SlideShare ist ein Scribd-Unternehmen logo

OPA: The Cloud Native Policy Engine

T
Torin Sandall

This document discusses Open Policy Agent (OPA), an open source general-purpose policy engine. It provides examples of how OPA can be used to enforce various types of policies across complex environments in a flexible way. OPA treats policy decisions as separate from enforcement, stores policies and data in-memory, and uses partial evaluation and indexing to evaluate policies efficiently. It allows policies to be written declaratively using Rego and enforced for services, infrastructure, and other resources regardless of how they are implemented. The document demonstrates examples of using OPA for authorization, RBAC, and other policies across multiple domains.

Technologie
1 von 60
Downloaden Sie, um offline zu lesen
@sometorin @OpenPolicyAgent Open Policy Agent
@sometorin @OpenPolicyAgent Torin Sandall @sometorin ● Open Policy Agent co-founder and core contributor ● Istio and Kubernetes policy-related features ● ❤ good restaurants Copenhagen
@sometorin @OpenPolicyAgent
@sometorin @OpenPolicyAgent
@sometorin @OpenPolicyAgent Policy decisions should be decoupled from policy enforcement.
@sometorin @OpenPolicyAgent Treat policy as a separate concern. ...just like DB, messaging, monitoring, logging, orchestration, CI/CD...
@sometorin @OpenPolicyAgent Gain better control and visibility over policy throughout your system.
@sometorin @OpenPolicyAgent Everyone is affected by policy...
@sometorin @OpenPolicyAgent "QA must sign-off on images deployed to the production namespace." "Restrict ELB changes to senior SREs that are on-call." "Analysts can read client data but PII must be redacted." "Give developers SSH access to machines listed in JIRA tickets assigned to them."
@sometorin @OpenPolicyAgent Policy enforcement is a fundamental problem for your organization.
@sometorin @OpenPolicyAgent Tribal knowledge provides NO guarantee that policies are being enforced. "Tribal knowledge" is the know-how or collective wisdom of the organization.
@sometorin @OpenPolicyAgent It is expensive and painful to maintain policy decisions that are hardcoded into the app.
@sometorin @OpenPolicyAgent Service OPA Policy (rego) Data (json) OPA is an open source, general-purpose policy engine. Policy Query Policy Decision
@sometorin @OpenPolicyAgent Decisions are decoupled from enforcement. Service OPA Policy (rego) Data (json) Policy Query Policy Decision Enforcement
@sometorin @OpenPolicyAgent OPA is a host-local cache for policy decisions. Node Service OPA Node Service OPA
@sometorin @OpenPolicyAgent Node Service OPA Node Service OPA Node Service Node Host Failures OPA Node Service Node Network Partitions OPA Network Network Fate Sharing ✔ Low latency ✔ High availability
@sometorin @OpenPolicyAgent Service OPA Policy (rego) Data (json) Policy Query Policy Decision Policy and data are stored in-memory. No runtime dependencies during enforcement. Enforcement
@sometorin @OpenPolicyAgent
@sometorin @OpenPolicyAgent details service reviews service ratings service landing page service
@sometorin @OpenPolicyAgent Demo: Authorization landingpage ratings details reviews Input { "method": "GET", "path": ["reviews", "bob"], "user": "alice" }
@sometorin @OpenPolicyAgent Demo: Authorization landingpage ratings details reviews Demo Policy "Employees can see their own reviews and the reviews of their subordinates." "Employees can see their own PII. HR can also see PII."
@sometorin @OpenPolicyAgent Declarative Language (Rego) ● Is user X allowed to call operation Y on resource Z? ● Which annotations must be added to new Deployments? ● Which users can SSH into production machines?
@sometorin @OpenPolicyAgent "Employees may read their own reviews and the reviews of their subordinates."
@sometorin @OpenPolicyAgent "Employees may read their own reviews [...]"
@sometorin @OpenPolicyAgent "Employees may read their own reviews [...]" Input {"method": "GET", "path": ["reviews", "bob"], "user": "bob"}
@sometorin @OpenPolicyAgent "Employees may read their own reviews [...]" allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } Input {"method": "GET", "path": ["reviews", "bob"], "user": "bob"}
@sometorin @OpenPolicyAgent allow = true { input.method = "GET" input.path = ["reviews", "bob"] input.user = "bob" } Input {"method": "GET", "path": ["reviews", "bob"], "user": "bob"} "Employees may read their own reviews [...]"
@sometorin @OpenPolicyAgent allow = true { input.method = "GET" # OK input.path = ["reviews", "bob"] # OK input.user = "bob" # OK } Input {"method": "GET", "path": ["reviews", "bob"], "user": "bob"} "Employees may read their own reviews [...]"
