入門Open Policy Agent: Policy as Codeを目指して / introduction-to-open-policy-agent

Transcript

1. גࣜձࣾαΠόʔΤʔδΣϯτ AIࣄۀຊ෦ ೖ໳Open Policy Agent Policy as CodeΛ໨ࢦͯ͠ ࠇ࡚ ༏ଠ

2. ࠇ࡚ ༏ଠ 2015೥౓ ৽ଔೖࣾ AIࣄۀຊ෦ DXຊ෦ ΞϓϦӡ༻ηϯλʔ @kurochan @kuro_m88 ج൫ٕज़੹೚ऀ

   🆕 αΠόʔΤʔδΣϯτ CTO౷ׅࣨ #times_kurochan

3. ࠓճ͓࿩͢Δ಺༰ • Open Policy Agentͱ͍͏ιϑτ΢ΣΞʹ͍ͭͯͷ঺հ • Open Policy Agent͸ೝՄͷจ຺Ͱ঺հ͞ΕΔ͜ͱ͕ଟ͍͕ɺ ΋͏গ͠Ҿ͍ͯʮϙϦγʔʯͱ͍͏ࢹ఺͔Β঺հ

   • ΞϓϦӡ༻ηϯλʔͰಋೖ͢Δ༧ఆ͕͋ΔͷͰ ૝ఆ͍ͯ͠ΔϢʔεέʔεͷ঺հ

4. 1.Open Policy Agentͱ͸ 2.Policy as Code 3.Open Policy Agentͷ࢖͍ํ 4.Open

   Policy Agentͷ࢖͍ॴ 5.ΞϓϦӡ༻ηϯλʔͰͷ Open Policy Agentͷಋೖ༧ఆ

5. Open Policy Agentͱ͸

6. Open Policy Agentͱ͸ • ܰྔͳ൚༻ͷʮϙϦγʔΤϯδϯʯ • ಠཱͯ͠ಈ͔͢͜ͱ΋Ͱ͖Δ͠ɺαʔϏεʹϥΠϒϥϦͱͯ͠౷߹͢Δ͜ͱ΋Մೳ • WebAssembly΋αϙʔτͯͨ͠Γ •

   OPAͱུ͞ΕΔ͜ͱ͕ଟ͍ • ΫΤϦʹରͯ͠ϙϦγʔΛద༻ɺ݁ՌΛੜ੒͢Δ • ϙϦγʔ͸Regoͱ͍͏ݴޠͰੜ੒͢Δ

7. "Policy"ͱ͸ • ϧʔϧͷू߹ • ೖྗΛ৚݅Ͱൺֱͨ͠Γ • rate limitͷΑ͏ʹಈతʹมΘΔΑ͏ͳ΋ͷͩͬͨΓ • ͦΕΒΛ૊Έ߹ΘͤͨΓ

   • ࠷ऴతʹԿ͔͠ΒͷҙࢥܾఆΛ͢Δ

8. ϙϦγʔΤϯδϯΛ෼཭͢Δͱ͍͏͜ͱ • ϙϦγʔͷ࣮૷͸೉͍͠ • ਖ਼࣮͘͠૷Ͱ͖·͔͢…ʁ • ෳࡶͳϙϦγʔ͸ϙϦγʔࣗମͷڍಈΛςετ͍ͨ͠ • ࠓճ͸ʮϙϦγʔΤϯδϯʯͱ͍͏෦඼͕༷ʑͳϢʔεέʔεʹద༻Մ ೳͰ͋Δ͜ͱΛ͓࿩͠·͢

9. Policy as Code

10. Policy as Code • XXX as Code • Infrastructure as

    CodeͳͲ • ϙϦγʔ͸ͦΕࣗମ͕γεςϜͷٕज़తͳ੍໿΍ηΩϡϦςΟͳͲɺ ॏཁͳ஌ࣝΛ಺แ͍ͯ͠Δ • ΞϓϦέʔγϣϯίʔυதʹຒΊࠐ·ΕΔΑΓϙϦγʔͱͯ͠ ಠཱͯ͠ఆٛ͢Δ͜ͱͰ҉໧஌Խ͢Δ͜ͱ΋๷͙͜ͱ͕Ͱ͖Δ

