Upgrade to Pro — share decks privately, control downloads, hide ads and more …

入門Open Policy Agent: Policy as Codeを目指して / introduction-to-open-policy-agent

Kurochan
September 16, 2021
Technology
0
330

入門Open Policy Agent: Policy as Codeを目指して / introduction-to-open-policy-agent

サイバーエージェントの社内エンジニアカンファレンス CA BASE CAMP 2021で発表した資料です

Kurochan

September 16, 2021
Tweet

More Decks by Kurochan

See All by Kurochan
セキュキャンを卒業してその後
kurochan
0
760
サイバーエージェントの実践×実験Snowflake 導入の経緯から最新機能のトライアルまで / How Snowflake Is Used In CyberAgent - Go To the Future
kurochan
0
500
WireGuardとOpenID Connectの連携をGoで実装してみた
kurochan
3
1.8k
140兆円の巨大市場、小売業界の再発明に挑む開発プロジェクト #ca_base_next / retail-dx-project
kurochan
1
1.5k
SnowflakeにMySQLとJOINする機能を
実装する
kurochan
0
340
CyberAgentでのSlack 活用事例紹介
kurochan
0
6.1k
入門Envoy
kurochan
5
8.3k
広告配信プロダクトのSnowflakeへの移行
kurochan
2
6.4k
SnowflakeとRedshiftの比較検証
kurochan
1
11k

Other Decks in Technology

See All in Technology
20230525_経営者・マーケティング担当必見!ChatGPTがもたらすマーケティング革命(45min版)_v1.02_共有用・後半パート.pdf
doradora09
0
160
カーネルコードの歩き方
sat
PRO
3
2.5k
Антихрупкость в IT или как полюбить изменения
alexanderbyndyu
0
210
LLMの普及による機械学習の民主化とMLPdMの重要性 / democratization-of-ml-and-importance-of-mlpdm-by-llm
yuya4
2
2k
AI完全初心者でも最新の生成AIの仕組がわかった気になれるプレゼン
shimap_sampo
5
1.5k
競プロ作問を支える技術
tsutaj
0
210
Vault Secrets Operator と Dynamic Secrets で安全にシークレットを使おう / Vault Secrets Operator and Dynamic Secrets
nnstt1
2
290
Hunting for macOS attack techniques. Part 1 – Initial Access, Execution, Credential Access, Persistence
heirhabarov
1
500
Amazon VPC Lattice を使い始める前におさえておきたいポイント n 選 / Introduction to VPC Lattice
hayaok3
1
880
「XIAOGYAN」への想い
matsujirushi
0
150
ブロックテーマでどう変わる?新しいWordPressのWebサイト制作
tbshiki
0
140
時系列データをChatGPTで読み解いてみる【IoT-Tech Meetup】
soracom
PRO
0
470

Featured

See All Featured
Atom: Resistance is Futile
akmur
256
24k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
183
15k
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
123
29k
How GitHub Uses GitHub to Build GitHub
holman
466
280k
Code Review Best Practice
trishagee
52
12k
Building Adaptive Systems
keathley
29
1.5k
StorybookのUI Testing Handbookを読んだ
zakiyama
9
3.5k
A better future with KSS
kneath
230
16k
BBQ
matthewcrist
75
8.2k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
3.7k
Building Flexible Design Systems
yeseniaperezcruz
315
35k

Transcript

  1. גࣜձࣾαΠόʔΤʔδΣϯτ AIࣄۀຊ෦
    ೖ໳Open Policy Agent
    Policy as CodeΛ໨ࢦͯ͠
    ࠇ࡚ ༏ଠ

    View Slide

  2. ࠇ࡚ ༏ଠ
    2015೥౓ ৽ଔೖࣾ
    AIࣄۀຊ෦ DXຊ෦ ΞϓϦӡ༻ηϯλʔ
    @kurochan
    @kuro_m88
    ج൫ٕज़੹೚ऀ
    🆕 αΠόʔΤʔδΣϯτ CTO౷ׅࣨ
    #times_kurochan