@sometorin @OpenPolicyAgent allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} "Employees may read their own reviews [...]" "alice" instead of "bob"
@sometorin @OpenPolicyAgent allow = true { input.method = "GET" # OK input.path = ["reviews", "bob"] # OK "alice" = "bob" # FAIL } "Employees may read their own reviews [...]" Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} "alice" instead of "bob"
@sometorin @OpenPolicyAgent allow = true { input.method = "GET" # OK input.path = ["reviews", "bob"] # OK "alice" = "bob" # FAIL } "Employees may read [...] the reviews of their subordinates." Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} "alice" instead of "bob"
@sometorin @OpenPolicyAgent "Employees may read [...] the reviews of their subordinates." allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} Data (in-memory) {"manager_of": { "bob": "alice", "alice": "janet"}}
@sometorin @OpenPolicyAgent "Employees may read [...] the reviews of their subordinates." allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = data.manager_of[employee_id] } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} Data (in-memory) {"manager_of": { "bob": "alice", "alice": "janet"}}
@sometorin @OpenPolicyAgent "Employees may read [...] the reviews of their subordinates." allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } allow = true { input.method = "GET" input.path = ["reviews", "bob"] input.user = data.manager_of["bob"] } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} Data (in-memory) {"manager_of": { "bob": "alice", "alice": "janet"}}
@sometorin @OpenPolicyAgent "Employees may read [...] the reviews of their subordinates." allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } allow = true { input.method = "GET" input.path = ["reviews", "bob"] input.user = "alice" } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} Data (in-memory) {"manager_of": { "bob": "alice", "alice": "janet"}}
@sometorin @OpenPolicyAgent "Employees may read [...] the reviews of their subordinates." allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } allow = true { input.method = "GET" # OK input.path = ["reviews", "bob"] # OK input.user = "alice" # OK } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} Data (in-memory) {"manager_of": { "bob": "alice", "alice": "janet"}}
@sometorin @OpenPolicyAgent What about RBAC?
@sometorin @OpenPolicyAgent RBAC solves XX% of the problem.
@sometorin @OpenPolicyAgent RBAC is not enough. "QA must sign-off on images deployed to the production namespace." "Analysts can read client data but PII must be redacted." "Restrict employees from accessing the service outside of work hours." "Allow all HTTP requests from 10.1.2.0/24." "Restrict ELB changes to senior SREs that are on-call." "Give developers SSH access to machines listed in JIRA tickets assigned to them." "Prevent developers from running containers with privileged security contexts in the production namespace." "Workloads for euro-bank must be deployed on PCI-certified clusters in the EU."
@sometorin @OpenPolicyAgent ...but everyone knows RBAC.
@sometorin @OpenPolicyAgent Implement RBAC with OPA. Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer
@sometorin @OpenPolicyAgent Implement RBAC with OPA. Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer allow = true { # Find binding(s) for user. binding := data.bindings[_] input.user = binding.user
@sometorin @OpenPolicyAgent Implement RBAC with OPA. Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer allow = true { # Find binding(s) for user. binding := data.bindings[_] input.user = binding.user # Find role(s) with permission. role := data.roles[_] input.resource = role.resource input.operation = role.operation
@sometorin @OpenPolicyAgent Implement RBAC with OPA. Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer allow = true { # Find binding(s) for user. binding := data.bindings[_] input.user = binding.user # Find role(s) with permission. role := data.roles[_] input.resource = role.resource input.operation = role.operation # Check if binding matches role. role.name = binding.role }
@sometorin @OpenPolicyAgent Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer Find bindings and roles that match input. This rule searches over the RBAC data. allow = true { # Find binding(s) for user. binding := data.bindings[_] input.user = binding.user # Find role(s) with permission. role := data.roles[_] input.resource = role.resource input.operation = role.operation # Check if binding matches role. role.name = binding.role }
