feat(authz): add opa bundle support #3194
Signed-off-by: Mark Phelps <[email protected]>
…o authz-opa-sdk * 'authz-opa-sdk' of https://github.com/flipt-io/flipt: docs: add mbezhanov as a contributor for code (#3197) feat: support environment variable substitution in config files (#3195)
Marking this ready for a first pass while I work on the schema updates and testing with S3.
Data *AuthorizationSourceConfig `json:"data,omitempty" mapstructure:"data,omitempty" yaml:"data,omitempty"` | ||
Required bool `json:"required,omitempty" mapstructure:"required" yaml:"required,omitempty"` | ||
Backend AuthorizationBackend `json:"backend,omitempty" mapstructure:"backend" yaml:"backend,omitempty"` | ||
Local *AuthorizationLocalConfig `json:"local,omitempty" mapstructure:"local,omitempty" yaml:"local,omitempty"` |
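Review bot: The mapstructure tags on these four fields are inconsistent, and nothing visible ties Backend to which source block is populated. Data and Local carry `mapstructure:"data,omitempty"` and `mapstructure:"local,omitempty"`, while Required and Backend use plain `mapstructure:"required"` / `mapstructure:"backend"`; suggest normalising them so decoding behaves the same for every field. More importantly, Backend selects the authz source but Local (and Data) are independent optional pointers, so a config that sets Backend to one source while populating the other, or neither, decodes without complaint. Add a validation step that rejects that combination at startup, rather than letting an authz source silently fall through, especially when Required is false.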
Note: this is a breaking config change, but since it's still marked experimental I think it's OK.
} | ||
|
||
tmpl = fmt.Sprintf(` | ||
services: |
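Review bot: Building the OPA config with `tmpl = fmt.Sprintf(` into a YAML template pastes every interpolated value (bucket name, endpoint, object key, credentials reference) into the document unquoted, so a value containing a newline or a `key: value` pair can add or override keys in the `services:` or `bundles:` sections. The OPA SDK only needs the config as raw bytes, and JSON is accepted in place of YAML, so consider building a `map[string]any` and passing `json.Marshal` output instead; every scalar is then quoted and escaped and the structure is fixed by the code. If the template has to stay, wrap each `%s` in double quotes and escape the value so it cannot break out of its scalar.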
This is gross, I'll admit, but it's how the OPA SDK has to be configured: https://github.com/open-policy-agent/opa/blob/f05497530d337dfd30dbd31851209d3a25c1cf95/sdk/options.go#L27
I went looking to see if they at least had a struct they use to parse it back out, so we could use that and marshal it before we pass it, but even theirs is just a pile of json.RawMessage:
https://github.com/open-policy-agent/opa/blob/f05497530d337dfd30dbd31851209d3a25c1cf95/config/config.go#L23-L48
Looks great. One take-it-or-leave-it 👍
* 'main' of https://github.com/flipt-io/flipt: chore: Add views to Dagger (#3201) Update test.yml (#3200) feat(authz): add opa bundle support (#3194)
This adds the ability to use OPA bundles for loading in policies and data used to make authorization decisions.
Currently, this PR adds the ability to pull a bundle from S3 (or Minio) via a similar configuration to the one we use for our AWS S3 storage for declarative state.
It also allows advanced users to configure the Bundle API in OPA using the full configuration if they wish: https://www.openpolicyagent.org/docs/latest/management-bundles/#bundle-service-api
In the future we want to add 'nice' configuration to support authorization sources such as:
OPA already has examples/docs on how to use the bundle API for the first 3, however Git will likely need to be a custom implementation.
This PR also moves around the configuration a bit for our existing `local` authz source support, which continues to use the lower-level rego SDK. The plan is to extend the rego engine to also support pulling from the Flipt Cloud API over HTTP, and likely to support Git as well, since both of these methods will likely pull the 'raw' data and not a pre-packaged bundle like this new bundle engine does.
TODO
- [ ] Add integration tests

PITA, I'm resorting to testing manually.
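The thread above settles on handing the OPA SDK a bundle-service config as raw bytes, and the review discussion flags that assembling it with `fmt.Sprintf` leaves operator-supplied values unquoted inside the YAML. The block below is an added example written for this page, not Flipt's or OPA's own code: it builds the S3 bundle config the PR describes (a `services` entry with S3 request signing and a `bundles` entry pointing at the tarball, per the OPA management-bundles docs linked above) both ways, and shows that a constructed object key carrying a newline becomes a second `service:` key under the template approach while `json.Marshal` keeps it a single escaped string. `BundleSource` and its fields are assumed names for the sake of the example, not Flipt's real config struct, and the S3/Minio URL derivation is the example's own simplification.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// BundleSource is an assumed, minimal stand-in for an S3/Minio bundle source
// as the PR describes it. Field names are hypothetical, not Flipt's config.
type BundleSource struct {
	Bucket   string // bucket holding the bundle tarball
	Endpoint string // optional custom endpoint, e.g. a Minio URL; empty means AWS
	Region   string // AWS region, used only when Endpoint is empty
	Resource string // object key of the bundle inside the bucket
	MinPoll  int    // OPA polling.min_delay_seconds
	MaxPoll  int    // OPA polling.max_delay_seconds
}

// serviceURL derives the OPA "services.<name>.url" for the bucket.
func serviceURL(src BundleSource) string {
	if src.Endpoint != "" {
		return strings.TrimRight(src.Endpoint, "/") + "/" + src.Bucket
	}
	return fmt.Sprintf("https://%s.s3.%s.amazonaws.com", src.Bucket, src.Region)
}

// sprintfConfig mirrors the fmt.Sprintf-into-YAML approach from the review
// thread: operator-supplied values land in the document unquoted, so a value
// with a newline can append keys of its own.
func sprintfConfig(src BundleSource) string {
	return fmt.Sprintf(`services:
  s3:
    url: %s
    credentials:
      s3_signing:
        environment_credentials: {}
bundles:
  authz:
    service: s3
    resource: %s
    polling:
      min_delay_seconds: %d
      max_delay_seconds: %d
`, serviceURL(src), src.Resource, src.MinPoll, src.MaxPoll)
}

// marshalConfig builds the same OPA config as a map and marshals it to JSON,
// which OPA accepts in place of YAML. Every scalar is quoted and escaped, so
// a hostile value stays one string and cannot add or alter keys.
func marshalConfig(src BundleSource) ([]byte, error) {
	cfg := map[string]any{
		"services": map[string]any{
			"s3": map[string]any{
				"url": serviceURL(src),
				"credentials": map[string]any{
					"s3_signing": map[string]any{
						"environment_credentials": map[string]any{},
					},
				},
			},
		},
		"bundles": map[string]any{
			"authz": map[string]any{
				"service":  "s3",
				"resource": src.Resource,
				"polling": map[string]any{
					"min_delay_seconds": src.MinPoll,
					"max_delay_seconds": src.MaxPoll,
				},
			},
		},
	}
	return json.Marshal(cfg)
}

// resourceFromConfig reads bundles.authz.resource back out of a marshalled
// config so the round trip can be checked.
func resourceFromConfig(raw []byte) (string, error) {
	var cfg struct {
		Bundles map[string]struct {
			Resource string `json:"resource"`
		} `json:"bundles"`
	}
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return "", err
	}
	b, ok := cfg.Bundles["authz"]
	if !ok {
		return "", fmt.Errorf("bundle %q missing from config", "authz")
	}
	return b.Resource, nil
}

func main() {
	// Constructed input: an object key carrying a newline and an extra YAML key.
	hostile := BundleSource{Bucket: "flipt-policies", Region: "us-east-1",
		Resource: "bundle.tar.gz\n    service: attacker", MinPoll: 60, MaxPoll: 120}
	fmt.Print(sprintfConfig(hostile)) // the injected "service: attacker" line is real YAML here
	raw, err := marshalConfig(hostile)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(raw)) // here it is escaped inside one JSON string
}
```

The YAML output is shown only to make the injection visible; in practice the marshalled JSON is what you would hand to `sdk.Options.Config`, and the same map-then-marshal shape extends naturally to the "full configuration" escape hatch the PR mentions, since an advanced user's document can be unmarshalled, validated and re-marshalled rather than string-concatenated.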