Package io.envoyproxy.envoy.extensions.filters.http.ext_authz.v3

Interface ExtAuthzOrBuilder

All Superinterfaces:

com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder

All Known Implementing Classes:

ExtAuthz, ExtAuthz.Builder

public interface ExtAuthzOrBuilder
extends com.google.protobuf.MessageOrBuilder

Method Summary

Modifier and Type	Method	Description
ListStringMatcher	getAllowedHeaders()	Check request to authorization server will include the client request headers that have a correspondent match in the :ref:`list <envoy_v3_api_msg_type.matcher.v3.ListStringMatcher>`.
ListStringMatcherOrBuilder	getAllowedHeadersOrBuilder()	Check request to authorization server will include the client request headers that have a correspondent match in the :ref:`list <envoy_v3_api_msg_type.matcher.v3.ListStringMatcher>`.
String	getBootstrapMetadataLabelsKey()	Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
com.google.protobuf.ByteString	getBootstrapMetadataLabelsKeyBytes()	Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
boolean	getClearRouteCache()	Clears route cache in order to allow the external authorization service to correctly affect routing decisions.
RuntimeFeatureFlag	getDenyAtDisable()	Specifies whether to deny the requests, when the filter is disabled.
RuntimeFeatureFlagOrBuilder	getDenyAtDisableOrBuilder()	Specifies whether to deny the requests, when the filter is disabled.
boolean	getFailureModeAllow()	Changes filter's behaviour on errors: 1.
boolean	getFailureModeAllowHeaderAdd()	When ``failure_mode_allow`` and ``failure_mode_allow_header_add`` are both set to true, ``x-envoy-auth-failure-mode-allowed: true`` will be added to request headers if the communication with the authorization service has failed, or if the authorization service has returned a HTTP 5xx error.
RuntimeFractionalPercent	getFilterEnabled()	Specifies if the filter is enabled.
MetadataMatcher	getFilterEnabledMetadata()	Specifies if the filter is enabled with metadata matcher.
MetadataMatcherOrBuilder	getFilterEnabledMetadataOrBuilder()	Specifies if the filter is enabled with metadata matcher.
RuntimeFractionalPercentOrBuilder	getFilterEnabledOrBuilder()	Specifies if the filter is enabled.
GrpcService	getGrpcService()	gRPC service configuration (default timeout: 200ms).
GrpcServiceOrBuilder	getGrpcServiceOrBuilder()	gRPC service configuration (default timeout: 200ms).
HttpService	getHttpService()	HTTP service configuration (default timeout: 200ms).
HttpServiceOrBuilder	getHttpServiceOrBuilder()	HTTP service configuration (default timeout: 200ms).
boolean	getIncludePeerCertificate()	Specifies if the peer certificate is sent to the external service.
boolean	getIncludeTlsSession()	Specifies if the TLS session level details like SNI are sent to the external service.
String	getMetadataContextNamespaces(int index)	Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service.
com.google.protobuf.ByteString	getMetadataContextNamespacesBytes(int index)	Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service.
int	getMetadataContextNamespacesCount()	Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service.
List<String>	getMetadataContextNamespacesList()	Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service.
ExtAuthz.ServicesCase	getServicesCase()
String	getStatPrefix()	Optional additional prefix to use when emitting statistics.
com.google.protobuf.ByteString	getStatPrefixBytes()	Optional additional prefix to use when emitting statistics.
HttpStatus	getStatusOnError()	Sets the HTTP status that is returned to the client when the authorization server returns an error or cannot be reached.
HttpStatusOrBuilder	getStatusOnErrorOrBuilder()	Sets the HTTP status that is returned to the client when the authorization server returns an error or cannot be reached.
ApiVersion	getTransportApiVersion()	API version for ext_authz transport protocol.
int	getTransportApiVersionValue()	API version for ext_authz transport protocol.
String	getTypedMetadataContextNamespaces(int index)	Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service.
com.google.protobuf.ByteString	getTypedMetadataContextNamespacesBytes(int index)	Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service.
int	getTypedMetadataContextNamespacesCount()	Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service.
List<String>	getTypedMetadataContextNamespacesList()	Specifies a list of metadata namespaces whose values, if present, will be passed to the ext_authz service.
BufferSettings	getWithRequestBody()	Enables filter to buffer the client request body and send it within the authorization request.
BufferSettingsOrBuilder	getWithRequestBodyOrBuilder()	Enables filter to buffer the client request body and send it within the authorization request.
boolean	hasAllowedHeaders()	Check request to authorization server will include the client request headers that have a correspondent match in the :ref:`list <envoy_v3_api_msg_type.matcher.v3.ListStringMatcher>`.
boolean	hasDenyAtDisable()	Specifies whether to deny the requests, when the filter is disabled.
boolean	hasFilterEnabled()	Specifies if the filter is enabled.
boolean	hasFilterEnabledMetadata()	Specifies if the filter is enabled with metadata matcher.
boolean	hasGrpcService()	gRPC service configuration (default timeout: 200ms).
boolean	hasHttpService()	HTTP service configuration (default timeout: 200ms).
boolean	hasStatusOnError()	Sets the HTTP status that is returned to the client when the authorization server returns an error or cannot be reached.
boolean	hasWithRequestBody()	Enables filter to buffer the client request body and send it within the authorization request.