    View Slide

  3. ࠓճ͓࿩͢Δ಺༰
    • Open Policy Agentͱ͍͏ιϑτ΢ΣΞʹ͍ͭͯͷ঺հ
    • Open Policy Agent͸ೝՄͷจ຺Ͱ঺հ͞ΕΔ͜ͱ͕ଟ͍͕ɺ
    ΋͏গ͠Ҿ͍ͯʮϙϦγʔʯͱ͍͏ࢹ఺͔Β঺հ
    • ΞϓϦӡ༻ηϯλʔͰಋೖ͢Δ༧ఆ͕͋ΔͷͰ
    ૝ఆ͍ͯ͠ΔϢʔεέʔεͷ঺հ

    View Slide

  4. 1.Open Policy Agentͱ͸
    2.Policy as Code
    3.Open Policy Agentͷ࢖͍ํ
    4.Open Policy Agentͷ࢖͍ॴ
    5.ΞϓϦӡ༻ηϯλʔͰͷ
    Open Policy Agentͷಋೖ༧ఆ

    View Slide

  5. Open Policy Agentͱ͸

    View Slide

  6. Open Policy Agentͱ͸
    • ܰྔͳ൚༻ͷʮϙϦγʔΤϯδϯʯ
    • ಠཱͯ͠ಈ͔͢͜ͱ΋Ͱ͖Δ͠ɺαʔϏεʹϥΠϒϥϦͱͯ͠౷߹͢Δ͜ͱ΋Մೳ
    • WebAssembly΋αϙʔτͯͨ͠Γ
    • OPAͱུ͞ΕΔ͜ͱ͕ଟ͍
    • ΫΤϦʹରͯ͠ϙϦγʔΛద༻ɺ݁ՌΛੜ੒͢Δ
    • ϙϦγʔ͸Regoͱ͍͏ݴޠͰੜ੒͢Δ

    View Slide

  7. "Policy"ͱ͸
    • ϧʔϧͷू߹
    • ೖྗΛ৚݅Ͱൺֱͨ͠Γ
    • rate limitͷΑ͏ʹಈతʹมΘΔΑ͏ͳ΋ͷͩͬͨΓ
    • ͦΕΒΛ૊Έ߹ΘͤͨΓ
    • ࠷ऴతʹԿ͔͠ΒͷҙࢥܾఆΛ͢Δ

    View Slide

  8. ϙϦγʔΤϯδϯΛ෼཭͢Δͱ͍͏͜ͱ
    • ϙϦγʔͷ࣮૷͸೉͍͠
    • ਖ਼࣮͘͠૷Ͱ͖·͔͢…ʁ
    • ෳࡶͳϙϦγʔ͸ϙϦγʔࣗମͷڍಈΛςετ͍ͨ͠
    • ࠓճ͸ʮϙϦγʔΤϯδϯʯͱ͍͏෦඼͕༷ʑͳϢʔεέʔεʹద༻Մ
    ೳͰ͋Δ͜ͱΛ͓࿩͠·͢

    View Slide

  9. Policy as Code

    View Slide

  10. Policy as Code
    • XXX as Code
    • Infrastructure as CodeͳͲ
    • ϙϦγʔ͸ͦΕࣗମ͕γεςϜͷٕज़తͳ੍໿΍ηΩϡϦςΟͳͲɺ
    ॏཁͳ஌ࣝΛ಺แ͍ͯ͠Δ
    • ΞϓϦέʔγϣϯίʔυதʹຒΊࠐ·ΕΔΑΓϙϦγʔͱͯ͠
    ಠཱͯ͠ఆٛ͢Δ͜ͱͰ҉໧஌Խ͢Δ͜ͱ΋๷͙͜ͱ͕Ͱ͖Δ

    View Slide

  11. Rego
    • ϙϦγʔΛهड़͢ΔͨΊͷݴޠ
    • ߏ଄Խ͞Ε͍ͯͯ֊૚తͳσʔλߏ଄Λ࣋ͯΔ
    • JSONͷΑ͏ͳߏ଄΋ѻ͑Δ
    • ϙϦγʔͷద༻݁Ռ΋ಉ༷ʹॊೈͳσʔλߏ଄ͰදݱͰ͖Δ
    • ೖग़ྗͷσʔλߏ଄͕͔ͳΓࣗ༝
    • ৚݅ࣜ΍ؔ਺΋ॆ࣮

