------|------|-------------|----------|
    | from | | Optional. from specifies the source of a request. If not set, any source is allowed. | No |
    | to | To[] | Optional. to specifies the operation of a request. If not set, any operation is allowed. | No |

    Source specifies the source identities of a request. Fields in the source are ANDed together.

    Operation

    Operation specifies the operations of a request. Fields in the operation are ANDed together.

    For example, the following operation matches if the Dubbo interface is “org.apache.dubbo.samples.basic.api.DemoService” and the method is “sayHello”.

    interfaces: ["org.apache.dubbo.samples.basic.api.DemoService"]
    methods: ["sayHello"]

    | Field | Type | Description | Required |
    |-------|------|-------------|----------|
    | interfaces | string[] | Optional. A list of interfaces, matched against the Dubbo interface. If not set, any interface is allowed. | No |
    | notInterfaces | string[] | Optional. A list of negative matches of interfaces. | No |
    | methods | string[] | Optional. A list of methods, matched against the Dubbo methods. | No |
    | notMethods | string[] | Optional. A list of negative matches of methods. | No |

    From includes a list of sources.

    Rule.To

    To includes a list of operations.

    | Field | Type | Description | Required |
    |-------|------|-------------|----------|
    | operation | | Operation specifies the operation of a request. | No |

    DubboAuthorizationPolicy.Action

    Action specifies the operation to take.

    | Name | Description |
    |------|-------------|
    | ALLOW | Allow a request only if it matches the rules. This is the default type. |
    | DENY | Deny a request if it matches any of the rules. |
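
The matching semantics described above, modelled as an added example (not Aeraki's implementation, and not code from the original page). Function names, the dict layout and the sample policy are assumptions. `methods` is taken as the positive counterpart of `notMethods`, and source (`from`) matching is left out because the page lists no source fields.

```python
# Added example: evaluates the "to" side of a policy as described on this page.
# All names below are hypothetical; the sample policy is constructed.

def match_string(pattern: str, value: str) -> bool:
    """Exact, prefix ("abc*"), suffix ("*abc") and presence ("*") match."""
    if pattern == "*":
        return value != ""                      # presence: any non-empty value
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])   # "abc*" matches "abc", "abcd"
    if pattern.startswith("*"):
        return value.endswith(pattern[1:])      # "*abc" matches "abc", "xabc"
    return pattern == value

def match_list(patterns, not_patterns, value: str) -> bool:
    """An unset positive list allows any value; a negative hit always fails."""
    if patterns and not any(match_string(p, value) for p in patterns):
        return False
    return not any(match_string(p, value) for p in not_patterns or [])

def match_operation(op: dict, interface: str, method: str) -> bool:
    """Fields in an operation are ANDed together."""
    return (match_list(op.get("interfaces"), op.get("notInterfaces"), interface)
            and match_list(op.get("methods"), op.get("notMethods"), method))

def match_rule(rule: dict, interface: str, method: str) -> bool:
    """At least one operation must match; an empty rule always matches."""
    to = rule.get("to")
    return not to or any(
        match_operation(t.get("operation", {}), interface, method) for t in to)

def authorize(action: str, rules: list, interface: str, method: str) -> bool:
    """ALLOW admits only matching requests; DENY rejects matching requests."""
    matched = any(match_rule(r, interface, method) for r in rules)
    return matched if action == "ALLOW" else not matched

# Constructed sample: match every method except sayHello on the sample API package.
IFACE = "org.apache.dubbo.samples.basic.api.DemoService"
RULES = [{"to": [{"operation": {
    "interfaces": ["org.apache.dubbo.samples.basic.api.*"],
    "notMethods": ["sayHello"],
}}]}]

if __name__ == "__main__":
    for m in ("sayHello", "deleteUser"):        # "deleteUser" is a made-up method
        print(m, "allowed under DENY:", authorize("DENY", RULES, IFACE, m))
```

Because ALLOW admits only matching requests, an ALLOW policy with an empty rule list rejects everything in this model, while a DENY policy with the same empty list rejects nothing.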