Methods inherited from interface com.google.protobuf.MessageLiteOrBuilder

isInitialized

Methods inherited from interface com.google.protobuf.MessageOrBuilder

findInitializationErrors, getAllFields, getDefaultInstanceForType, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof

Method Detail

hasGrpcService

boolean hasGrpcService()

 gRPC service configuration (default timeout: 200ms).
 

.envoy.config.core.v3.GrpcService grpc_service = 1;

Returns:

Whether the grpcService field is set.

getGrpcService

GrpcService getGrpcService()

 gRPC service configuration (default timeout: 200ms).
 

.envoy.config.core.v3.GrpcService grpc_service = 1;

Returns:

The grpcService.

getGrpcServiceOrBuilder

GrpcServiceOrBuilder getGrpcServiceOrBuilder()

 gRPC service configuration (default timeout: 200ms).
 

.envoy.config.core.v3.GrpcService grpc_service = 1;

hasHttpService

boolean hasHttpService()

 HTTP service configuration (default timeout: 200ms).
 

.envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;

Returns:

Whether the httpService field is set.

getHttpService

HttpService getHttpService()

 HTTP service configuration (default timeout: 200ms).
 

.envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;

Returns:

The httpService.

getHttpServiceOrBuilder

HttpServiceOrBuilder getHttpServiceOrBuilder()

 HTTP service configuration (default timeout: 200ms).
 

.envoy.extensions.filters.http.ext_authz.v3.HttpService http_service = 3;

getTransportApiVersionValue

int getTransportApiVersionValue()

 API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
 version of messages used on the wire.
 

.envoy.config.core.v3.ApiVersion transport_api_version = 12 [(.validate.rules) = { ... }

Returns:

The enum numeric value on the wire for transportApiVersion.

getTransportApiVersion

ApiVersion getTransportApiVersion()

 API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
 version of messages used on the wire.
 

.envoy.config.core.v3.ApiVersion transport_api_version = 12 [(.validate.rules) = { ... }

Returns:

The transportApiVersion.

getFailureModeAllow

boolean getFailureModeAllow()

  Changes filter's behaviour on errors:
  1. When set to true, the filter will ``accept`` client request even if the communication with
  the authorization service has failed, or if the authorization service has returned a HTTP 5xx
  error.
  2. When set to false, ext-authz will ``reject`` client requests and return a ``Forbidden``
  response if the communication with the authorization service has failed, or if the
  authorization service has returned a HTTP 5xx error.
 Note that errors can be ``always`` tracked in the :ref:`stats
 <config_http_filters_ext_authz_stats>`.
 

bool failure_mode_allow = 2;

Returns:

The failureModeAllow.

getFailureModeAllowHeaderAdd

boolean getFailureModeAllowHeaderAdd()

 When ``failure_mode_allow`` and ``failure_mode_allow_header_add`` are both set to true,
 ``x-envoy-auth-failure-mode-allowed: true`` will be added to request headers if the communication
 with the authorization service has failed, or if the authorization service has returned a
 HTTP 5xx error.
 

bool failure_mode_allow_header_add = 19;

Returns:

The failureModeAllowHeaderAdd.

hasWithRequestBody

boolean hasWithRequestBody()

 Enables filter to buffer the client request body and send it within the authorization request.
 A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request message indicating if the body data is partial.
 

.envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;

Returns:

Whether the withRequestBody field is set.

getWithRequestBody

BufferSettings getWithRequestBody()

 Enables filter to buffer the client request body and send it within the authorization request.
 A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request message indicating if the body data is partial.
 

.envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;

Returns:

The withRequestBody.

getWithRequestBodyOrBuilder

BufferSettingsOrBuilder getWithRequestBodyOrBuilder()

 Enables filter to buffer the client request body and send it within the authorization request.
 A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
 request message indicating if the body data is partial.
 

.envoy.extensions.filters.http.ext_authz.v3.BufferSettings with_request_body = 5;

getClearRouteCache

boolean getClearRouteCache()

 Clears route cache in order to allow the external authorization service to correctly affect
 routing decisions. Filter clears all cached routes when:
 1. The field is set to ``true``.
 2. The status returned from the authorization service is a HTTP 200 or gRPC 0.
 3. At least one ``authorization response header`` is added to the client request, or is used for
 altering another client request header.
 

bool clear_route_cache = 6;

Returns:

The clearRouteCache.

hasStatusOnError

boolean hasStatusOnError()

 Sets the HTTP status that is returned to the client when the authorization server returns an error
 or cannot be reached. The default status is HTTP 403 Forbidden.
 

.envoy.type.v3.HttpStatus status_on_error = 7;

Returns:

Whether the statusOnError field is set.

getStatusOnError

HttpStatus getStatusOnError()

 Sets the HTTP status that is returned to the client when the authorization server returns an error
 or cannot be reached. The default status is HTTP 403 Forbidden.
 

.envoy.type.v3.HttpStatus status_on_error = 7;

Returns:

The statusOnError.

getStatusOnErrorOrBuilder

HttpStatusOrBuilder getStatusOnErrorOrBuilder()

 Sets the HTTP status that is returned to the client when the authorization server returns an error
 or cannot be reached. The default status is HTTP 403 Forbidden.
 

.envoy.type.v3.HttpStatus status_on_error = 7;

getMetadataContextNamespacesList

List<String> getMetadataContextNamespacesList()

 Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.
 .. code-block:: yaml
    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
 

repeated string metadata_context_namespaces = 8;

Returns:

A list containing the metadataContextNamespaces.

getMetadataContextNamespacesCount

int getMetadataContextNamespacesCount()

 Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.
 .. code-block:: yaml
    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
 

repeated string metadata_context_namespaces = 8;

Returns:

The count of metadataContextNamespaces.

getMetadataContextNamespaces

String getMetadataContextNamespaces(int index)

 Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.
 .. code-block:: yaml
    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
 

repeated string metadata_context_namespaces = 8;

Parameters:

index - The index of the element to return.

Returns:

The metadataContextNamespaces at the given index.

getMetadataContextNamespacesBytes

com.google.protobuf.ByteString getMetadataContextNamespacesBytes(int index)

 Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>` is passed as an opaque ``protobuf::Struct``.
 For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
 <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
 then the following will pass the jwt payload to the authorization server.
 .. code-block:: yaml
    metadata_context_namespaces:
    - envoy.filters.http.jwt_authn
 

repeated string metadata_context_namespaces = 8;

Parameters:

index - The index of the value to return.

Returns:

The bytes of the metadataContextNamespaces at the given index.

getTypedMetadataContextNamespacesList

List<String> getTypedMetadataContextNamespacesList()

 Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as an ``protobuf::Any``.
 It works in a way similar to ``metadata_context_namespaces`` but allows envoy and external authz server to share the protobuf message definition
 in order to do a safe parsing.
 

repeated string typed_metadata_context_namespaces = 16;

Returns:

A list containing the typedMetadataContextNamespaces.

getTypedMetadataContextNamespacesCount

int getTypedMetadataContextNamespacesCount()

 Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as an ``protobuf::Any``.
 It works in a way similar to ``metadata_context_namespaces`` but allows envoy and external authz server to share the protobuf message definition
 in order to do a safe parsing.
 

repeated string typed_metadata_context_namespaces = 16;

Returns:

The count of typedMetadataContextNamespaces.

getTypedMetadataContextNamespaces

String getTypedMetadataContextNamespaces(int index)

 Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as an ``protobuf::Any``.
 It works in a way similar to ``metadata_context_namespaces`` but allows envoy and external authz server to share the protobuf message definition
 in order to do a safe parsing.
 

repeated string typed_metadata_context_namespaces = 16;

Parameters:

index - The index of the element to return.

Returns:

The typedMetadataContextNamespaces at the given index.

getTypedMetadataContextNamespacesBytes

com.google.protobuf.ByteString getTypedMetadataContextNamespacesBytes(int index)

 Specifies a list of metadata namespaces whose values, if present, will be passed to the
 ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as an ``protobuf::Any``.
 It works in a way similar to ``metadata_context_namespaces`` but allows envoy and external authz server to share the protobuf message definition
 in order to do a safe parsing.
 

repeated string typed_metadata_context_namespaces = 16;

Parameters:

index - The index of the value to return.