    View Slide

  12. Regoͷจ๏ྫ
    • งғؾ͚ͩ঺հ͠·͢
    • ਖ਼͍͠จ๏͸ެࣜυΩϡϝϯτΛࢀর͍ͯͩ͘͠͞
    https://www.openpolicyagent.org/docs/latest/policy-language/

    View Slide

  13. Regoͷจ๏ྫ: ม਺

    View Slide

  14. Regoͷจ๏ྫ: Object

    View Slide

  15. Regoͷจ๏ྫ: Rule

    View Slide

  16. Regoͷจ๏ྫ: Rule

    View Slide

  17. Regoͷจ๏ྫ: ৚݅
    • ࢛ଇԋࢉɺ౳߸ɺෆ౳߸ɺϏοτԋࢉͳͲ͸΋ͪΖΜఆٛ͞Ε͍ͯΔ͕
    ͜ΕΒ͸͢΂ͯϏϧτΠϯؔ਺ͱͯ͠ѻΘΕΔ

    View Slide

  18. Regoͷจ๏ྫ: ϏϧτΠϯؔ਺
    • Ϗοτԋࢉɺू߹ԋࢉɺਖ਼نදݱɺจࣈྻૢ࡞
    • Base64ɺURLɺJSON/YAMLɺUUID
    • ࣌ࠁ
    • άϥϑ
    • ωοτϫʔΫ
    • τʔΫϯ(JWTͳͲ)
    • ଞʹ΋ศརͳؔ਺͕࠷ॳ͔Βͨ͘͞Μ༻ҙ͞Ε͍ͯΔ

    View Slide

  19. ؆୯ͳྫ
    • HTTPϦΫΤετͷೝՄ
    • user "alice" ͸ /hello ʹରͯ͠GETϦΫΤετ͕Ͱ͖Δ

    View Slide

  20. The Rego Playground
    • ϒϥ΢β্ͰRegoΛॻ͍ͯࢼͤͯศར
    https://play.openpolicyagent.org/

    View Slide

  21. Testable
    • ςετ͕ॻ͚Δʂ

    View Slide

  22. Testable
    • ςετ͕ॻ͚Δʂ

    View Slide

  23. Open Policy Agentͷ࢖͍ํ

    View Slide

  24. REST API

    View Slide

  25. ೝՄػೳΛඋ͑ͨAPI
    • ೝূͱೝՄ
    • ೝূ(Authenticate)
    • ʮ୭ͳͷ͔ʯΛࣝผ͢Δ
    • ೝՄ(Authorize)
    • ʮԿ͕Ͱ͖Δͷ͔(Ͱ͖ͳ͍ͷ͔)ʯΛ൑அ͢Δ

    View Slide

  26. RBACΛ࣮૷ͯ͠ΈΔ

    View Slide

  27. External Data
    • ͜͜·Ͱͷྫͩͱuser_roles΍role_permissions૬౰͸ݻఆ
    • ࣮༻్Ͱ͸ಈతʹมԽͤͨ͞Γ૿ݮ͍ͤͨ͞
    • ϙϦγʔΛධՁ͢Δʹ͋ͨͬͯඞཁͳ৘ใΛ֎෦͔Βऔಘ͢Δ࢓૊Έ

    View Slide

  28. ϦΫΤετʹຒΊࠐΉ
    • ϦΫΤετΛૹ৴͢Δଆ͕෇Ճ৘ใΛૹ৴͢Δ
    • ΋ͪΖΜૹΒΕͯ͘Δ஋͕৴༻Ͱ͖ͳ͍ͱμϝ
    • ৴༻Ͱ͖Δͱ͍͏લఏ͔ɺ
    JWTͳͲͰॺ໊͞Εͨ஋Λݕূͯ͠࢖͏͔
    https://www.openpolicyagent.org/docs/latest/external-data/

