Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

support open policy agent #42

Closed
ripienaar opened this issue Dec 19, 2019 · 0 comments
Closed

support open policy agent #42

ripienaar opened this issue Dec 19, 2019 · 0 comments

Comments

@ripienaar
Copy link
Member

ripienaar commented Dec 19, 2019
edited
Loading

We should spike supporting OPA, the userlist might embed a rego policy into the JWT and the actionlist would evaluate the policy.

A sample policy might look like this:

package choria.aaa.policy

default allow = false

# user can deploy only frontend of myco into production but only in malta
allow {
	input.action == "deploy"
	input.agent == "myco"
	input.data.component == "frontend"
	requires_fact_filter("country=mt")
	input.collective == "production"
}

# can ask status anywhere in any environment but not unfiltered
allow {
	input.action == "status"
	input.agent == "myco"
        count(input.filter.fact) > 0
}

# user can do anything myco related in development
allow {
	input.agent == "myco"
	input.collective == "development"
}

this shows the user having access to all the various parts of a request - nothing about nodes as this is in the context of the signer - so just what is in the request.

Things we couldnt do before:

  • authz on collective
  • authz on filters being supplied or not
  • authz on very specific filters
  • authz on the inputs sent to the agent
ripienaar added a commit to ripienaar/aaasvc that referenced this issue Dec 19, 2019
@ripienaar
(choria-io#42) spike around OPA
8a11db6
ripienaar added a commit to ripienaar/aaasvc that referenced this issue Dec 19, 2019
@ripienaar
(choria-io#42) spike around OPA
b5ecde2
ripienaar added a commit to ripienaar/aaasvc that referenced this issue Dec 19, 2019
@ripienaar
(choria-io#42) spike around OPA
9dac73f
ripienaar added a commit to ripienaar/aaasvc that referenced this issue Dec 20, 2019
@ripienaar
(choria-io#42) add an Open Policy Agent authorizer
cbe205b
ripienaar added a commit to ripienaar/aaasvc that referenced this issue Dec 20, 2019
@ripienaar
(choria-io#42) add an Open Policy Agent authorizer
134ac5b
ripienaar added a commit to ripienaar/aaasvc that referenced this issue Dec 20, 2019
@ripienaar
(choria-io#42) add an Open Policy Agent authorizer
7f8c7a6
ripienaar added a commit to ripienaar/aaasvc that referenced this issue Dec 20, 2019
@ripienaar
(choria-io#42) add an Open Policy Agent authorizer
8c7c8a3
ripienaar added a commit to ripienaar/aaasvc that referenced this issue Dec 20, 2019
@ripienaar
(choria-io#42) add an Open Policy Agent authorizer
c07cdaa
ripienaar added a commit that referenced this issue Dec 20, 2019
@ripienaar
Merge pull request #43 from ripienaar/42
b08b962 
(#42) spike around OPA
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ripienaar