Returns:

The bytes of the typedMetadataContextNamespaces at the given index.

hasFilterEnabled

boolean hasFilterEnabled()

 Specifies if the filter is enabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.
 If this field is not specified, the filter will be enabled for all requests.
 

.envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;

Returns:

Whether the filterEnabled field is set.

getFilterEnabled

RuntimeFractionalPercent getFilterEnabled()

 Specifies if the filter is enabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.
 If this field is not specified, the filter will be enabled for all requests.
 

.envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;

Returns:

The filterEnabled.

getFilterEnabledOrBuilder

RuntimeFractionalPercentOrBuilder getFilterEnabledOrBuilder()

 Specifies if the filter is enabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFractionalPercent.runtime_key>` is specified,
 Envoy will lookup the runtime key to get the percentage of requests to filter.
 If this field is not specified, the filter will be enabled for all requests.
 

.envoy.config.core.v3.RuntimeFractionalPercent filter_enabled = 9;

hasFilterEnabledMetadata

boolean hasFilterEnabledMetadata()

 Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.
 

.envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;

Returns:

Whether the filterEnabledMetadata field is set.

getFilterEnabledMetadata

MetadataMatcher getFilterEnabledMetadata()

 Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.
 

.envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;

Returns:

The filterEnabledMetadata.

getFilterEnabledMetadataOrBuilder

MetadataMatcherOrBuilder getFilterEnabledMetadataOrBuilder()

 Specifies if the filter is enabled with metadata matcher.
 If this field is not specified, the filter will be enabled for all requests.
 

.envoy.type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;

hasDenyAtDisable

boolean hasDenyAtDisable()

 Specifies whether to deny the requests, when the filter is disabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny request for
 filter protected path at filter disabling. If filter is disabled in
 typed_per_filter_config for the path, requests will not be denied.
 If this field is not specified, all requests will be allowed when disabled.
 If a request is denied due to this setting, the response code in :ref:`status_on_error
 <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
 be returned.
 

.envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;

Returns:

Whether the denyAtDisable field is set.

getDenyAtDisable

RuntimeFeatureFlag getDenyAtDisable()

 Specifies whether to deny the requests, when the filter is disabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny request for
 filter protected path at filter disabling. If filter is disabled in
 typed_per_filter_config for the path, requests will not be denied.
 If this field is not specified, all requests will be allowed when disabled.
 If a request is denied due to this setting, the response code in :ref:`status_on_error
 <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
 be returned.
 

.envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;

Returns:

The denyAtDisable.

getDenyAtDisableOrBuilder

RuntimeFeatureFlagOrBuilder getDenyAtDisableOrBuilder()

 Specifies whether to deny the requests, when the filter is disabled.
 If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
 Envoy will lookup the runtime key to determine whether to deny request for
 filter protected path at filter disabling. If filter is disabled in
 typed_per_filter_config for the path, requests will not be denied.
 If this field is not specified, all requests will be allowed when disabled.
 If a request is denied due to this setting, the response code in :ref:`status_on_error
 <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.status_on_error>` will
 be returned.
 

.envoy.config.core.v3.RuntimeFeatureFlag deny_at_disable = 11;

getIncludePeerCertificate

boolean getIncludePeerCertificate()

 Specifies if the peer certificate is sent to the external service.
 When this field is true, Envoy will include the peer X.509 certificate, if available, in the
 :ref:`certificate<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.certificate>`.
 

bool include_peer_certificate = 10;

Returns:

The includePeerCertificate.

getStatPrefix

String getStatPrefix()

 Optional additional prefix to use when emitting statistics. This allows to distinguish
 emitted statistics between configured ``ext_authz`` filters in an HTTP filter chain. For example:
 .. code-block:: yaml
   http_filters:
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc.
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc.
 

string stat_prefix = 13;

Returns:

The statPrefix.

getStatPrefixBytes

com.google.protobuf.ByteString getStatPrefixBytes()

 Optional additional prefix to use when emitting statistics. This allows to distinguish
 emitted statistics between configured ``ext_authz`` filters in an HTTP filter chain. For example:
 .. code-block:: yaml
   http_filters:
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc.
     - name: envoy.filters.http.ext_authz
       typed_config:
         "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
         stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc.
 