@sometorin @OpenPolicyAgent Partial Evaluation: rules + data ⇒ simplified rules allow = true { # Find binding(s) for user. binding := data.bindings[_] input.user = binding.user # Find role(s) with permission. role := data.roles[_] input.resource = role.resource input.operation = role.operation # Check if binding matches role. role.name = binding.role } Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer Partial Eval allow = true { input.user = "bob" input.resource = "/widgets" input.operation = "write" } allow = true { input.user = "alice" input.resource = "/widgets" input.operation = "read" }
@sometorin @OpenPolicyAgent allow = true { ... } allow = true { ... } allow = true { ... } allow = true { ... } allow = true { ... } # Many rules (100s, 1000s) allow = true { input.user = "alice" input.resource = "/widgets" input.operation = "read" } OPA builds an index from simplified rules. input.resource input.operation input.user ... ... "read" "write" "/widgets" "alice" "bob" input.resource Rule Indexing Rule Rule
@sometorin @OpenPolicyAgent OPA uses the index to quickly find applicable rules. input.resource input.operation input.user Rule ... ... Rule "read" "write" "/widgets" "alice" "bob" input.resource Query allow Input { "user": "alice", "resource": "/widgets", "operation": "read" }
@sometorin @OpenPolicyAgent OPA only evaluates applicable rules. input.resource input.operation input.user Rule ... ... Rule "read" "write" "/widgets" "alice" "bob" input.resource allow = true { ... } allow = true { ... } allow = true { ... } allow = true { ... } allow = true { ... } # Many rules (100s, 1000s) allow = true { input.user = "alice" input.resource = "/widgets" input.operation = "read" } OPA ignores these.
@sometorin @OpenPolicyAgent # Roles # Bindings Normal Eval (ms) With Partial Eval (ms) 250 250 5.50 0.0468 500 500 11.87 0.0591 1,000 1,000 21.64 0.0543 2,000 2,000 45.49 0.0624 blog.openpolicyagent.org Partial Evaluation https://goo.gl/X6Qu6u Rule Indexing https://goo.gl/uoSw3U
@sometorin @OpenPolicyAgent "QA must sign-off on images deployed to the production namespace." "Restrict ELB changes to senior SREs that are on-call." "Analysts can read client data but PII must be redacted." "Give developers SSH access to machines listed in JIRA tickets assigned to them."
@sometorin @OpenPolicyAgent Use OPA to enforce policy across the stack.
@sometorin @OpenPolicyAgent It's all just data. deny { is_read_operation is_pii_topic not in_pii_consumer_whitelist } operation: Read resource: name: credit-scores resourceType: Topic session: principal: principalType: User name: CN=anon_producer,O=OPA clientAddress: 172.21.0.5 deny { not metadata.labels["qa-signoff"] metadata.namespace == "prod" spec.containers[_].privileged } metadata: name: nginx-149353-bvl8q namespace: production spec: containers: - image: nginx name: nginx securityContext: privileged: true nodeName: minikube allow { input.method = "GET" input.path = ["salary", user] input.user = user } method: GET path: /salary/bob service.source: namespace: production service: landing_page service.target: namespace: production service: details user: alice allow { score = risk_budget count(plan_names["aws_iam"]) == 0 blast_radius < 500 } aws_autoscaling_group.lamb: availability_zones#: '1' availability_zones.3205: us-west-1a desired_capacity: '4' launch_configuration: kitten wait_for_capacity_timeout: 10m aws_instance.puppy: ami: ami-09b4b74c instance_type: t2.micro
@sometorin @OpenPolicyAgent ● Complex environment ○ >1,000 services ○ Many resource and identity types ○ Many protocols, languages, etc. ● Key requirements ○ Low latency ○ Flexible policies ○ Ability to capture intent ● Using OPA across the stack ○ HTTP and gRPC APIs ○ Kafka producers ○ SSH (coming soon) User Study: Netflix How Netflix is Solving Authorization Across Their Cloud (KubeCon US 2017)
@sometorin @OpenPolicyAgent orchestrator API ssh app host container dbcloud 20+ companies using OPA. Financial institutions, service providers, IT companies, software vendors, etc. Used across the stack. Microservices, orchestration, provisioning, host daemons, data layer, security groups, etc. Bring more use cases. RBAC, ABAC, admission control, data protection, risk management, rate liming, auditing, etc.
@sometorin @OpenPolicyAgent Demo
@sometorin @OpenPolicyAgent Policy decisions should be decoupled from policy enforcement.
@sometorin @OpenPolicyAgent Try tutorials at openpolicyagent.org HTTP API Authorization Admission Control Risk Management SSH and sudoData Protection
@sometorin @OpenPolicyAgent Leverage OPA to solve fundamental policy and security problems.
@sometorin @OpenPolicyAgent Thank You! open-policy-agent/opa Star us on GitHub.