    View Slide

  29. σʔλΛ౉͢(push)
    • ֎෦͔Βߋ৽͕͋Δ౓ʹpush͢Δ
    • ಉظ࿙Εͱ͔ϥά͕ى͖Δͱ͜Θ͍͔΋
    • ͋·Γେ͖ͳσʔλ͸஗Εͳ͍
    https://www.openpolicyagent.org/docs/latest/external-data/

    View Slide

  30. σʔλΛ΋Β͏(pull)
    • OPA͕ಈతʹ֎෦ͷAPIΛݺͼग़ͤΔ(B)
    • OPAͷϨεϙϯελΠϜ͸૿Ճ͢Δ
    • ॊೈʹ࿈ܞ͠΍ͦ͢͏
    https://www.openpolicyagent.org/docs/latest/external-data/

    View Slide

  31. Testing

    View Slide

  32. ςετ
    • ϙϦγʔͱಉ͡σΟϨΫτϦʹςετϑΝΠϧΛஔ͘
    • "test_"Ͱ࢝·Δϧʔϧ͕ධՁ͞ΕɺͦΕ͕ςετʹͳΔ
    • opa testίϚϯυͰςετ͕࣮ߦͰ͖Δ
    • ΧόϨοδܭଌ΋Մೳ

    View Slide

  33. ஋ͷϞοΫ
    • withΩʔϫʔυͰ஋Λஔ͖׵͑ΒΕΔ

    View Slide

  34. Open Policy Agentͷ࢖͍Ͳ͜Ζ

    View Slide

  35. Open Policy Agentͷ࢖͍Ͳ͜Ζ
    • Kubernetesͷݖݶ؅ཧͷจ຺Ͱ঺հ͞ΕΔ͜ͱ͕ଟ͍ҹ৅
    • ͦΕҎ֎ͷ༻్Λத৺ʹ঺հ͠·͢

    View Slide

  36. Envoy

    View Slide

  37. Envoyͱ͸
    https://speakerdeck.com/kurochan/ru-men-envoy

    View Slide

  38. Envoyͱ͸
    • OSSͷL4/L7ϓϩΩγ
    • ʮϞμϯͳαʔϏεࢦ޲ΞʔΩςΫνϟʯ޲͚
    • ʮϢχόʔαϧσʔλϓϨʔϯʯΛ໨ࢦͯ͠։ൃ͞Ε͍ͯΔ
    • ύϑΥʔϚϯεʹ༏Εɺ֦ுੑ͕ߴ͘ɺAPIܦ༝ͰίϯτϩʔϧՄೳ
    https://www.envoyproxy.io/docs/envoy/latest/intro/what_is_envoy

    View Slide

  39. Envoy࿈ܞ
    • EnvoyͱOPAΛ࿈ܞͤͯ͞ೝՄػೳ෇͖ͷήʔτ΢ΣΠΛߏ੒Մೳ
    https://www.openpolicyagent.org/docs/latest/envoy-introduction/

    View Slide

  40. Envoy࿈ܞ
    • EnvoyͱOPAΛ࿈ܞͤͯ͞ೝՄػೳ෇͖ͷήʔτ΢ΣΠΛߏ੒Մೳ
    • ೝՄ͞ΕͨτϥϑΟοΫ͔͠௨ա͠ͳ͍
    • ޙஈͷΞϓϦέʔγϣϯαʔό౳ͷ࣮૷ָ͕ʹͳΔ

    View Slide

  41. Terraform

    View Slide

  42. TerraformʹϙϦγʔΛద༻͢Δʁ
    • terraform.analysisͱ͍͏ύοέʔδ͕༻ҙ͞Ε͍ͯΔ
    • terraform planͷ݁Ռ͕ҙਤ͍ͯ͠Δ͔Ͳ͏͔ͷνΣοΫ͕Ͱ͖Δ
    • CIͳͲʹ૊ΈࠐΉͱࣄނ๷ࢭͷνΣοΫʹͳΔ
    • ྫ
    • ෆ༻ҙʹIAMͷઃఆมߋ͕͞Ε͍ͯͳ͍͔ʁ
    • ࣮ߦͨ͠ਓ͕؅ཧऀͰ͋Ε͹OKͳͲͷίϯςΩετ΋࣋ͨͤΒΕͦ͏
    • Ұఆͷᮢ஋Ҏ্ͷมߋ͕Ұ౓ʹͳ͞Ε͍ͯͳ͍͔ʁ
    • ޡͬͯ؀ڥΛഁյ͞Εͳ͍Α͏ʹͰ͖ͦ͏