string stat_prefix = 13;

Returns:

The bytes for statPrefix.

getBootstrapMetadataLabelsKey

String getBootstrapMetadataLabelsKey()

 Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in
 :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
 The labels will be read from :ref:`metadata<envoy_v3_api_msg_config.core.v3.Node>` with the specified key.
 

string bootstrap_metadata_labels_key = 15;

Returns:

The bootstrapMetadataLabelsKey.

getBootstrapMetadataLabelsKeyBytes

com.google.protobuf.ByteString getBootstrapMetadataLabelsKeyBytes()

 Optional labels that will be passed to :ref:`labels<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.labels>` in
 :ref:`destination<envoy_v3_api_field_service.auth.v3.AttributeContext.destination>`.
 The labels will be read from :ref:`metadata<envoy_v3_api_msg_config.core.v3.Node>` with the specified key.
 

string bootstrap_metadata_labels_key = 15;

Returns:

The bytes for bootstrapMetadataLabelsKey.

hasAllowedHeaders

boolean hasAllowedHeaders()

 Check request to authorization server will include the client request headers that have a correspondent match
 in the :ref:`list <envoy_v3_api_msg_type.matcher.v3.ListStringMatcher>`. If this option isn't specified, then
 all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers
 (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server.
 This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior.
 .. note::
  1. For requests to an HTTP authorization server: in addition to the the user's supplied matchers, ``Host``, ``Method``, ``Path``,
     ``Content-Length``, and ``Authorization`` are **additionally included** in the list.
 .. note::
  2. For requests to an HTTP authorization server: *Content-Length* will be set to 0 and the request to the
  authorization server will not have a message body. However, the check request can include the buffered
  client request body (controlled by :ref:`with_request_body
  <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting),
  consequently the value of *Content-Length* of the authorization request reflects the size of
  its payload size.
 

.envoy.type.matcher.v3.ListStringMatcher allowed_headers = 17;

Returns:

Whether the allowedHeaders field is set.

getAllowedHeaders

ListStringMatcher getAllowedHeaders()

 Check request to authorization server will include the client request headers that have a correspondent match
 in the :ref:`list <envoy_v3_api_msg_type.matcher.v3.ListStringMatcher>`. If this option isn't specified, then
 all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers
 (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server.
 This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior.
 .. note::
  1. For requests to an HTTP authorization server: in addition to the the user's supplied matchers, ``Host``, ``Method``, ``Path``,
     ``Content-Length``, and ``Authorization`` are **additionally included** in the list.
 .. note::
  2. For requests to an HTTP authorization server: *Content-Length* will be set to 0 and the request to the
  authorization server will not have a message body. However, the check request can include the buffered
  client request body (controlled by :ref:`with_request_body
  <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting),
  consequently the value of *Content-Length* of the authorization request reflects the size of
  its payload size.
 

.envoy.type.matcher.v3.ListStringMatcher allowed_headers = 17;

Returns:

The allowedHeaders.

getAllowedHeadersOrBuilder

ListStringMatcherOrBuilder getAllowedHeadersOrBuilder()

 Check request to authorization server will include the client request headers that have a correspondent match
 in the :ref:`list <envoy_v3_api_msg_type.matcher.v3.ListStringMatcher>`. If this option isn't specified, then
 all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers
 (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server.
 This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior.
 .. note::
  1. For requests to an HTTP authorization server: in addition to the the user's supplied matchers, ``Host``, ``Method``, ``Path``,
     ``Content-Length``, and ``Authorization`` are **additionally included** in the list.
 .. note::
  2. For requests to an HTTP authorization server: *Content-Length* will be set to 0 and the request to the
  authorization server will not have a message body. However, the check request can include the buffered
  client request body (controlled by :ref:`with_request_body
  <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting),
  consequently the value of *Content-Length* of the authorization request reflects the size of
  its payload size.
 

.envoy.type.matcher.v3.ListStringMatcher allowed_headers = 17;

getIncludeTlsSession

boolean getIncludeTlsSession()

 Specifies if the TLS session level details like SNI are sent to the external service.
 When this field is true, Envoy will include the SNI name used for TLSClientHello, if available, in the
 :ref:`tls_session<envoy_v3_api_field_service.auth.v3.AttributeContext.tls_session>`.
 

bool include_tls_session = 18;

Returns:

The includeTlsSession.

getServicesCase

ExtAuthz.ServicesCase getServicesCase()