Empfohlen

Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep Dive
Torin Sandall
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018
Torin Sandall
 
Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPA
Knoldus Inc.
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
Nordic APIs
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing Authorization
Torin Sandall
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
Torin Sandall
 
OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case Survey
Torin Sandall
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 

Empfohlen

Rego Deep Dive
Rego Deep DiveRego Deep Dive
Rego Deep Dive
Torin Sandall
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018
Torin Sandall
 
Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPA
Knoldus Inc.
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy Agent
Nordic APIs
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing Authorization
Torin Sandall
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy Agent
Torin Sandall
 
OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case Survey
Torin Sandall
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
Abhishek Koserwal
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
Guy Marom
 
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Torin Sandall
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
Michael Man
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
Knoldus Inc.
 
OPA open policy agent
OPA open policy agentOPA open policy agent
OPA open policy agent
Knoldus Inc.
 
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
Tatsuo Kudo
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
Julien Pivotto
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
Michael Furman
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
Yohann Ciurlik
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
Vladimir Dzhuvinov
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
Ravi Yasas
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
marcuschristie
 
OAuth
OAuthOAuth
OAuth
Iván Fernández Perea
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 
AWS Builders - Industry Edition: DevSecOps on AWS - 시작은 IAM 부터
AWS Builders - Industry Edition: DevSecOps on AWS - 시작은 IAM 부터AWS Builders - Industry Edition: DevSecOps on AWS - 시작은 IAM 부터
AWS Builders - Industry Edition: DevSecOps on AWS - 시작은 IAM 부터
Amazon Web Services Korea
 
安全なID連携のハウツー
安全なID連携のハウツー安全なID連携のハウツー
安全なID連携のハウツー
Masaru Kurahayashi
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
Torin Sandall
 
Connect Intergration Patterns: A Case Study - Patrick Streule
Connect Intergration Patterns: A Case Study - Patrick StreuleConnect Intergration Patterns: A Case Study - Patrick Streule
Connect Intergration Patterns: A Case Study - Patrick Streule
Atlassian
 

Weitere ähnliche Inhalte

Was ist angesagt?

Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Torin Sandall
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
42Crunch
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Matt Tesauro
 

Was ist angesagt? (20)

Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
Istio's mixer policy enforcement with custom adapters (cloud nativecon 17)
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
 
OAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep DiveOAuth & OpenID Connect Deep Dive
OAuth & OpenID Connect Deep Dive
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 
OPA open policy agent
OPA open policy agentOPA open policy agent
OPA open policy agent
 
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
FAPI (Financial-grade API) and CIBA (Client Initiated Backchannel Authenticat...
 
SIngle Sign On with Keycloak
SIngle Sign On with KeycloakSIngle Sign On with Keycloak
SIngle Sign On with Keycloak
 
OpenId Connect Protocol
OpenId Connect ProtocolOpenId Connect Protocol
OpenId Connect Protocol
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdfHacking and Defending APIs - Red and Blue make Purple.pdf
Hacking and Defending APIs - Red and Blue make Purple.pdf
 
Introduction to Kong API Gateway
Introduction to Kong API GatewayIntroduction to Kong API Gateway
Introduction to Kong API Gateway
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
Keycloak Single Sign-On
Keycloak Single Sign-OnKeycloak Single Sign-On
Keycloak Single Sign-On
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
 
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler WebinarKeycloak for Science Gateways - SGCI Technology Sampler Webinar
Keycloak for Science Gateways - SGCI Technology Sampler Webinar
 
OAuth
OAuthOAuth
OAuth
 
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API VulnerabilitiesBlack and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
Black and Blue APIs: Attacker's and Defender's View of API Vulnerabilities
 
AWS Builders - Industry Edition: DevSecOps on AWS - 시작은 IAM 부터
AWS Builders - Industry Edition: DevSecOps on AWS - 시작은 IAM 부터AWS Builders - Industry Edition: DevSecOps on AWS - 시작은 IAM 부터
AWS Builders - Industry Edition: DevSecOps on AWS - 시작은 IAM 부터
 
安全なID連携のハウツー
安全なID連携のハウツー安全なID連携のハウツー
安全なID連携のハウツー
 

Ähnlich wie OPA: The Cloud Native Policy Engine

How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
Torin Sandall
 
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocialIBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connections Developers
 
Joget Workflow v5 Training Slides - Module 18 - Integrating with External System
Joget Workflow v5 Training Slides - Module 18 - Integrating with External SystemJoget Workflow v5 Training Slides - Module 18 - Integrating with External System
Joget Workflow v5 Training Slides - Module 18 - Integrating with External System
Joget Workflow
 
