# RBAC

The Envoy RBAC filter enables Role Based Access Control on the http.Connection\_Manager listener object. For more information and the full configuration reference, see the [official Envoy RBAC filter docs](https://www.envoyproxy.io/docs/envoy/v1.15.0/configuration/http/http_filters/rbac_filter).

## Enabling The RBAC Filter

To enable the RBAC filter we will be using the Grey Matter CLI to make changes to our listener objects within the API.

```bash
greymatter edit listener <listener-key>
```

This will bring up your favorite console editor in your shell. You'll want to note two fields: active\_http\_filters and http\_filters.

In the active\_http\_filters array, we will want to add another list item `envoy.rbac`. E.g., to have the Grey Matter metrics, Grey Matter observables, and Envoy RBAC filters enabled:

```javascript
  "active_http_filters": [
    "gm.metrics",
    "gm.observables",
    "envoy.rbac"
  ],
```

> Note: this can also be done in the proxy object using the `active_proxy_filters` and `proxy_filters` options. This will set the filter on every listener of the sidecar.

Do not save and exit at this point: we've only told the Grey Matter Sidecar which filters we wish to have running, but we haven't yet provided configuration for the RBAC filter. Under the http\_filters object, you'll note a gm\_observables object as well. The http\_filters object is where we are going to configure our new filter:

```javascript
"envoy_rbac" : {
  "rules": {
    "action": 0,
    "policies": {
      "service-admin": {
        "permissions": [
          {
            "any": true
          }
        ],
        "principals": [
          {
            "header": {
              "name": "user_dn",
              "exact_match": "cn=firstname.lastname"
            }
          }
        ]
      },
      "product-viewer": {
        "permissions": [
          {
            "header": {
              "name": ":method",
              "exact_match": "GET"
            }
          }
        ],
        "principals": [
          {
            "any": true
          }
        ]
      }
    }
  }
}
```

Once you have edited the configuration to your liking, save the newly modified JSON and the Grey Matter CLI will update your instance of Grey Matter Control API. The listener will now receive the new configuration and hot reload with the new filter enabled.

With the filter enabled as shown above, all calls to this server must include the HTTP header `USER_DN` and be an approved principal to have complete access. In all other cases, access to every method except `GET` is denied.

> **NOTE** when running in the full mesh (not a stand-alone proxy) the `USER_DN` header can be set with the `gm.inheaders` filter. Typically this is done at the edge node, such that the appropriate headers are already populated for all calls into the mesh.

If the DN is not passed, you will see the following error message:

```
RBAC: access denied
```
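
To see which requests the policy above admits, here is a simplified model of the evaluation. It is an example added here, not Envoy or Grey Matter code; it assumes `"action": 0` is Envoy's ALLOW action, and the function names and sample requests are constructed for illustration.

```python
# Simplified model of Envoy RBAC evaluation (illustration only, not Envoy code).
# Handles just the two rule kinds used above: "any" and "header"/"exact_match".

RULES = {
    "action": 0,  # 0 = ALLOW in Envoy's RBAC action enum
    "policies": {
        "service-admin": {
            "permissions": [{"any": True}],
            "principals": [{"header": {"name": "user_dn",
                                       "exact_match": "cn=firstname.lastname"}}],
        },
        "product-viewer": {
            "permissions": [{"header": {"name": ":method", "exact_match": "GET"}}],
            "principals": [{"any": True}],
        },
    },
}

def rule_matches(rule, headers):
    """Evaluate one permission or principal rule against lowercased headers."""
    if rule.get("any"):
        return True
    if "header" in rule:
        h = rule["header"]
        return headers.get(h["name"].lower()) == h["exact_match"]
    return False  # rule kinds outside this model never match

def matching_policy(rules, headers):
    """Return a policy whose permissions AND principals both match, else None."""
    headers = {k.lower(): v for k, v in headers.items()}
    for name, policy in rules["policies"].items():
        if (any(rule_matches(r, headers) for r in policy["permissions"])
                and any(rule_matches(r, headers) for r in policy["principals"])):
            return name
    return None

def check(rules, method, headers=None):
    """Return (allowed, policy_name); with action 0 a match means allow."""
    hdrs = dict(headers or {})
    hdrs[":method"] = method
    policy = matching_policy(rules, hdrs)
    allowed = (policy is not None) if rules["action"] == 0 else (policy is None)
    return allowed, policy

if __name__ == "__main__":
    # Constructed sample requests.
    for m, h in [("GET", {}), ("POST", {}), ("POST", {"USER_DN": "cn=firstname.lastname"})]:
        print(m, h, check(RULES, m, h))
```

The `user_dn` principal matches whatever header value reaches the listener, so the policy depends on that header being set by a trusted component such as the edge node described in the note above.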
