Skip to main content

SBAC: Service Based Access Control

SBAC allows you to dynamically control the blocking of services based on a set of RuleFilters

Function

SBAC rules are evaluated inline continuously throughout all request/response pairs or TCP streams. If insufficient data is present (i.e. filtering on a request header, but we haven't gotten all the headers yet), the rule is skipped, or if the stage field has not yet happened.

Format

Each SBAC item has the following fields:

  • name: Optional human readable name that will be displayed when the rule is responsible for blocking a service. If no rule is defined then the items index will be used instead.
  • stage: The stage at which the rule should start being checked. The rule will only start being checked once the stage is hit and will be re-checked at every following stage. The possible values are:
    • pre_request_headers
    • on_request_header_chunk
    • post_request_headers
    • on_request_body_chunk
    • post_request_body
    • on_response_header_chunk
    • post_response_headers
    • on_response_body_chunk
    • post_response_body
    • on_response_trailer_chunk
    • post_response_trailers
    • any (default)
  • filter: the RuleFilter to check

Example

sbac:
- name: test_html
stage: on_request_header_chunk
filter:
endpoint: /test.html
- name: routing_matches
stage: on_response_body_chunk
filter:
response_matches:
routing: 2
- name: never
stage: on_request_header_chunk
filter:
endpoint: /this/path/does/not/exist.html
- name: json_matches
stage: on_response_body_chunk
filter:
all:
- endpoint: /test.json
- response_matches:
ssn: 10
- name: header_matches_false
stage: on_request_header_chunk
filter:
exclude_request_headers:
hi: mars
hello: world
- name: json_path
stage: on_response_body_chunk
filter:
response_matches:
"*":
- path: test.*[*]
- exclude_path: test.my_ssn3.[*]
- count: 2