Agile methodologies based on BDD and CI by Nikolai Shevchenko
Agile methodologies based on BDD and CI by Nikolai ShevchenkoAgile methodologies based on BDD and CI by Nikolai Shevchenko
Agile methodologies based on BDD and CI by Nikolai Shevchenko
Moldova ICT Summit
 
[Test bash manchester] contract testing in practice
[Test bash manchester] contract testing in practice[Test bash manchester] contract testing in practice
[Test bash manchester] contract testing in practice
Pierre Vincent
 
IBM Connections Activity Stream 3rd Party Integration - Social Connect VI - P...
IBM Connections Activity Stream 3rd Party Integration - Social Connect VI - P...IBM Connections Activity Stream 3rd Party Integration - Social Connect VI - P...
IBM Connections Activity Stream 3rd Party Integration - Social Connect VI - P...
James Gallagher
 
Chatting with HIpChat: APIs 101
Chatting with HIpChat: APIs 101Chatting with HIpChat: APIs 101
Chatting with HIpChat: APIs 101
colleenfry
 
OpenSocial Intro
OpenSocial IntroOpenSocial Intro
OpenSocial Intro
Pamela Fox
 

Ähnlich wie OPA: The Cloud Native Policy Engine (20)

How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their Cloud
 
Connect Intergration Patterns: A Case Study - Patrick Streule
Connect Intergration Patterns: A Case Study - Patrick StreuleConnect Intergration Patterns: A Case Study - Patrick Streule
Connect Intergration Patterns: A Case Study - Patrick Streule
 
JMP103 : Extending Your App Arsenal With OpenSocial
JMP103 : Extending Your App Arsenal With OpenSocialJMP103 : Extending Your App Arsenal With OpenSocial
JMP103 : Extending Your App Arsenal With OpenSocial
 
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocialIBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
 
Externalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services worldExternalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services world
 
Joget Workflow v5 Training Slides - Module 18 - Integrating with External System
Joget Workflow v5 Training Slides - Module 18 - Integrating with External SystemJoget Workflow v5 Training Slides - Module 18 - Integrating with External System
Joget Workflow v5 Training Slides - Module 18 - Integrating with External System
 
Agile methodologies based on BDD and CI by Nikolai Shevchenko
Agile methodologies based on BDD and CI by Nikolai ShevchenkoAgile methodologies based on BDD and CI by Nikolai Shevchenko
Agile methodologies based on BDD and CI by Nikolai Shevchenko
 
[Test bash manchester] contract testing in practice
[Test bash manchester] contract testing in practice[Test bash manchester] contract testing in practice
[Test bash manchester] contract testing in practice
 
The Open & Social Web - Kings of Code 2009
The Open & Social Web - Kings of Code 2009The Open & Social Web - Kings of Code 2009
The Open & Social Web - Kings of Code 2009
 
IBM Connections Activity Stream 3rd Party Integration - Social Connect VI - P...
IBM Connections Activity Stream 3rd Party Integration - Social Connect VI - P...IBM Connections Activity Stream 3rd Party Integration - Social Connect VI - P...
IBM Connections Activity Stream 3rd Party Integration - Social Connect VI - P...
 
Chatting with HIpChat: APIs 101
Chatting with HIpChat: APIs 101Chatting with HIpChat: APIs 101
Chatting with HIpChat: APIs 101
 
OpenSocial Intro
OpenSocial IntroOpenSocial Intro
OpenSocial Intro
 
Back to Basics, webinar 2: La tua prima applicazione MongoDB
Back to Basics, webinar 2: La tua prima applicazione MongoDBBack to Basics, webinar 2: La tua prima applicazione MongoDB
Back to Basics, webinar 2: La tua prima applicazione MongoDB
 
Chaos Engineering Kubernetes
Chaos Engineering KubernetesChaos Engineering Kubernetes
Chaos Engineering Kubernetes
 
PuppetDB: A Single Source for Storing Your Puppet Data - PUG NY
PuppetDB: A Single Source for Storing Your Puppet Data - PUG NYPuppetDB: A Single Source for Storing Your Puppet Data - PUG NY
PuppetDB: A Single Source for Storing Your Puppet Data - PUG NY
 
MongoDB in the Middle of a Hybrid Cloud and Polyglot Persistence Architecture
MongoDB in the Middle of a Hybrid Cloud and Polyglot Persistence ArchitectureMongoDB in the Middle of a Hybrid Cloud and Polyglot Persistence Architecture
MongoDB in the Middle of a Hybrid Cloud and Polyglot Persistence Architecture
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)
 
Supercharging your Organic CTR
Supercharging your Organic CTRSupercharging your Organic CTR
Supercharging your Organic CTR
 
The Enterprise Architecture you always wanted: A Billion Transactions Per Mon...
The Enterprise Architecture you always wanted: A Billion Transactions Per Mon...The Enterprise Architecture you always wanted: A Billion Transactions Per Mon...
The Enterprise Architecture you always wanted: A Billion Transactions Per Mon...
 