11. Rego • ϙϦγʔΛهड़͢ΔͨΊͷݴޠ • ߏ଄Խ͞Ε͍ͯͯ֊૚తͳσʔλߏ଄Λ࣋ͯΔ • JSONͷΑ͏ͳߏ଄΋ѻ͑Δ • ϙϦγʔͷద༻݁Ռ΋ಉ༷ʹॊೈͳσʔλߏ଄ͰදݱͰ͖Δ •

    ೖग़ྗͷσʔλߏ଄͕͔ͳΓࣗ༝ • ৚݅ࣜ΍ؔ਺΋ॆ࣮

12. Regoͷจ๏ྫ • งғؾ͚ͩ঺հ͠·͢ • ਖ਼͍͠จ๏͸ެࣜυΩϡϝϯτΛࢀর͍ͯͩ͘͠͞ https://www.openpolicyagent.org/docs/latest/policy-language/

13. Regoͷจ๏ྫ: ม਺

14. Regoͷจ๏ྫ: Object

15. Regoͷจ๏ྫ: Rule

16. Regoͷจ๏ྫ: Rule

17. Regoͷจ๏ྫ: ৚݅ • ࢛ଇԋࢉɺ౳߸ɺෆ౳߸ɺϏοτԋࢉͳͲ͸΋ͪΖΜఆٛ͞Ε͍ͯΔ͕ ͜ΕΒ͸͢΂ͯϏϧτΠϯؔ਺ͱͯ͠ѻΘΕΔ

18. Regoͷจ๏ྫ: ϏϧτΠϯؔ਺ • Ϗοτԋࢉɺू߹ԋࢉɺਖ਼نදݱɺจࣈྻૢ࡞ • Base64ɺURLɺJSON/YAMLɺUUID • ࣌ࠁ • άϥϑ

    • ωοτϫʔΫ • τʔΫϯ(JWTͳͲ) • ଞʹ΋ศརͳؔ਺͕࠷ॳ͔Βͨ͘͞Μ༻ҙ͞Ε͍ͯΔ

19. ؆୯ͳྫ • HTTPϦΫΤετͷೝՄ • user "alice" ͸ /hello ʹରͯ͠GETϦΫΤετ͕Ͱ͖Δ

20. The Rego Playground • ϒϥ΢β্ͰRegoΛॻ͍ͯࢼͤͯศར https://play.openpolicyagent.org/

21. Testable • ςετ͕ॻ͚Δʂ

22. Testable • ςετ͕ॻ͚Δʂ

23. Open Policy Agentͷ࢖͍ํ

24. REST API

25. ೝՄػೳΛඋ͑ͨAPI • ೝূͱೝՄ • ೝূ(Authenticate) • ʮ୭ͳͷ͔ʯΛࣝผ͢Δ • ೝՄ(Authorize) •

    ʮԿ͕Ͱ͖Δͷ͔(Ͱ͖ͳ͍ͷ͔)ʯΛ൑அ͢Δ

26. RBACΛ࣮૷ͯ͠ΈΔ

27. External Data • ͜͜·Ͱͷྫͩͱuser_roles΍role_permissions૬౰͸ݻఆ • ࣮༻్Ͱ͸ಈతʹมԽͤͨ͞Γ૿ݮ͍ͤͨ͞ • ϙϦγʔΛධՁ͢Δʹ͋ͨͬͯඞཁͳ৘ใΛ֎෦͔Βऔಘ͢Δ࢓૊Έ

28. ϦΫΤετʹຒΊࠐΉ • ϦΫΤετΛૹ৴͢Δଆ͕෇Ճ৘ใΛૹ৴͢Δ • ΋ͪΖΜૹΒΕͯ͘Δ஋͕৴༻Ͱ͖ͳ͍ͱμϝ • ৴༻Ͱ͖Δͱ͍͏લఏ͔ɺ JWTͳͲͰॺ໊͞Εͨ஋Λݕূͯ͠࢖͏͔ https://www.openpolicyagent.org/docs/latest/external-data/