    View Slide

  43. Terraform࿈ܞͷྫ
    • terraform planͷ݁Ռʹରͯ͠ϙϦγʔΛద༻͢Δ

    View Slide

  44. ϩά؂ࢹ

    View Slide

  45. ϩάʹϙϦγʔΛద༻͢ΔͱͲ͏ͳΔͷ͔
    • ϩά؂ࢹͰΑ͘΍Δ͜ͱ
    • ΤϥʔΧ΢ϯτ
    • ҟৗ஋ͷݕग़
    • ෳࡶͳ৚݅Ͱͷϩά؂ࢹ
    • ಛఆͷIPΞυϨε͔Βͷෆਖ਼ͳΞΫηε
    • S3όέοτͷՄࢹൣғͷઃఆมߋ
    • ͳͲ
    • ͦΕɺOPAͰݕग़Ͱ͖ΔͷͰ͸…ʁ
    • Կ͔ͷҙࢥܾఆΛ͢ΔҎ֎ʹ΋ɺಛఆ৚݅ͷΞΫςΟϏςΟͷݕग़ʹ΋͔ͭ͑Δʂ

    View Slide

  46. ΧελϚΠζ

    View Slide

  47. ͜͜·ͰͰ෼͔ͬͨ͜ͱ
    • Open Policy Agent͸೚ҙͷೖྗʹରͯ͠ϙϦγʔΛద༻ͨ݁͠ՌΛ
    ฦ͢ύʔπͱ͔ͯ͠ͳΓ൚༻ੑ͕ߴ͍
    • Open Policy AgentΛαʔϏεʹ૊ΈࠐΜͰ࢖͏ʹ͸
    Ͳ͏͢Ε͹Α͍ͷ͔

    View Slide

  48. REST API
    • input JSONͰPOST͢ΔͱɺϨεϙϯε͕JSONͰฦͬͯ͘Δ

    View Slide

  49. Go API
    • GolangͷϥΠϒϥϦͱͯ͠ݺͼग़͢͜ͱ͕Մೳ

    View Slide

  50. ΞϓϦӡ༻ηϯλʔͰͷ
    Open Policy AgentͷಋೖΞΠσΞ

    View Slide

  51. ΞϓϦӡ༻ηϯλʔͱ͸
    • 140ஹԁͷڊେࢢ৔ɺখചۀքͷ࠶ൃ໌ʹ௅Ή։ൃϓϩδΣΫτ
    https://speakerdeck.com/kurochan/retail-dx-project

    View Slide

  52. ΞϓϦӡ༻ηϯλʔͰ։ൃ͍ͯ͠ΔγεςϜͨͪ
    • ڠಇൢଅ޲͚γεςϜ
    • ձһΞϓϦ
    • ECαΠτ
    • σʔλج൫
    • ͜ΕΒͷ؅ཧը໘
    • ༷ʑͳϙϦγʔͰΞΫηε੍ޚΛ͍ͨ͠

    View Slide

  53. ΞϓϦӡ༻ηϯλʔͱ͸
    • খചۀքͷDXΛਪਐ͢ΔϓϩμΫτΛ։ൃ͢Δ෦ॺ
    • ͍ΖΜͳγεςϜΛ։ൃ͢Δ
    • ͍ΖΜͳγεςϜ = ͍ΖΜͳAPI
    • ೝূೝՄ͕༷ʑͳγʔϯͰൃੜ͢Δ
    • ͦΕͧΕϏδωεཁ݅΋ඍົʹҟͳΔͷͰ͖ͪΜͱϧʔϧͱͯ͠؅ཧ͍ͨ͠
    • Policy as Codeͷػӡ…ʂ
    • ೝূ => IdP, ೝՄ => ???