Documentation vs test about cucumber but not only for vegetarians
Documentation vs test about cucumber but not only for vegetariansDocumentation vs test about cucumber but not only for vegetarians
Documentation vs test about cucumber but not only for vegetarians
 

Kürzlich hochgeladen

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 

Kürzlich hochgeladen (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 

OPA: The Cloud Native Policy Engine

  • 2. @sometorin @OpenPolicyAgent Torin Sandall @sometorin ● Open Policy Agent co-founder and core contributor ● Istio and Kubernetes policy-related features ● ❤ good restaurants Copenhagen
  • 5. @sometorin @OpenPolicyAgent Policy decisions should be decoupled from policy enforcement.
  • 6. @sometorin @OpenPolicyAgent Treat policy as a separate concern. ...just like DB, messaging, monitoring, logging, orchestration, CI/CD...
  • 7. @sometorin @OpenPolicyAgent Gain better control and visibility over policy throughout your system.
  • 9. @sometorin @OpenPolicyAgent "QA must sign-off on images deployed to the production namespace." "Restrict ELB changes to senior SREs that are on-call." "Analysts can read client data but PII must be redacted." "Give developers SSH access to machines listed in JIRA tickets assigned to them."
  • 10. @sometorin @OpenPolicyAgent Policy enforcement is a fundamental problem for your organization.
  • 11. @sometorin @OpenPolicyAgent Tribal knowledge provides NO guarantee that policies are being enforced. "Tribal knowledge" is the know-how or collective wisdom of the organization.
  • 12. @sometorin @OpenPolicyAgent It is expensive and painful to maintain policy decisions that are hardcoded into the app.
  • 13. @sometorin @OpenPolicyAgent Service OPA Policy (rego) Data (json) OPA is an open source, general-purpose policy engine. Policy Query Policy Decision
  • 14. @sometorin @OpenPolicyAgent Decisions are decoupled from enforcement. Service OPA Policy (rego) Data (json) Policy Query Policy Decision Enforcement
  • 15. @sometorin @OpenPolicyAgent OPA is a host-local cache for policy decisions. Node Service OPA Node Service OPA
  • 16. @sometorin @OpenPolicyAgent Node Service OPA Node Service OPA Node Service Node Host Failures OPA Node Service Node Network Partitions OPA Network Network Fate Sharing ✔ Low latency ✔ High availability
  • 17. @sometorin @OpenPolicyAgent Service OPA Policy (rego) Data (json) Policy Query Policy Decision Policy and data are stored in-memory. No runtime dependencies during enforcement. Enforcement
  • 19. @sometorin @OpenPolicyAgent details service reviews service ratings service landing page service
  • 21. @sometorin @OpenPolicyAgent Demo: Authorization landingpage ratings details reviews Demo Policy "Employees can see their own reviews and the reviews of their subordinates." "Employees can see their own PII. HR can also see PII."
  • 22. @sometorin @OpenPolicyAgent Declarative Language (Rego) ● Is user X allowed to call operation Y on resource Z? ● Which annotations must be added to new Deployments? ● Which users can SSH into production machines?
  • 23. @sometorin @OpenPolicyAgent "Employees may read their own reviews and the reviews of their subordinates."
  • 24. @sometorin @OpenPolicyAgent "Employees may read their own reviews [...]"
  • 25. @sometorin @OpenPolicyAgent "Employees may read their own reviews [...]" Input {"method": "GET", "path": ["reviews", "bob"], "user": "bob"}
  • 26. @sometorin @OpenPolicyAgent "Employees may read their own reviews [...]" allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } Input {"method": "GET", "path": ["reviews", "bob"], "user": "bob"}
  • 27. @sometorin @OpenPolicyAgent allow = true { input.method = "GET" input.path = ["reviews", "bob"] input.user = "bob" } Input {"method": "GET", "path": ["reviews", "bob"], "user": "bob"} "Employees may read their own reviews [...]"
  • 28. @sometorin @OpenPolicyAgent allow = true { input.method = "GET" # OK input.path = ["reviews", "bob"] # OK input.user = "bob" # OK } Input {"method": "GET", "path": ["reviews", "bob"], "user": "bob"} "Employees may read their own reviews [...]"
  • 29. @sometorin @OpenPolicyAgent allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} "Employees may read their own reviews [...]" "alice" instead of "bob"
  • 30. @sometorin @OpenPolicyAgent allow = true { input.method = "GET" # OK input.path = ["reviews", "bob"] # OK "alice" = "bob" # FAIL } "Employees may read their own reviews [...]" Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} "alice" instead of "bob"
