This repository has been archived by the owner on Nov 21, 2023. It is now read-only.

AS: Add API to set policy #92

Merged 1 commit on May 11, 2023

jialez0 (Member) commented May 6, 2023

No description provided.

jialez0 force-pushed the set-policy branch 7 times, most recently from fac8f92 to ac87c04, on May 6, 2023 06:41

Xynnn007 (Member) left a comment

Thanks for the API! It is very useful!

jialez0 force-pushed the set-policy branch 7 times, most recently from 600c78f to d1acbca, on May 9, 2023 09:34
@niteeshkd

It seems the API updates the existing opa policy file (e.g. .../opa/policy.rego).

  1. Can it be used to create a new policy file and use that in the policy evaluation? I think coco owner may provide different policy files for different cocos while using the same attestation service.
  2. If later some other type of policy engine is supported, is it expected that new API will be created to update the policy for that type of policy engine?

jialez0 force-pushed the set-policy branch 2 times, most recently from 0a3b219 to 1c9d1f5, on May 10, 2023 03:53

jialez0 (Member, Author) commented May 10, 2023

> It seems the API updates the existing opa policy file (e.g. .../opa/policy.rego).
>
> 1. Can it be used to create a new policy file and use that in the policy evaluation? I think coco owner may provide different policy files for different cocos while using the same attestation service.
> 2. If later some other type of policy engine is supported, is it expected that new API will be created to update the policy for that type of policy engine?

@niteeshkd Thanks for the proposal! I will try to think and design to implement the functions you mentioned.

jialez0 force-pushed the set-policy branch 4 times, most recently from d525adc to c47bcd6, on May 10, 2023 08:04

jialez0 (Member, Author) commented May 10, 2023

@niteeshkd I have updated the code; the set policy input now specifies the policy type and policy ID. You can take a look at this PR again. Thanks!
In this PR, we only use "default" as the policy ID for now, because how KBS/AS identifies coco resources is still under discussion and design. After we have a comprehensive mechanism to identify the coco resources, we can use different policy IDs based on that ID.

@niteeshkd

> @niteeshkd I have updated the code; the set policy input now specifies the policy type and policy ID. You can take a look at this PR again. Thanks! In this PR, we only use "default" as the policy ID for now, because how KBS/AS identifies coco resources is still under discussion and design. After we have a comprehensive mechanism to identify the coco resources, we can use different policy IDs based on that ID.

Sounds good to me!

jialez0 force-pushed the set-policy branch 2 times, most recently from 78ff034 to ffc0ddf, on May 11, 2023 04:32
Signed-off-by: Jiale Zhang <zhangjiale@linux.alibaba.com>
jialez0 merged commit 090c367 into confidential-containers:main on May 11, 2023