    View Slide

  54. Open Policy AgentΛ༻͍ͨRBAC
    ڋ൱
    ڐՄ
    ڐՄ
    ϦιʔεA
    ϦιʔεB
    A͞Μ
    B͞Μ
    σʔλϕʔεͷ஋ͳͲʹԠͯ͡ಈతʹΞΫηεΛڐՄ͢Δ͔൑அ͍ͨ͠

    View Slide

  55. Open Policy AgentΛ༻͍ͨRBAC
    https://www.openpolicyagent.org/docs/latest/external-data/
    • ϢʔβA͕ϦιʔεB΁ͷΞΫηεΛͯ͠Α͍͔͕ಈతʹมΘΔέʔε
    • External DataΛ༻͍ͯղܾ

    View Slide

  56. ൚༻తͳΞʔΩςΫνϟ
    • ೝূೝՄͷ͘͠ΈΛςϯϓϨʔτԽ͍ͨ͠
    • Envoy + OPA + Backend API
    • Envoy: ೝՄήʔτ΢ΣΠ
    • OPA: ೝՄϙϦγʔΤϯδϯ
    • Backend API: ϏδωεϩδοΫ

    View Slide

  57. ൚༻తͳΞʔΩςΫνϟ
    ΫϥΠΞϯτ
    ೝՄ৘ใ
    όοΫΤϯυ

    View Slide

  58. ϦΫΤετ ϨεϙϯεͷྲྀΕ
    ϦΫΤετ
    ΫϥΠΞϯτ
    ೝՄ৘ใ
    όοΫΤϯυ
    ڐՄ͞ΕΔύλʔϯ

    View Slide

  59. ϦΫΤετ ϨεϙϯεͷྲྀΕ
    ϦΫΤετ
    ΫϥΠΞϯτ
    ೝՄ৘ใ
    όοΫΤϯυ
    ڐՄ͞ΕΔύλʔϯ

    View Slide

  60. ϦΫΤετ ϨεϙϯεͷྲྀΕ
    ϦΫΤετ
    ΫϥΠΞϯτ
    ೝՄ৘ใ
    όοΫΤϯυ
    ڐՄ
    ೝՄ৘ใ
    ෇Ճ৘ใ
    ڐՄ͞ΕΔύλʔϯ

    View Slide

  61. ϦΫΤετ ϨεϙϯεͷྲྀΕ
    ϦΫΤετ
    ΫϥΠΞϯτ
    ೝՄ৘ใ
    όοΫΤϯυ
    ϦΫΤετ
    ڐՄ
    ೝՄ৘ใ
    ෇Ճ৘ใ
    ڐՄ͞ΕΔύλʔϯ

    View Slide

  62. ϦΫΤετ ϨεϙϯεͷྲྀΕ
    ϦΫΤετ
    ΫϥΠΞϯτ
    ೝՄ৘ใ
    όοΫΤϯυ
    ϦΫΤετ
    ڐՄ
    ೝՄ৘ใ
    ෇Ճ৘ใ
    ڐՄ͞ΕΔύλʔϯ

    View Slide

  63. ϦΫΤετ ϨεϙϯεͷྲྀΕ
    ϦΫΤετ
    ΫϥΠΞϯτ
    ೝՄ৘ใ
    όοΫΤϯυ
    ೝՄ৘ใ
    ෇Ճ৘ใ
    ڋ൱
    ڋ൱͞ΕΔύλʔϯ

    View Slide

  64. ·ͱΊ

    View Slide

  65. ·ͱΊ
    • Open Policy Agentͱ͍͏OSSʹ͍ͭͯ঺հ͠·ͨ͠
    • ϙϦγʔΤϯδϯͷ൚༻ੑʹ͍ͭͯ঺հ͠·ͨ͠
    • ΞϓϦӡ༻ηϯλʔͰͷಋೖΞΠσΞʹ͍͓ͭͯ࿩͠·ͨ͠
    • ࣮ࡍʹಋೖࣄྫ͕Ͱ͖ͨΒͲ͔͜Ͱൃද͍ͨ͠ͱࢥ͍·͢

    View Slide

  66. ͝ࢹௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ɻ

    View Slide