  • 31. @sometorin @OpenPolicyAgent allow = true { input.method = "GET" # OK input.path = ["reviews", "bob"] # OK "alice" = "bob" # FAIL } "Employees may read [...] the reviews of their subordinates." Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} "alice" instead of "bob"
  • 32. @sometorin @OpenPolicyAgent "Employees may read [...] the reviews of their subordinates." allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} Data (in-memory) {"manager_of": { "bob": "alice", "alice": "janet"}}
  • 33. @sometorin @OpenPolicyAgent "Employees may read [...] the reviews of their subordinates." allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = data.manager_of[employee_id] } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} Data (in-memory) {"manager_of": { "bob": "alice", "alice": "janet"}}
  • 34. @sometorin @OpenPolicyAgent "Employees may read [...] the reviews of their subordinates." allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } allow = true { input.method = "GET" input.path = ["reviews", "bob"] input.user = data.manager_of["bob"] } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} Data (in-memory) {"manager_of": { "bob": "alice", "alice": "janet"}}
  • 35. @sometorin @OpenPolicyAgent "Employees may read [...] the reviews of their subordinates." allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } allow = true { input.method = "GET" input.path = ["reviews", "bob"] input.user = "alice" } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} Data (in-memory) {"manager_of": { "bob": "alice", "alice": "janet"}}
  • 36. @sometorin @OpenPolicyAgent "Employees may read [...] the reviews of their subordinates." allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } allow = true { input.method = "GET" # OK input.path = ["reviews", "bob"] # OK input.user = "alice" # OK } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} Data (in-memory) {"manager_of": { "bob": "alice", "alice": "janet"}}
  • 39. @sometorin @OpenPolicyAgent RBAC is not enough. "QA must sign-off on images deployed to the production namespace." "Analysts can read client data but PII must be redacted." "Restrict employees from accessing the service outside of work hours." "Allow all HTTP requests from 10.1.2.0/24." "Restrict ELB changes to senior SREs that are on-call." "Give developers SSH access to machines listed in JIRA tickets assigned to them." "Prevent developers from running containers with privileged security contexts in the production namespace." "Workloads for euro-bank must be deployed on PCI-certified clusters in the EU."
  • 41. @sometorin @OpenPolicyAgent Implement RBAC with OPA. Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer
  • 42. @sometorin @OpenPolicyAgent Implement RBAC with OPA. Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer allow = true { # Find binding(s) for user. binding := data.bindings[_] input.user = binding.user
  • 43. @sometorin @OpenPolicyAgent Implement RBAC with OPA. Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer allow = true { # Find binding(s) for user. binding := data.bindings[_] input.user = binding.user # Find role(s) with permission. role := data.roles[_] input.resource = role.resource input.operation = role.operation
  • 44. @sometorin @OpenPolicyAgent Implement RBAC with OPA. Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer allow = true { # Find binding(s) for user. binding := data.bindings[_] input.user = binding.user # Find role(s) with permission. role := data.roles[_] input.resource = role.resource input.operation = role.operation # Check if binding matches role. role.name = binding.role }
  • 45. @sometorin @OpenPolicyAgent Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer Find bindings and roles that match input. This rule searches over the RBAC data. allow = true { # Find binding(s) for user. binding := data.bindings[_] input.user = binding.user # Find role(s) with permission. role := data.roles[_] input.resource = role.resource input.operation = role.operation # Check if binding matches role. role.name = binding.role }
