
Beyond Entitlements for the Cloud Native

A policy engine is a tool for checking user privileges and for evaluating a responsibility matrix from dynamic data about a given user. It is therefore more than an entitlement management system: it also evaluates functional conditions that yield deterministic responsibilities for a given user or actor.

This session shows how to use Open Policy Agent with Spring Boot and HOCON to build a responsibility management solution that scales to volume and performance needs.

Some hiccups faced while arriving at the most suitable solution are also highlighted, along with a short explanation of the tooling built for validating policy files in the IDE.

Chandra Guntur

August 05, 2020

Transcript

  1. Information Classification: Public
    Beyond Entitlements for Cloud Native
    Scalable Responsibility Management with Spring Boot and Open Policy Agent
    Chandra Guntur
    Bank of New York Mellon
    August 2020

  2. Disclosure
    BNY Mellon is the corporate brand of The Bank of New York Mellon Corporation and may be used as
    a generic term to reference the corporation as a whole and/or its various subsidiaries generally.
    Products and services may be provided under various brand names in various countries by duly
    authorized and regulated subsidiaries, affiliates, and joint ventures of The Bank of New York Mellon
    Corporation. Not all products and services are offered in all countries.
    BNY Mellon will not be responsible for updating any information contained within this material and
    opinions and information contained herein are subject to change without notice.
    BNY Mellon assumes no direct or consequential liability for any errors in or reliance upon this
    material. This material may not be reproduced or disseminated in any form without the express prior
    written permission of BNY Mellon.
    ©2020 The Bank of New York Mellon Corporation. All rights reserved.

  3. About :: Chandra Guntur
    • Technologist in the financial services industry since 2003; programming in Java since 1998.
    • Director and Sr. Principal Architect in Java Platform Engineering, BNY Mellon.
    • BNY Mellon representative on the Java Community Process (JCP) Executive Committee.
    • Java Champion
    • JUG Leader at NYJavaSIG (New York Java Special Interest Group) and NJ Java SIG.
    • Frequent speaker at Oracle CodeOne, Oracle Code NY, QCon New York, Devnexus and GIDS India.

  4. Agenda
    • Responsibility Management
    • Technology Choices
    • HOCON, Open Policy Agent, Spring Boot, Eclipse Collections
    • Architecture
    • Code Samples
    • OPA Policy Authoring Plugin for IntelliJ IDEA

  5. Responsibility Management for the Enterprise
    - A Rationale

  6. Responsibility Management System
    Scenarios

  7. Why Responsibility Management – Scenario 1: LDAP Group
    • Service A needs to know if a user is a member of an enterprise LDAP Group
    • Access may be granted based on membership.
    • Access may be denied based on membership.
    • Access may be granted based on lack of membership.
    • Access may be denied based on lack of membership.
    Then …
    • Service B needs to know if a user is a member of an enterprise LDAP Group
    Questions
    • How about Service/Application C, D or E ?
    • Who manages employees who move/leave/join the department/org/company
    (Movers/Leavers/Joiners)

  10. Why Responsibility Management – Scenario 2: Email/AD Group
    • Service M needs to know if a user is a member of an enterprise Email/AD Group
    • Access may be granted based on membership.
    • Access may be denied based on membership.
    • Access may be granted based on lack of membership.
    • Access may be denied based on lack of membership.
    Then …
    • Service N needs to know if a user is a member of an enterprise Email/AD Group
    Questions
    • How about Service/Application O, P or Q ?
    • Who manages employees who move/leave/join the department/org/company
    (Movers/Leavers/Joiners)

  12. Why Responsibility Management – Scenario 3
    More complex evaluations occur as well.
    Service X needs to check if all of the below are true for a user:
    • is member of LDAP Group 1
    • is not member of LDAP Group 2
    • is member of Email Group 1
    • is allowed to request an order of the amount USD 200,000
    • has at least two direct reports
    [Figure: LDAP Group 1, LDAP Group 2, Email Group 1, ≥ USD 200,000, Direct Reports]

  18. Why Responsibility Management – Scenario 3 - Continued
    [Figure: LDAP Group 1, LDAP Group 2, Email Group 1, ≥ USD 200,000, Direct Reports]
    Questions
    • What if each request is for different sets of groups and/or amounts?
    • What if other services have similar functional constraints with different values?
    • Where are such policies maintained, are they auditable and do they follow Config Management guidelines?
    • Who manages Mover/Leaver/Joiner employees?

  19. Why Responsibility Management – Scenario 4
    Service Y needs to check responsibility privileges for a user/subject:
    • in a given domain (Infra or Shared - service or tool)
    • for a given cost code identifier or org. business unit ($)
    • for a given environment (e.g. ‘PROD’, ‘QA’, ‘DEV’ …)
    • for a given action (e.g. EDIT, DELETE, CREATE …)
    • for a given resource (e.g. org.databases.prod.instance1.schema1)
    [Figure: Domain, organization, environment, action, resource]

  25. Why Responsibility Management – Scenario 4 - Continued
    [Figure: Domain, organization, environment, action, resource]
    Questions
    • What if each request is for different sets of values for the given domain?
    • What if other services have similar functional constraints with different values?
    • Who manages Role-Responsibility per domain and User-Role Mappings?
    • Who manages Mover/Leaver/Joiner employees?

  26. Responsibility Management System
    Common Solutions

  27. Responsibility Management – Common Solutions – For Data
    DATA - External Services / Persistence
    • LDAP/Active Directory queried by the application/service via direct connections.
    • User approver/manager queried via proprietary corporate directory services.
    • Role-Responsibility mappings usually stored in the domain's local persistence.
    • User-Role mappings usually stored in either local persistence or proprietary systems.

  28. Responsibility Management – Common Solutions – For Functions
    LOGIC - Calculations / Functions
    • Complex functions/calculations are coded into the application/service.
    • Newer applications/services may separate such logic into an independent microservice.
    • Some applications/services use embedded rule engines such as Drools.
    • Some applications/services use proprietary entitlement systems for evaluations.

  29. Responsibility Management Service
    A solution to manage dynamic privileges and entitlements

  30. Responsibility Management Cycle
    Responsibility Management is performed via policies.
    Policies have a lifecycle:
    • Policy Administration (Authoring & Storage)
    • Policy Distribution (Dissemination)
    • Policy Decision (Evaluation)
    • Policy Enforcement (Usage)
    • Policy Reconciliation (Maintenance)
    More detailed flow: Appendix

  31. Responsibility Management System (RMS) – The Right Solution
    A Responsibility Management System that:
    • federates the calls to LDAP, Active Directory, and other services as integrated services
    • provides appropriate mapping of roles and responsibilities, per domain
    • provides for user to role mapping, per organization per domain
    • provides proper SDLC and audit mechanism for policies per domain, to author and deploy
    . . .

  32. Responsibility Management System (RMS) – The Right Solution - Continued
    A Responsibility Management System that:
    • provides a built-in policy engine to evaluate complex calculations/functions using:
      • data provided as inputs by the service consumer
      • data queried from integrated services
      • policies provided by the domains
    • caters to applying mover/leaver/joiner logic to all controlled datasets
    • provides horizontal scaling and thus high availability for varying request volumes

  33. Before RMS
    [Figure: APP a, APP b, … APP m, APP n each embed their own App Logic plus their own LDAP Client, AD Client and User Svc Client against LDAP, AD and a User Svc; role data lives in per-app DBs, an Entitlement System (URM), a Roles System (RRM), a Custom Service or DROOLS]
    Patterns seen across the applications:
    • URM via service, RRM via persistence
    • URM via persistence, RRM via service
    • Custom Service for policies; URM via persistence, RRM via persistence; batch job to manage users
    • Drools rules for policies; URM via persistence, RRM via persistence
    Decentralized Policies. Auditing is per-app. Bespoke User Mgmt.
    RRM = Role Responsibility Mapping, URM = User Role Mapping

  35. Post-RMS visualized
    [Figure: APP a, APP b, … APP m, APP n keep their App Logic and DBs but call a single RMS through an RMS Client; RMS fronts LDAP, AD, the User Svc and a Role Service (RRM, URM) alongside the existing Custom Service, DROOLS, Entitlement System (URM) and Roles System (RRM); policies are held by RMS]
    Centralized Policies. Centralized Auditing. Centralized User Mgmt.
    RRM = Role Responsibility Mapping, URM = User Role Mapping

  37. Technologies Used
    Technology choices for building the Responsibility Management Service

  38. Payload format: HOCON: Use case
    A Case for using Human-Optimized Configuration Object Notation
    • Intent is to expose GET/POST operations.
    • POST operations allow a request body but do not support meaningful caching.
    • Policy decisions are queries (non-mutating), thus logically GET operations.
    • GET operations do not support a request body.
    • GET operations are subject to URL length limits; large parameter content is not possible.
    • JSON and individual query parameters are quite verbose.
    • HOCON* trims the parameter verbosity by a significant amount.
    * https://github.com/lightbend/config/blob/master/HOCON.md
    Caveat: query strings are routinely written to proxy and server logs, and a cached GET decision outlives any revocation made in the meantime, so keep secrets out of the parameter and bound the cache TTL to the revocation latency you can tolerate.

  39. Payload format: HOCON: Benefits
    Benefits of using Human-Optimized Configuration Object Notation
    HOCON (see link below)
    • syntax is quite simple and has low ambiguity.
    • is a superset of JSON; JSON is parsed properly by HOCON parsers.
    • allows the use of comments.
    • allows multi-line strings.
    • allows includes and substitutions.
    • has built-in durations (5d or 100ms).
    https://github.com/lightbend/config/blob/master/HOCON.md

  40. Payload format: HOCON: Features
    Human-Optimized Configuration Object Notation - using includes and substitutions
    generic.conf:
    {x: 10, y: ${x}, z: 5s}
    my.conf:
    {a : { include "generic.conf" } }
    Result (inclusion nests generic.conf under a; a substitution inside an included file is looked up first relative to the include point, here a.x, and only then at the root):
    a.x = 10
    a.y = 10
    a.z = 5s
    https://github.com/lightbend/config/blob/master/HOCON.md

  41. Payload format: HOCON: Comparing to JSON
    Human-Optimized Configuration Object Notation - sample comparisons to JSON
    Sample JSON:
    {
      "foo": {
        "bar": {
          "baz": "myvalue"
        }
      },
      "employee": {
        "firstname": "Jane",
        "lastname": "Doe",
        "nested": {
          "loginTimeoutInMilliSeconds": 5000
        },
        "fullname": "Jane Doe"
      },
      "standard-policy": {
        "developer": "yes",
        "operator": false
      }
    }
    Sample HOCON (the same document):
    foo.bar.baz: myvalue
    ---- Or ----
    foo { bar { baz: myvalue}}
    employee {
      firstname: "Jane"
      lastname: "Doe"
      nested {
        loginTimeout: 5s
      }
      fullname: ${employee.firstname} ${employee.lastname}
    }
    standard-policy {
      developer: "yes"
      operator: false
    }
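A worked example, added here and not part of the deck: a Python parser for the HOCON subset used on the two slides above (nested objects, dotted path keys, ${path} substitutions, value concatenation, durations, comments), run over the slides' own samples. Two deliberate choices matter when the text arrives in a request parameter: a substitution that does not resolve inside the document raises instead of falling back to environment variables or system properties (the HOCON spec allows that fallback and Lightbend Config's resolve() performs it by default), and include is not implemented at all. Durations are converted to milliseconds at parse time, a simplification of this toy rather than HOCON's behaviour; the function names are mine.

```python
import json, re

# HOCON subset: objects, ':'/'=' separators, dotted path keys, quoted and bare
# strings, ${path} substitutions, concatenation, '#'/'//' comments. No includes.
_TOKEN = re.compile(
    r'[ \t\r]+|(?:#|//)[^\n]*|(?P<nl>\n)|(?P<lbrace>\{)|(?P<rbrace>\})|(?P<sep>[:=])'
    r'|(?P<comma>,)|(?P<subst>\$\{[^}]*\})|(?P<quoted>"(?:[^"\\\n]|\\.)*")'
    r'|(?P<bare>[^\s{}:=,"$#]+)|(?P<bad>.)')
_UNIT_MS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000, "d": 86_400_000}

class Subst(str):
    """An unresolved ${path}; the string value is the dotted path."""

def _scalar(kind, text):
    if kind in ("quoted", "subst"):
        return json.loads(text) if kind == "quoted" else Subst(text[2:-1].strip())
    if text in ("true", "false"):
        return text == "true"
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    m = re.fullmatch(r"(\d+)(ms|s|m|h|d)", text)  # toy: "5s" -> 5000 at parse time
    return int(m.group(1)) * _UNIT_MS[m.group(2)] if m else text

def _assign(obj, path, value):
    for seg in path[:-1]:
        if not isinstance(obj.get(seg), dict):
            obj[seg] = {}
        obj = obj[seg]
    if isinstance(value, dict) and isinstance(obj.get(path[-1]), dict):
        for k, v in value.items():  # duplicate object keys deep-merge, as in HOCON
            _assign(obj[path[-1]], [k], v)
    else:
        obj[path[-1]] = value

def _resolve(value, root, seen=()):
    if isinstance(value, Subst):
        if value in seen:
            raise ValueError(f"cyclic substitution ${{{value}}}")
        node = root
        for seg in value.split("."):
            if not isinstance(node, dict) or seg not in node:
                # no env-var / system-property fallback, unlike Lightbend Config's resolve()
                raise KeyError(f"unresolved substitution ${{{value}}}")
            node = node[seg]
        return _resolve(node,root, seen + (value,))
    if isinstance(value, tuple):  # concatenation; inter-token whitespace normalised
        return " ".join(str(_resolve(p, root, seen)) for p in value)
    if isinstance(value, dict):
        for k, v in value.items():
            value[k] = _resolve(v, root, seen)
    return value

def parse(text):
    """Parse HOCON (or plain JSON, which is valid HOCON) into resolved dicts."""
    toks = [(m.lastgroup, m.group()) for m in _TOKEN.finditer(text) if m.lastgroup]
    bad = [tok for kind, tok in toks if kind == "bad"]
    if bad:
        raise ValueError(f"unexpected character {bad[0]!r}")
    toks, i = toks + [("eof", "")], 0
    def take():
        nonlocal i
        i += 1
        return toks[i - 1]
    def skip_breaks():
        nonlocal i
        while toks[i][0] in ("nl", "comma"):
            i += 1
    def parse_object(top_level=False):
        obj = {}
        while True:
            skip_breaks()
            kind, tok = toks[i]
            if kind in ("eof", "rbrace"):
                if (kind == "eof") != top_level:
                    raise ValueError("unbalanced braces")
                if kind == "rbrace":
                    take()
                return obj
            if kind not in ("quoted", "bare"):
                raise ValueError(f"expected a key, got {tok!r}")
            path = [json.loads(tok)] if kind == "quoted" else tok.split(".")
            take()
            if toks[i][0] == "sep":
                take()
            elif toks[i][0] != "lbrace":
                raise ValueError(f"missing ':' after key {'.'.join(path)}")
            _assign(obj, path, parse_value())
    def parse_value():
        if toks[i][0] == "lbrace":
            take()
            return parse_object()
        parts = []
        while toks[i][0] in ("quoted", "bare", "subst"):
            parts.append(_scalar(*take()))
        if not parts:
            raise ValueError("missing value")
        return parts[0] if len(parts) == 1 else tuple(parts)
    skip_breaks()
    wrapped = toks[i][0] == "lbrace"
    if wrapped:
        take()
    tree = parse_object(top_level=not wrapped)
    return _resolve(tree, tree)
```

With Lightbend Config itself the equivalent precaution for client-supplied text is to parse with ConfigFactory.parseString and resolve with ConfigResolveOptions.defaults().setUseSystemEnvironment(false), or to resolve only against a document the service controls.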

  42. Java Collections Library: Eclipse Collections
    Key highlights
    Eclipse Collections (see link below)
    • Rich, concise and readable APIs.
    • Clear mutable and immutable hierarchies for collection types.
    • Memory efficient containers.
    • Optimized eager APIs instead of the Java Collection Framework's lazy APIs.
    • Improved code readability.
    • Ease of learning thanks to several Code Katas.
    https://www.eclipse.org/collections/

  43. Policy Engine: Open Policy Agent
    Key highlights
    • Open Policy Agent (OPA) (see link below) is an open source, general purpose policy engine.
    • Uses Rego (inspired by Datalog) as its declarative policy/query language.
    • Policies are written as rules grouped in packages; a rule behaves like a function over input and data.
    • Policies are queried via RESTful POST operations.
    • Data and policies are published via RESTful PUT operations.
    • Can run as a (Go) library inside a service, as an independent daemon or as a sidecar.
    • Decision in RMS was to use OPA as a sidecar.
    https://www.openpolicyagent.org/

  44. Open Policy Agent: Usage Pattern
    [Figure: Service 1 sends Query + Data to the Open Policy Agent sidecar and receives a Decision]
    Data (data.json):
    [
      {
        "name": "bucket1",
        "clients": [
          {"name": "client1", "access": ["READ", "WRITE"]},
          {"name": "client2", "access": ["WRITE"]}
        ]
      },
      {
        "name": "bucket2",
        "clients": [
          {"name": "client1", "access": ["READ"]}
        ]
      }
    ]
    Policy (policy.rego):
    package domain1.policy1
    import data.domain1.policy1.buckets
    default allow = false
    allow {
      buckets[i].name == input.bucket
      buckets[i].clients[j].name == input.client
      buckets[i].clients[j].access[k] == input.access
    }
    Query Payload:
    {
      "input": {
        "bucket": "bucket2",
        "client": "client1",
        "access": "READ"
      }
    }
    Endpoint: http://localhost:8181/v1/data/domain1/policy1/allow
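The slide's exchange as an added example; this is not code from the deck or from the OPA project. It spells out the three REST calls a service makes to the sidecar (publish the data, publish the policy, ask for a decision), a fail-closed reader for the answer, and a Python oracle for the same rule that is handy in unit tests of the policy. Assumed: the policy id domain1-policy1, the localhost:8181 address from the slide, and that the sidecar's REST API, which OPA ships without authentication unless --authentication and an authorization policy are configured, is reachable only from inside the pod.

```python
import json
import urllib.request

OPA_URL = "http://localhost:8181"  # sidecar address used on the slide

# Constructed copies of the slide's data.json and policy.rego.
BUCKETS = [
    {"name": "bucket1", "clients": [{"name": "client1", "access": ["READ", "WRITE"]},
                                    {"name": "client2", "access": ["WRITE"]}]},
    {"name": "bucket2", "clients": [{"name": "client1", "access": ["READ"]}]},
]
POLICY_REGO = """package domain1.policy1

import data.domain1.policy1.buckets

default allow = false

allow {
    buckets[i].name == input.bucket
    buckets[i].clients[j].name == input.client
    buckets[i].clients[j].access[k] == input.access
}
"""

def decision_path(package, rule):
    """Rego package + rule name -> OPA Data API path, e.g. /v1/data/domain1/policy1/allow."""
    return "/v1/data/" + package.replace(".", "/") + "/" + rule

def allow_reference(buckets, inp):
    """Python rendering of the Rego rule: true iff some bucket/client/access triple matches.
    A test oracle for the policy; the sidecar remains the decision point at runtime."""
    return any(
        b["name"] == inp.get("bucket")
        and any(c["name"] == inp.get("client") and inp.get("access") in c["access"]
                for c in b["clients"])
        for b in buckets)

def decision_from_response(body):
    """Fail closed: only a JSON true under "result" is a permit. OPA answers {} with
    no "result" at all when the queried rule is undefined (e.g. no default rule)."""
    try:
        return json.loads(body).get("result") is True
    except (ValueError, AttributeError):
        return False

def build_requests(buckets, policy, inp):
    """The REST calls behind the slide: publish data, publish policy, request a decision."""
    return [
        ("PUT", f"{OPA_URL}/v1/data/domain1/policy1/buckets", "application/json",
         json.dumps(buckets)),
        ("PUT", f"{OPA_URL}/v1/policies/domain1-policy1", "text/plain", policy),
        ("POST", OPA_URL + decision_path("domain1.policy1", "allow"), "application/json",
         json.dumps({"input": inp})),
    ]

def send(method, url, content_type, body, timeout=2.0):
    req = urllib.request.Request(url, data=body.encode(), method=method,
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode()

if __name__ == "__main__":
    query = {"bucket": "bucket2", "client": "client1", "access": "READ"}
    print("reference decision:", allow_reference(BUCKETS, query))
    try:
        text = "{}"
        for method, url, ctype, body in build_requests(BUCKETS, POLICY_REGO, query):
            status, text = send(method, url, ctype, body)
            print(method, url, status)
        print("sidecar decision:", decision_from_response(text))
    except OSError as exc:  # no sidecar running locally
        print("OPA sidecar not reachable:", exc)
```

The PUT of the data goes to the same path the policy imports (data.domain1.policy1.buckets), which is what makes the import on the slide resolve; the POST path is derived mechanically from the package and rule names.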

  45. Architecting the Responsibility Management System
    A platform solution for Responsibility Management

  46. Responsibility Management System
    Architecture (Version 1)
    A Federated Responsibility Management Service

  47. RMS Architecture - Version 1: Federated
    [Figure: components and flows]
    Policy Setup Process, per domain (Domain 1, Domain 2, …): Dev → SCM → Build Server → Policy tar.gz (Domain 1 Policy 1, Domain 2 Policy 1, … Domain x Policy 1) → Rule Repository
    RMS Service (Responsibility Management): pulls the policies from the Rule Repository into Open Policy Agent
    Policy Information Points (PIPs): User Service, LDAP, AD, Role Service (RRM, URM)
    RMS Service Consumers: Service 1, Service 2, … Service x
    RRM = Role Responsibility Mapping, URM = User Role Mapping

  52. Federated Architecture: Issues Faced
    Key issues
    • Segregation and information-barrier needs implied more work.
    • A rogue policy script could lead to loss of service for all domains.
    • The RM Service became the gatekeeper for testing and coverage.
    • The RM Service had to establish a release-train model to pick up new policies.
    • Out-of-band policy changes led to intermittent service unavailability.
    • Observation: policy changes were most frequent when a new domain onboarded.

  53. Responsibility Management System
    Architecture (Version 2)
    A Distributed Responsibility Management Service

  54. RMS Architecture - Version 2: Distributed
    [Figure: components and flows]
    Policy Setup Process, per domain (Domain 1, Domain 2, …): Dev → SCM → Build Server → Policy tar.gz (Domain 1 Policy 1, Domain 2 Policy 1, … Domain x Policy 1) → Rule Repository
    Policy Administration Service (PAS): takes the policies from the Rule Repository and the Role/Resp. (RR) and User/Role (UR) Mappings from the Role Service, and publishes Policy Bundles (Policy + RR & UR Mappings) to a Policy Bundles Repository
    Policy Distribution Service (PDS): hands the Policy Bundles from the repository to the RMS Service
    RMS Service: evaluates policies, with Policy Information Points (PIPs): User Service, LDAP, AD, Role Service (RRM, URM)
    RMS Service Consumers: Service 1, Service 2, … Service x
    RRM = Role Responsibility Mapping, URM = User Role Mapping

  61. Information Classification: Public
    35
    RMS Architecture - Version 2: Distributed
    RMS Service Consumers
    Domain 1
    Dev
    SCM
    Build
    Server
    Policy Setup Process
    Domain 2
    Dev
    SCM
    Build
    Server
    . . .
    Domain 4
    Policy 1
    tar.gz
    Domain 3
    Policy 1
    tar.gz
    Domain 2
    Policy 1
    tar.gz
    Domain 1
    Policy 1
    Domain x
    Policy 1
    Domain 2
    Policy 1
    Rule
    Repository
    Policy
    Administration
    Service (PAS)
    Service 1
    . . .
    User
    Service
    LDAP
    AD
    RMS Service
    Policy
    Information
    Points (PIPs)
    Policy
    Distribution
    Service (PDS)
    Policy
    Bundles
    Repository
    Publish Policy
    Role/Resp., User/Role Mappings
    Role/Resp. (RR), User/Role (UR)
    Mappings
    Policy Bundles
    Policy + RR & UR Mappings
    Service 2 Service x
    RRM
    URM
    Role
    Service
    RRM
    URM
    Role Responsibility Mapping
    User Role Mapping

    View full-size slide

  62. Information Classification: Public
    35
    RMS Architecture - Version 2: Distributed
    RMS Service Consumers
    Domain 1
    Dev
    SCM
    Build
    Server
    Policy Setup Process
    Domain 2
    Dev
    SCM
    Build
    Server
    . . .
    Domain 4
    Policy 1
    tar.gz
    Domain 3
    Policy 1
    tar.gz
    Domain 2
    Policy 1
    tar.gz
    Domain 1
    Policy 1
    Domain x
    Policy 1
    Domain 2
    Policy 1
    Rule
    Repository
    Policy
    Administration
    Service (PAS)
    Service 1
    . . .
    User
    Service
    LDAP
    AD
    RMS Service
    Policy
    Information
    Points (PIPs)
    Policy
    Distribution
    Service (PDS)
    Policy
    Bundles
    Repository
    Publish Policy
    Role/Resp., User/Role Mappings
    Role/Resp. (RR), User/Role (UR)
    Mappings
    Policy Bundles
    Policy + RR & UR Mappings
    Service 2 Service x
    Open Policy
    Agent
    Open Policy
    Agent
    Open Policy
    Agent
    Sidecar Sidecar Sidecar
    RRM
    URM
    Role
    Service
    RRM
    URM
    Role Responsibility Mapping
    User Role Mapping

    View full-size slide

  63. Information Classification: Public
    35
    RMS Architecture - Version 2: Distributed
    RMS Service Consumers
    Domain 1
    Dev
    SCM
    Build
    Server
    Policy Setup Process
    Domain 2
    Dev
    SCM
    Build
    Server
    . . .
    Domain 4
    Policy 1
    tar.gz
    Domain 3
    Policy 1
    tar.gz
    Domain 2
    Policy 1
    tar.gz
    Domain 1
    Policy 1
    Domain x
    Policy 1
    Domain 2
    Policy 1
    Rule
    Repository
    Policy
    Administration
    Service (PAS)
    Service 1
    . . .
    User
    Service
    LDAP
    AD
    RMS Service
    Policy
    Information
    Points (PIPs)
    Policy
    Distribution
    Service (PDS)
    Policy
    Bundles
    Repository
    Publish Policy
    Role/Resp., User/Role Mappings
    Role/Resp. (RR), User/Role (UR)
    Mappings
    Policy Bundles
    Policy + RR & UR Mappings
    Service 2 Service x
    Open Policy
    Agent
    Open Policy
    Agent
    Open Policy
    Agent
    Policy Bundles
    Policy Reference Data
    Sidecar Sidecar Sidecar
    RRM
    URM
    Role
    Service
    RRM
    URM
    Role Responsibility Mapping
    User Role Mapping

    View full-size slide

  64. Benefits of a Distributed Policy Management Architecture
    Comparing Version 1 (federated single policy engine) with Version 2 (distributed policy engines)

    | Concern                               | V1 Federated Policy Engine          | V2 Distributed Policy Engine          |
    |---------------------------------------|-------------------------------------|---------------------------------------|
    | Segregation and information barriers  | Requires additional work            | Implicit, no additional work          |
    | Impact of a rogue policy script       | Outage for all domains              | Outage only for the specific domain   |
    | Gatekeeping for testing and coverage  | Requires RMS to be the gatekeeper   | Requires the domain to be the gatekeeper |
    | Strategy for new and updated policies | Needed a release-train model        | A domain can push policies on demand  |
    | Impact of ad-hoc policy changes       | RMS downtime for all domains        | RMS downtime for the changed domain   |
    | Implicit RBAC support                 | -                                   | Available                             |

  65. Policy Bundles Repository
    The policy bundles repository stores enriched policy archives.
    Enriched policy bundles are archives that contain:
    • Policy file(s), specific to the domain.
    • Policy static data, specific to the domain.
    • Standard RMS OPA policy rego files common across all domains.

  66. Policy Bundles Repository
    Folder structure in the policy bundles repository, one level each for domain, policy and version, with the enriched bundle archive as the leaf:
    - policyDomain
      - policyName
        - policyVersion
          - enriched-opa-bundle.tar.gz
    Example:
    - domain1
      - policy1
        - 1.0.0
          - enriched-opa-bundle.tar.gz

  67-68. RMS Architecture - Version 2: Distributed
    [The complete architecture diagram from slides 57-63, repeated in two builds: slide 67 shows the Policy Distribution Service (PDS) delivering Policy Bundles and Policy Reference Data to the Open Policy Agent sidecars; slide 68 adds back the Policy Bundles Repository behind the PDS, tying the diagram to the repository layout on slides 65-66.]

  69. Policy Agent: Setup
    • Open Policy Agent (the executable)
    • Open Policy Agent – Configuration
    • Open Policy Agent – Dockerfile command

  70. Policy Agent: Setup: Configuration Files
    OPA configuration file (located at ${configPath}); policyDistributionServiceUrl, policyDomain/policyName/policyVersion, minDelaySeconds and maxDelaySeconds are placeholders:
    services:
      - name: domainPolicies
        url: policyDistributionServiceUrl/
        # Turns off verification of the PDS server certificate. Anyone able to
        # intercept this connection can then serve a substitute bundle, which
        # is substitute policy. Keep it false outside local development and
        # make the PDS certificate (or its issuing CA) trusted instead.
        allow_insecure_tls: true
    # Single-bundle form of the OPA configuration: OPA fetches the bundle from
    # the service as bundles/policyDomain/policyName/policyVersion, which is
    # the path layout of the policy bundles repository, and re-polls it at an
    # interval between min_delay_seconds and max_delay_seconds.
    bundle:
      name: policyDomain/policyName/policyVersion
      service: domainPolicies
      polling:
        min_delay_seconds: minDelaySeconds
        max_delay_seconds: maxDelaySeconds
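The bundle name in this configuration is also a path into the policy bundles repository described on slide 66 (domain/policy/version/enriched-opa-bundle.tar.gz), so whatever serves the bundles, here the Policy Distribution Service, turns a client-supplied name into a file path. The following is an added example, not code from the talk or from RMS, of the validation that step needs: it parses the name into its three segments, rejects anything that is not a plain identifier, and checks that the resolved file stays under the repository root. The repository root, the segment syntax, the `/bundles/` request prefix used by OPA's bundle plugin and the function names are assumptions.

```python
"""Resolve an OPA bundle name to an archive in the policy bundles repository.

Added example, not code from the talk or from RMS. Assumptions: the repository
follows the slide 66 layout (domain/policy/version/enriched-opa-bundle.tar.gz),
and the Policy Distribution Service receives the bundle name exactly as the OPA
configuration states it (policyDomain/policyName/policyVersion), because OPA's
bundle plugin requests <service url>/bundles/<bundle name>.
"""
import re
from pathlib import Path
from typing import Tuple, Union

# Leaf file name, taken from the slide 66 example.
BUNDLE_FILE = "enriched-opa-bundle.tar.gz"

# Prefix under which OPA requests a bundle from a configured service.
BUNDLE_URL_PREFIX = "/bundles/"

# Assumed segment syntax: a letter or digit, then letters, digits, dot,
# underscore or hyphen, at most 64 characters. "." and ".." start with a dot
# and "/" and "\\" are outside the class, so no segment can traverse.
_SEGMENT = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


class BundleNameError(ValueError):
    """The bundle name does not have the domain/policy/version shape."""


def parse_bundle_name(name: str) -> Tuple[str, str, str]:
    """Split 'policyDomain/policyName/policyVersion' into its three segments.

    Extra or missing segments, leading slashes, empty segments, ".." and
    percent-encoded separators are all rejected before any filesystem access.
    """
    if not isinstance(name, str) or name != name.strip():
        raise BundleNameError("bundle name must be a trimmed string")
    parts = name.split("/")
    if len(parts) != 3:
        raise BundleNameError(f"expected domain/policy/version, got {name!r}")
    for part in parts:
        if not _SEGMENT.fullmatch(part):
            raise BundleNameError(f"invalid bundle name segment {part!r}")
    domain, policy, version = parts
    return domain, policy, version


def bundle_name_from_request_path(path: str) -> str:
    """Strip the /bundles/ prefix OPA puts in front of the bundle name."""
    if not path.startswith(BUNDLE_URL_PREFIX):
        raise BundleNameError(f"not a bundle request: {path!r}")
    return path[len(BUNDLE_URL_PREFIX):]


def resolve_bundle_path(repo_root: Union[str, Path], name: str) -> Path:
    """Map a validated bundle name to its archive inside repo_root.

    The containment check is defence in depth: even if _SEGMENT is loosened
    later, a path outside the repository root is never returned.
    """
    root = Path(repo_root).resolve()
    domain, policy, version = parse_bundle_name(name)
    candidate = (root / domain / policy / version / BUNDLE_FILE).resolve()
    if root not in candidate.parents:
        raise BundleNameError("resolved path escapes the repository root")
    return candidate


def is_valid_bundle_name(name: str) -> bool:
    """True when parse_bundle_name accepts the name."""
    try:
        parse_bundle_name(name)
    except BundleNameError:
        return False
    return True


if __name__ == "__main__":
    # Constructed request: what the configuration above makes the agent fetch.
    request = "/bundles/domain1/policy1/1.0.0"
    print(resolve_bundle_path("/srv/policy-bundles",
                              bundle_name_from_request_path(request)))
```

Run with `python3 bundle_path.py` (file name assumed). Rejecting bad segments up front gives a clear error to the caller; the `parents` check behind it is what stops a later, looser pattern from turning the PDS into an arbitrary file read.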

  71. Policy Agent: Setup: Dockerfile Commands
    OPA launch command (used in the Dockerfile); --server starts OPA as a daemon serving its REST API and -c points it at the configuration file above:
    exec ./opa run --server --log-level=debug -c ${configPath}

  72. RBAC Policy Library
    Application Policy and Sample Role Data Excerpts

    rbac.rego (standard RMS library, common to all domains):
    package rbac

    # True when some role the user belongs to carries a responsibility that
    # covers the resource and lists the action. roles, does_resource_match
    # and the body of is_user_a_member are not shown on the slide.
    user_has_responsibility(userId, action, resource) {
        role := roles[_]
        responsibility := role.responsibilities[_]
        does_resource_match(resource, responsibility)
        responsibility.actions[_] = action
        is_user_a_member(userId, role)
    }

    is_user_a_member(userId, role) {
        ...
    }

    policy.rego (application policy, specific to the domain):
    package application1

    # Deny by default; allow only when the library proves a responsibility.
    default allow = false

    allow {
        data.rbac.user_has_responsibility(input.userid, input.action, input.service)
    }

    data1.json:
    {
      "name": "App User",
      "responsibilities": [
        { "resource": "service.1", "actions": ["provision"] },
        { "resource": "service.2", "actions": ["provision"] }
      ],
      "members": ["EVERYONE"]
    }

    data2.json:
    {
      "name": "App Admin",
      "responsibilities": [
        { "resource": "regexp:service\\..*", "actions": ["create", "update", "delete", "view"] }
      ],
      "members": ["org:abc"]
    }
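The Rego on this slide is a conjunction over the role data: some role, some responsibility of it whose resource matches, whose actions list the requested action, and of which the user is a member. The following is an added example, not the talk's or RMS's code, that models that evaluation in Python over a constructed copy of the role data so the decision can be traced and tested offline. Because the slide does not show does_resource_match, the body of is_user_a_member or where roles are loaded from, the matching semantics (exact string, or an anchored regular expression after "regexp:"; members "EVERYONE", "org:<org>" checked against a user directory, or a literal user id), the USERS directory and the allow() wrapper are assumptions.

```python
"""Reference model of the rbac.rego evaluation from the slide, in Python.

Added example, not the talk's or RMS's code. The slide leaves out
does_resource_match, the body of is_user_a_member and the source of roles, so
the following are assumptions: a responsibility's resource is an exact string
unless it starts with "regexp:", in which case the rest is a regular expression
that must match the whole resource name; a member entry is "EVERYONE",
"org:<org>" (compared with the user's org attribute from the user directory)
or a literal user id.
"""
import re
from typing import Dict, List

# Constructed copy of the role data excerpts (data1.json, data2.json).
ROLES: List[dict] = [
    {
        "name": "App User",
        "responsibilities": [
            {"resource": "service.1", "actions": ["provision"]},
            {"resource": "service.2", "actions": ["provision"]},
        ],
        "members": ["EVERYONE"],
    },
    {
        "name": "App Admin",
        "responsibilities": [
            {
                "resource": "regexp:service\\..*",
                "actions": ["create", "update", "delete", "view"],
            }
        ],
        "members": ["org:abc"],
    },
]

# Constructed stand-in for the User Service PIP (LDAP/AD): user id -> attributes.
USERS: Dict[str, dict] = {
    "alice": {"org": "abc"},
    "bob": {"org": "xyz"},
}

REGEXP_PREFIX = "regexp:"
ORG_PREFIX = "org:"


def does_resource_match(resource: str, responsibility: dict) -> bool:
    """Exact match, or an anchored regular expression after 'regexp:'.

    fullmatch() rather than match() or search(): match() anchors only the
    start, so a pattern such as 'service\\.1' would also cover 'service.10';
    requiring the whole name to match keeps a regex from granting more than
    its author wrote.
    """
    pattern = responsibility["resource"]
    if pattern.startswith(REGEXP_PREFIX):
        return re.fullmatch(pattern[len(REGEXP_PREFIX):], resource) is not None
    return pattern == resource


def is_user_a_member(user_id: str, role: dict,
                     users: Dict[str, dict] = USERS) -> bool:
    """EVERYONE, org:<org> against the user's org attribute, or a literal id.

    EVERYONE matches any user id, known to the directory or not, so the
    enforcement point must have authenticated the caller before asking.
    """
    attrs = users.get(user_id, {})
    for member in role["members"]:
        if member == "EVERYONE":
            return True
        if member.startswith(ORG_PREFIX):
            if attrs.get("org") == member[len(ORG_PREFIX):]:
                return True
        elif member == user_id:
            return True
    return False


def user_has_responsibility(user_id: str, action: str, resource: str,
                            roles: List[dict] = ROLES,
                            users: Dict[str, dict] = USERS) -> bool:
    """Same conjunction as rbac.user_has_responsibility: some role, some
    responsibility of it, resource matches, action listed, user is a member."""
    for role in roles:
        for responsibility in role["responsibilities"]:
            if (does_resource_match(resource, responsibility)
                    and action in responsibility["actions"]
                    and is_user_a_member(user_id, role, users)):
                return True
    return False


def allow(inp: dict, roles: List[dict] = ROLES,
          users: Dict[str, dict] = USERS) -> bool:
    """application1.allow: deny by default. A missing input field is a deny,
    just as an undefined rule body falls back to `default allow = false`."""
    try:
        return user_has_responsibility(inp["userid"], inp["action"],
                                       inp["service"], roles, users)
    except KeyError:
        return False


if __name__ == "__main__":
    for query in ({"userid": "bob", "action": "provision", "service": "service.1"},
                  {"userid": "bob", "action": "delete", "service": "service.1"},
                  {"userid": "alice", "action": "delete", "service": "service.7"},
                  {"userid": "alice", "action": "delete", "service": "services.7"}):
        print(query, "->", allow(query))
```

Two points the slide alone does not make explicit: the regular expression is applied with fullmatch, so a pattern such as service\.1 cannot silently cover service.10; and "EVERYONE" grants to any user id whatsoever, so the policy only means what it says when the enforcement point has already authenticated the caller. A query with a missing field is denied rather than raising, which is what `default allow = false` gives the Rego version.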

  73. OPA IntelliJ Plugin
    A development tool for authoring Open Policy Agent files

  74. Open Policy Agent: IntelliJ Plugin
    • The OPA IntelliJ Plugin is a functional, work-in-progress policy editor.
    • The editor parses and validates OPA policy.
    • It relies on the OPA language reference linked below.
    • It can be customized through the IntelliJ editor color schemes.
    • Work continues on indentation, run configurations and variable tracking.
    https://www.openpolicyagent.org/docs/latest/language-reference/

  75. Open Policy Agent: IntelliJ Plugin: Before and After
    [Screenshot]

  76. Open Policy Agent: IntelliJ Plugin: Syntax Validation
    [Screenshot]

  77. Open Policy Agent: IntelliJ Plugin: Syntax Validation - Continued
    [Screenshot]

  78. Open Policy Agent: IntelliJ Plugin: Settings
    Select
    • Preferences
      – Editor
        > Color Scheme
          ▪ Open Policy Agent

  79. Summary
    • Responsibility Management as a Service can resolve issues on several fronts.
    • Choice of a payload format (HOCON over JSON or XML) can help control verbosity.
    • Choice of architecture (federated versus distributed) can help determine resilience.
    • Distributed policy engines can alleviate back-pressure and volume demands.
    • Distributed policy engines can reduce outages and maintenance-related downtimes.
    • Creating a policy editor plugin can help boost productivity.

  80. Links
    • HOCON
      https://github.com/lightbend/config/blob/master/HOCON.md
    • Eclipse Collections
      https://www.eclipse.org/collections/
    • Open Policy Agent
      https://www.openpolicyagent.org/

  81. ?

  82. Appendix: Responsibility Management Cycle
    [Cycle diagram with numbered stages 1-3. Edge labels: Enterprise Roles and Responsibilities, Policy Authoring, Policy & Static Data, User/App/Service Input Data, Policy Access Review/Certification, Reference Data, Updated Reference Data, Access Fulfillment, Privileged Business Functions. Components as labelled:]
    Policy Administration Point
    • Policy Authoring
    • Policy Storage
    • Policy Audit/Report
    Policy Distribution Point
    • Policy Bundling
    • Policy Distribution
    Policy Evaluation Point
    • Policy Procurement
    • Policy Evaluation
    Policy Enforcement Point
    • Policy Invocation
    • Policy Application
    • Policy Dynamic Inputs
    Policy Information Point
    • Policy Reference Data
    • Policy Entitlements
    • Policy Identities
    Access Reconciliation Review & Certification
    • Entitlements Discovery
    • Access Reconciliation
    • Access Certification
    Managed Provisioning
    • Workflows
    • Downstream Fulfillment
    Back to referrer slide: Slide 15