
Introduction to Open Policy Agent: Toward Policy as Code / introduction-to-open-policy-agent

Kurochan
September 16, 2021


Slides presented at CA BASE CAMP 2021, CyberAgent's in-house engineering conference.


Transcript

  1. CyberAgent, Inc., AI Division. Introduction to Open Policy Agent: Toward Policy as Code. Yuta Kurosaki

  2. Yuta Kurosaki
     • Joined as a new graduate in FY2015
     • AI Division, DX Division, App Operations Center
     • @kurochan @kuro_m88
     • Lead for platform technology
     • 🆕 CyberAgent CTO Office, #times_kurochan
  3. What this talk covers
     • An introduction to the software called Open Policy Agent
     • OPA is usually introduced in the context of authorization; this talk steps back a little and looks at it from the viewpoint of "policy"
     • The App Operations Center plans to adopt it, so the use cases we have in mind are covered as well
  4. 1. What Open Policy Agent is
     2. Policy as Code
     3. How to use Open Policy Agent
     4. Where to use Open Policy Agent
     5. Plans for adopting Open Policy Agent in the App Operations Center
  5. What is Open Policy Agent?

  6. What is Open Policy Agent?
     • A lightweight, general-purpose "policy engine"
     • Can run as a standalone process, or be embedded in a service as a library
     • Also supports WebAssembly
     • Usually abbreviated as OPA
     • Applies policies to a query and produces a result
     • Policies are written in a language called Rego
  7. What is a "policy"?
     • A set of rules
     • Comparing the input against conditions
     • Things that change dynamically, like a rate limit
     • Combinations of the above
     • In the end, some kind of decision is made
  8. What it means to separate out the policy engine
     • Implementing a policy is hard
     • Can you implement it correctly...?
     • For a complex policy you want to test the behaviour of the policy itself
     • This talk shows that a "policy engine" is a component that can be applied to many different use cases

  9. Policy as Code

  10. Policy as Code
     • "XXX as Code", like Infrastructure as Code
     • A policy itself embodies important knowledge: the system's technical constraints, its security requirements, and so on
     • Defining it as a standalone policy, rather than burying it in application code, also keeps that knowledge from becoming tacit
  11. Rego
     • A language for writing policies
     • Structured: it can model hierarchical data
     • Handles JSON-like structures
     • The result of applying a policy can likewise be an arbitrary data structure
     • Input and output structures are largely up to you
     • A rich set of conditions and functions
  12. Rego syntax examples
     • This only gives a flavour
     • See the official documentation for the exact syntax: https://www.openpolicyagent.org/docs/latest/policy-language/

  13. Rego syntax example: variables

  14. Rego syntax example: objects

  15. Rego syntax example: rules

  16. Rego syntax example: rules (continued)

  17. Rego syntax example: conditions
     • Arithmetic, equality, inequality, bitwise operators and so on are of course defined, but all of them are treated as built-in functions

  18. Rego syntax example: built-in functions
     • Bitwise operations, set operations, regular expressions, string manipulation
     • Base64, URL, JSON/YAML, UUID
     • Time
     • Graphs
     • Networking
     • Tokens (JWT and the like)
     • Many other convenient functions come out of the box
  19. A simple example
     • Authorizing an HTTP request
     • User "alice" may send a GET request to /hello
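The slides for the syntax examples and for this "alice may GET /hello" case were images, so here is an added example written for this page (not taken from the talk) that puts the listed constructs together: a variable bound to an object, a deny-by-default rule, two `allow` rules with conditions, built-in functions, and a partial-set rule. The package name, the `grants` table and the profile rule are my own; `import rego.v1` assumes OPA 0.59 or newer.

```rego
package httpapi.authz

import rego.v1

# Deny by default: `allow` is false unless one of the allow rules below succeeds.
default allow := false

# A variable bound to an object literal. Constructed sample data for this
# example; in a real deployment it would be loaded under data.* instead.
grants := {
    "alice": [{"method": "GET", "path": "/hello"}],
    "bob": [
        {"method": "GET", "path": "/hello"},
        {"method": "POST", "path": "/hello"},
    ],
}

# Rule 1: the caller holds a grant that matches the request exactly.
# This covers the slide's case: user "alice" may GET /hello.
allow if {
    some grant in grants[input.user]
    grant.method == input.method
    grant.path == input.path
}

# Rule 2, using built-in functions: any user may read their own profile,
# i.e. GET /users/<name> only when <name> equals the authenticated user.
allow if {
    input.method == "GET"
    parts := split(trim_prefix(input.path, "/"), "/") # "/users/alice" -> ["users", "alice"]
    count(parts) == 2
    parts[0] == "users"
    parts[1] == input.user
}

# A partial-set rule: collects the reasons a request is refused, so a caller
# can query data.httpapi.authz.reasons instead of only a bare boolean.
reasons contains "request carries no user" if {
    not input.user
}

reasons contains msg if {
    input.user
    not allow
    msg := sprintf("%s %s is not granted to %s", [input.method, input.path, input.user])
}
```

Evaluate it locally with `opa eval -d authz.rego -i input.json 'data.httpapi.authz.allow'`, where input.json is `{"user": "alice", "method": "GET", "path": "/hello"}` (allowed), or paste it into the Rego Playground linked on the next slide. Changing the method to DELETE yields `false`, and `data.httpapi.authz.reasons` then explains why.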

  20. The Rego Playground
     • Handy for writing and trying out Rego in the browser: https://play.openpolicyagent.org/

  21. Testable
     • You can write tests!

  23. How to use Open Policy Agent

  24. REST API

  25. An API with authorization built in
     • Authentication and authorization
     • Authentication: identifying "who" the caller is
     • Authorization: deciding "what" they can (and cannot) do
  26. Let's implement RBAC

  27. External Data
     • In the examples so far, the equivalents of user_roles and role_permissions are fixed
     • In real use you want them to change dynamically and to grow and shrink
     • A mechanism for fetching the information a policy evaluation needs from outside

  28. Embedding it in the request
     • The sender of the request attaches the extra information
     • Of course this only works if the values sent can be trusted
     • Either assume they are trustworthy, or verify a signed value such as a JWT before using it
     https://www.openpolicyagent.org/docs/latest/external-data/

  29. Handing data to OPA (push)
     • Push every time the external source is updated
     • Missed syncs and lag could be scary
     • Not suitable for very large data sets
     https://www.openpolicyagent.org/docs/latest/external-data/

  30. Having OPA fetch data (pull)
     • OPA can call an external API dynamically (B)
     • OPA's response time increases
     • Looks like the most flexible way to integrate
     https://www.openpolicyagent.org/docs/latest/external-data/

  31. Testing

  32. Tests
     • Put the test files in the same directory as the policies
     • Rules whose names start with "test_" are evaluated, and those are the tests
     • Run them with the opa test command
     • Coverage measurement is also available

  33. Mocking values
     • The with keyword lets you replace a value
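An added example for slides 26 through 33 (written for this page, not the talk's own code): the RBAC policy reads `data.user_roles` and `data.role_permissions`, so the tables can be replaced through a bundle or `PUT /v1/data/...` without touching the policy, and the accompanying test file uses `with` to mock both `input` and `data.*`. The package names, data layout and sample tables are my own assumptions; `input.user` is assumed to have been authenticated already (by an IdP, as a later slide puts it) before the query reaches OPA.

```rego
# ---- rbac.rego ----
package rbac.authz

import rego.v1

default allow := false

# Roles and permissions are NOT hard-coded: they come from data.*, which OPA
# loads from a bundle or receives by push. Assumed shape:
#   data.user_roles:       {"alice": ["engineering"], ...}
#   data.role_permissions: {"engineering": [{"action": "read", "resource": "server"}], ...}
allow if {
    some role in data.user_roles[input.user]
    some perm in data.role_permissions[role]
    perm.action == input.action
    perm.resource == input.resource
}

# ---- rbac_test.rego (separate file, same directory) ----
package rbac.authz_test

import rego.v1

import data.rbac.authz

# Constructed fixtures. `with` swaps them in for data.* for the duration of
# one expression, so the tests are independent of whatever data is loaded.
roles := {"alice": ["engineering"], "bob": ["billing"]}

perms := {
    "engineering": [{"action": "read", "resource": "server"}],
    "billing": [
        {"action": "read", "resource": "invoice"},
        {"action": "write", "resource": "invoice"},
    ],
}

test_engineer_can_read_servers if {
    authz.allow with input as {"user": "alice", "action": "read", "resource": "server"}
        with data.user_roles as roles
        with data.role_permissions as perms
}

test_engineer_cannot_write_invoices if {
    not authz.allow with input as {"user": "alice", "action": "write", "resource": "invoice"}
        with data.user_roles as roles
        with data.role_permissions as perms
}

# Fail-closed check: a principal with no role entry gets nothing.
test_unknown_user_denied if {
    not authz.allow with input as {"user": "mallory", "action": "read", "resource": "server"}
        with data.user_roles as roles
        with data.role_permissions as perms
}
```

Run `opa test -v .` in that directory; `opa test --coverage .` reports which rule bodies the tests exercised. Keeping the negative cases (wrong action, unknown user) is what makes the test file worth having: the positive case alone would also pass against a policy that always allows.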

  34. Where to use Open Policy Agent

  35. Where to use Open Policy Agent
     • My impression is that it is most often introduced in the context of Kubernetes access control
     • This talk focuses on other uses

  36. Envoy

  37. What is Envoy? https://speakerdeck.com/kurochan/ru-men-envoy

  38. What is Envoy?
     • An open-source L4/L7 proxy
     • Built for "modern service-oriented architectures"
     • Developed with the goal of being a "universal data plane"
     • High performance, highly extensible, and controllable through an API
     https://www.envoyproxy.io/docs/envoy/latest/intro/what_is_envoy

  39. Envoy integration
     • Combining Envoy with OPA gives you a gateway with authorization built in
     https://www.openpolicyagent.org/docs/latest/envoy-introduction/

  40. Envoy integration
     • Combining Envoy with OPA gives you a gateway with authorization built in
     • Only authorized traffic gets through
     • The application servers behind it become simpler to implement

  41. Terraform

  42. Applying policy to Terraform?
     • The OPA documentation's Terraform example defines a package called terraform.analysis
     • You can check whether the result of terraform plan is what you intended
     • Built into CI, it becomes a check that prevents accidents
     • Examples
       • Have IAM settings been changed inadvertently?
       • Context such as "OK if the person running it is an administrator" could be added as well
       • Are more changes than some threshold being made at once?
       • Could protect an environment from being destroyed by mistake
  43. Example of Terraform integration
     • Apply a policy to the output of terraform plan
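An added example of the checks slide 42 lists (my own code, not the talk's and not the OPA documentation's example). It assumes the CI job wraps the plan as `{"actor": {"name": ..., "admin": true|false}, "plan": <output of terraform show -json tfplan>}`; the `resource_changes[].type`, `.address` and `.change.actions` fields are Terraform's documented plan schema, while the thresholds, the resource-type lists and the actor field are constructed for this example.

```rego
package terraform.analysis

import rego.v1

# Tunables (constructed): blast-radius limit and the resource types that get
# special treatment.
max_changes := 10

iam_types := {
    "aws_iam_role", "aws_iam_policy", "aws_iam_user",
    "aws_iam_role_policy", "aws_iam_role_policy_attachment",
    "aws_iam_user_policy_attachment",
}

stateful_types := {"aws_db_instance", "aws_s3_bucket", "aws_dynamodb_table"}

# Fail closed: a plan with no resource_changes at all is not "authorized",
# it is malformed input.
default authorized := false

authorized if {
    input.plan.resource_changes
    count(deny) == 0
}

# Every resource whose planned action is anything other than a no-op.
changed contains rc if {
    some rc in input.plan.resource_changes
    rc.change.actions != ["no-op"]
}

iam_changed contains rc.address if {
    some rc in changed
    rc.type in iam_types
}

# IAM changes are allowed only when an administrator runs the apply.
deny contains msg if {
    count(iam_changed) > 0
    not input.actor.admin
    msg := sprintf("IAM resources %v change but %v is not an administrator", [iam_changed, input.actor.name])
}

# Blast-radius check: too many resources touched in one apply.
deny contains msg if {
    count(changed) > max_changes
    msg := sprintf("%v resources change in one apply (limit %v)", [count(changed), max_changes])
}

# Destroying a stateful resource is refused outright; "delete" also appears in
# the ["delete", "create"] replace action, which this catches as well.
deny contains msg if {
    some rc in changed
    "delete" in rc.change.actions
    rc.type in stateful_types
    msg := sprintf("refusing to destroy stateful resource %v", [rc.address])
}
```

In CI: `terraform plan -out=tfplan && terraform show -json tfplan > plan.json`, build input.json from plan.json plus the actor, then `opa eval --fail-defined -d plan.rego -i input.json 'data.terraform.analysis.deny'` so the job fails whenever `deny` is non-empty and prints the messages.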

  44. Log monitoring

  45. What happens if you apply policy to logs?
     • Things commonly done in log monitoring
       • Counting errors
       • Detecting anomalous values
       • Monitoring logs against complex conditions
         • Unauthorized access from particular IP addresses
         • Changes to an S3 bucket's visibility settings
         • and so on
     • Couldn't OPA detect those...?
     • Beyond making a decision, it can also be used to detect activity that matches specific conditions!
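An added example (written for this page, not from the talk) of the three monitoring tasks on slide 45 expressed as Rego: error counting per principal, access from a blocked IP range, and an S3 bucket being made public. The input is assumed to be a batch `{"events": [...]}` of CloudTrail-style records; the field names follow CloudTrail, but the blocked ranges, the threshold and any sample events are constructed.

```rego
package logs.detect

import rego.v1

# Assumed record shape (CloudTrail-like):
#   {"eventID", "eventSource", "eventName", "sourceIPAddress", "errorCode",
#    "userIdentity": {"userName"}, "requestParameters": {...}}

# Source ranges from which no API call is ever expected (constructed; TEST-NET).
blocked_cidrs := {"203.0.113.0/24", "198.51.100.0/24"}

# Granting to either group URI makes an S3 bucket world-readable.
public_groups := {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# AccessDenied errors one principal may accumulate per batch (constructed).
max_denied := 5

# 1) Access from a blocked range. net.cidr_contains is an OPA built-in.
alert contains {"rule": "blocked_source", "event": e.eventID, "ip": e.sourceIPAddress} if {
    some e in input.events
    some cidr in blocked_cidrs
    net.cidr_contains(cidr, e.sourceIPAddress)
}

# 2) S3 visibility change: PutBucketAcl that grants to a public group.
alert contains {"rule": "s3_public_acl", "event": e.eventID, "bucket": e.requestParameters.bucketName} if {
    some e in input.events
    e.eventSource == "s3.amazonaws.com"
    e.eventName == "PutBucketAcl"
    some grant in e.requestParameters.AccessControlPolicy.AccessControlList.Grant
    grant.Grantee.URI in public_groups
}

# 3) Error counting per principal, then a burst alert above the threshold.
principals := {e.userIdentity.userName | some e in input.events}

denied_count[user] := n if {
    some user in principals
    n := count([e |
        some e in input.events
        e.userIdentity.userName == user
        e.errorCode == "AccessDenied"
    ])
}

alert contains {"rule": "access_denied_burst", "user": user, "count": n} if {
    some user, n in denied_count
    n > max_denied
}
```

Query `data.logs.detect.alert` over each batch (via the REST API or `opa eval -i batch.json`); an empty set means nothing matched. Because records that lack a field simply fail to match, an event without `errorCode` or `userIdentity.userName` is skipped rather than raising an error, which is the behaviour you want when log shapes vary.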
  46. Customization

  47. What we have learned so far
     • Open Policy Agent is a highly general-purpose component: it applies a policy to arbitrary input and returns the result
     • So how do you embed Open Policy Agent into a service?
  48. REST API
     • POST the input as JSON and the response comes back as JSON

  49. Go API
     • It can be called as a Go library

  50. Ideas for adopting Open Policy Agent in the App Operations Center

  51. What is the App Operations Center?
     • A development project taking on the reinvention of retail, a 140 trillion yen market https://speakerdeck.com/kurochan/retail-dx-project

  52. Systems being built in the App Operations Center
     • Systems for joint sales promotion
     • Member apps
     • E-commerce sites
     • Data platform
     • Admin consoles for all of the above
     • We want access control driven by a variety of policies
  53. What is the App Operations Center?
     • A department that builds products driving DX in the retail industry
     • It builds many systems
     • Many systems = many APIs
     • Authentication and authorization come up in many different situations
     • The business requirements differ subtly in each case, so we want to manage them properly as rules
     • A chance for Policy as Code...!
     • Authentication => IdP, authorization => ???
  54. RBAC with Open Policy Agent (diagram: user A and user B accessing resource A and resource B; labels "allow", "allow", "deny")
     • We want to decide dynamically whether to allow access, based on values in a database and the like
  55. RBAC with Open Policy Agent https://www.openpolicyagent.org/docs/latest/external-data/
     • The case where whether user A may access resource B changes dynamically
     • Solved with External Data

  56. A general-purpose architecture
     • We want a template for the authentication/authorization mechanism
     • Envoy + OPA + Backend API
       • Envoy: authorization gateway
       • OPA: authorization policy engine
       • Backend API: business logic
  57. A general-purpose architecture (diagram: client, authorization information, backend)

  58. Request/response flow, allowed pattern (diagram, built up over slides 58 to 62: the client sends a request carrying authorization information; the request is allowed and forwarded to the backend together with the authorization information and additional information; the backend's response is returned to the client)

  63. Request/response flow, denied pattern (diagram: the client's request carrying authorization information is denied and never reaches the backend)
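An added example (my own, not the talk's) of the OPA side of the Envoy + OPA + backend architecture from slides 56 to 63, also covering slide 28's point about verifying a signed value rather than trusting what the client sends. The input shape is the document the OPA-Envoy plugin passes for an ext_authz check (`input.attributes.request.http.*`), and the decision is returned as an object with `allowed`, `headers`, `http_status` and `body`, which the plugin supports. `data.idp.jwks` (a JWKS JSON string), `data.idp.issuer`, the audience and the permissions table are assumptions for this example.

```rego
package envoy.authz

import rego.v1

req := input.attributes.request.http

# Extract the bearer token: exactly two parts, scheme compared case-insensitively.
token := t if {
    [scheme, t] := split(req.headers.authorization, " ")
    lower(scheme) == "bearer"
}

# Verify signature, issuer, audience and expiry in one call. Using the
# unverified io.jwt.decode here would let any client forge its own claims.
claims := payload if {
    [valid, _, payload] := io.jwt.decode_verify(token, {
        "cert": data.idp.jwks,
        "iss": data.idp.issuer,
        "aud": "orders-api",
    })
    valid
}

# role -> (method, path prefix) grants (constructed).
permissions := {
    "customer": [{"method": "GET", "prefix": "/orders"}],
    "operator": [
        {"method": "GET", "prefix": "/orders"},
        {"method": "POST", "prefix": "/orders"},
    ],
}

# Fail closed: anything not matched below is refused with 403.
default allow := {"allowed": false, "http_status": 403, "body": "forbidden"}

# No verifiable token at all: 401 tells the client to authenticate first.
allow := {"allowed": false, "http_status": 401, "body": "missing or invalid bearer token"} if {
    not claims
}

# Permitted: let the request through and hand the verified identity to the
# backend as headers, the "additional information" of the flow diagrams. Envoy
# must overwrite, never merge, any x-user / x-roles the client supplied.
allow := {
    "allowed": true,
    "headers": {"x-user": claims.sub, "x-roles": concat(",", claims.roles)},
} if {
    some role in claims.roles
    some p in permissions[role]
    p.method == req.method
    startswith(req.path, p.prefix)
}
```

Run it with the Envoy plugin enabled, e.g. `opa run --server --set plugins.envoy_ext_authz_grpc.addr=:9191 --set plugins.envoy_ext_authz_grpc.path=envoy/authz/allow authz.rego`, and point Envoy's ext_authz filter at that gRPC address. Because the backend only ever sees requests that passed this policy, it can read `x-user` and `x-roles` without re-validating the token, which is exactly the simplification slide 40 promises; the trade-off is that the backend must be reachable only through Envoy, or those headers become forgeable.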

  64. Summary

  65. Summary
     • Introduced the open-source project Open Policy Agent
     • Showed how general-purpose a policy engine is
     • Talked about ideas for adopting it in the App Operations Center
     • Once there is an actual deployment, I hope to present it somewhere
  66. Thank you for listening.