  • 46. @sometorin @OpenPolicyAgent Partial Evaluation: rules + data ⇒ simplified rules allow = true { # Find binding(s) for user. binding := data.bindings[_] input.user = binding.user # Find role(s) with permission. role := data.roles[_] input.resource = role.resource input.operation = role.operation # Check if binding matches role. role.name = binding.role } Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer Partial Eval allow = true { input.user = "bob" input.resource = "/widgets" input.operation = "write" } allow = true { input.user = "alice" input.resource = "/widgets" input.operation = "read" }
  • 47. @sometorin @OpenPolicyAgent allow = true { ... } allow = true { ... } allow = true { ... } allow = true { ... } allow = true { ... } # Many rules (100s, 1000s) allow = true { input.user = "alice" input.resource = "/widgets" input.operation = "read" } OPA builds an index from simplified rules. input.resource input.operation input.user ... ... "read" "write" "/widgets" "alice" "bob" input.resource Rule Indexing Rule Rule
  • 48. @sometorin @OpenPolicyAgent OPA uses the index to quickly find applicable rules. input.resource input.operation input.user Rule ... ... Rule "read" "write" "/widgets" "alice" "bob" input.resource Query allow Input { "user": "alice", "resource": "/widgets", "operation": "read" }
  • 49. @sometorin @OpenPolicyAgent OPA only evaluates applicable rules. input.resource input.operation input.user Rule ... ... Rule "read" "write" "/widgets" "alice" "bob" input.resource allow = true { ... } allow = true { ... } allow = true { ... } allow = true { ... } allow = true { ... } # Many rules (100s, 1000s) allow = true { input.user = "alice" input.resource = "/widgets" input.operation = "read" } OPA ignores these.
  • 50. @sometorin @OpenPolicyAgent # Roles # Bindings Normal Eval (ms) With Partial Eval (ms) 250 250 5.50 0.0468 500 500 11.87 0.0591 1,000 1,000 21.64 0.0543 2,000 2,000 45.49 0.0624 blog.openpolicyagent.org Partial Evaluation https://goo.gl/X6Qu6u Rule Indexing https://goo.gl/uoSw3U
  • 51. @sometorin @OpenPolicyAgent "QA must sign-off on images deployed to the production namespace." "Restrict ELB changes to senior SREs that are on-call." "Analysts can read client data but PII must be redacted." "Give developers SSH access to machines listed in JIRA tickets assigned to them."
  • 52. @sometorin @OpenPolicyAgent Use OPA to enforce policy across the stack.
  • 53. @sometorin @OpenPolicyAgent It's all just data. deny { is_read_operation is_pii_topic not in_pii_consumer_whitelist } operation: Read resource: name: credit-scores resourceType: Topic session: principal: principalType: User name: CN=anon_producer,O=OPA clientAddress: 172.21.0.5 deny { not metadata.labels["qa-signoff"] metadata.namespace == "prod" spec.containers[_].privileged } metadata: name: nginx-149353-bvl8q namespace: production spec: containers: - image: nginx name: nginx securityContext: privileged: true nodeName: minikube allow { input.method = "GET" input.path = ["salary", user] input.user = user } method: GET path: /salary/bob service.source: namespace: production service: landing_page service.target: namespace: production service: details user: alice allow { score = risk_budget count(plan_names["aws_iam"]) == 0 blast_radius < 500 } aws_autoscaling_group.lamb: availability_zones#: '1' availability_zones.3205: us-west-1a desired_capacity: '4' launch_configuration: kitten wait_for_capacity_timeout: 10m aws_instance.puppy: ami: ami-09b4b74c instance_type: t2.micro
  • 54. @sometorin @OpenPolicyAgent ● Complex environment ○ >1,000 services ○ Many resource and identity types ○ Many protocols, languages, etc. ● Key requirements ○ Low latency ○ Flexible policies ○ Ability to capture intent ● Using OPA across the stack ○ HTTP and gRPC APIs ○ Kafka producers ○ SSH (coming soon) User Study: Netflix How Netflix is Solving Authorization Across Their Cloud (KubeCon US 2017)
  • 55. @sometorin @OpenPolicyAgent orchestrator API ssh app host container dbcloud 20+ companies using OPA. Financial institutions, service providers, IT companies, software vendors, etc. Used across the stack. Microservices, orchestration, provisioning, host daemons, data layer, security groups, etc. Bring more use cases. RBAC, ABAC, admission control, data protection, risk management, rate liming, auditing, etc.
  • 57. @sometorin @OpenPolicyAgent Policy decisions should be decoupled from policy enforcement.
  • 58. @sometorin @OpenPolicyAgent Try tutorials at openpolicyagent.org HTTP API Authorization Admission Control Risk Management SSH and sudoData Protection
  • 59. @sometorin @OpenPolicyAgent Leverage OPA to solve fundamental policy and security problems.