29. σʔλΛ౉͢(push) • ֎෦͔Βߋ৽͕͋Δ౓ʹpush͢Δ • ಉظ࿙Εͱ͔ϥά͕ى͖Δͱ͜Θ͍͔΋ • ͋·Γେ͖ͳσʔλ͸஗Εͳ͍ https://www.openpolicyagent.org/docs/latest/external-data/

30. σʔλΛ΋Β͏(pull) • OPA͕ಈతʹ֎෦ͷAPIΛݺͼग़ͤΔ(B) • OPAͷϨεϙϯελΠϜ͸૿Ճ͢Δ • ॊೈʹ࿈ܞ͠΍ͦ͢͏ https://www.openpolicyagent.org/docs/latest/external-data/

31. Testing

32. ςετ • ϙϦγʔͱಉ͡σΟϨΫτϦʹςετϑΝΠϧΛஔ͘ • "test_"Ͱ࢝·Δϧʔϧ͕ධՁ͞ΕɺͦΕ͕ςετʹͳΔ • opa testίϚϯυͰςετ͕࣮ߦͰ͖Δ • ΧόϨοδܭଌ΋Մೳ

33. ஋ͷϞοΫ • withΩʔϫʔυͰ஋Λஔ͖׵͑ΒΕΔ

34. Open Policy Agentͷ࢖͍Ͳ͜Ζ

35. Open Policy Agentͷ࢖͍Ͳ͜Ζ • Kubernetesͷݖݶ؅ཧͷจ຺Ͱ঺հ͞ΕΔ͜ͱ͕ଟ͍ҹ৅ • ͦΕҎ֎ͷ༻్Λத৺ʹ঺հ͠·͢

36. Envoy

37. Envoyͱ͸ https://speakerdeck.com/kurochan/ru-men-envoy

38. Envoyͱ͸ • OSSͷL4/L7ϓϩΩγ • ʮϞμϯͳαʔϏεࢦ޲ΞʔΩςΫνϟʯ޲͚ • ʮϢχόʔαϧσʔλϓϨʔϯʯΛ໨ࢦͯ͠։ൃ͞Ε͍ͯΔ • ύϑΥʔϚϯεʹ༏Εɺ֦ுੑ͕ߴ͘ɺAPIܦ༝ͰίϯτϩʔϧՄೳ https://www.envoyproxy.io/docs/envoy/latest/intro/what_is_envoy

39. Envoy࿈ܞ • EnvoyͱOPAΛ࿈ܞͤͯ͞ೝՄػೳ෇͖ͷήʔτ΢ΣΠΛߏ੒Մೳ https://www.openpolicyagent.org/docs/latest/envoy-introduction/

40. Envoy࿈ܞ • EnvoyͱOPAΛ࿈ܞͤͯ͞ೝՄػೳ෇͖ͷήʔτ΢ΣΠΛߏ੒Մೳ • ೝՄ͞ΕͨτϥϑΟοΫ͔͠௨ա͠ͳ͍ • ޙஈͷΞϓϦέʔγϣϯαʔό౳ͷ࣮૷ָ͕ʹͳΔ

41. Terraform

42. TerraformʹϙϦγʔΛద༻͢Δʁ • terraform.analysisͱ͍͏ύοέʔδ͕༻ҙ͞Ε͍ͯΔ • terraform planͷ݁Ռ͕ҙਤ͍ͯ͠Δ͔Ͳ͏͔ͷνΣοΫ͕Ͱ͖Δ • CIͳͲʹ૊ΈࠐΉͱࣄނ๷ࢭͷνΣοΫʹͳΔ • ྫ

    • ෆ༻ҙʹIAMͷઃఆมߋ͕͞Ε͍ͯͳ͍͔ʁ • ࣮ߦͨ͠ਓ͕؅ཧऀͰ͋Ε͹OKͳͲͷίϯςΩετ΋࣋ͨͤΒΕͦ͏ • Ұఆͷᮢ஋Ҏ্ͷมߋ͕Ұ౓ʹͳ͞Ε͍ͯͳ͍͔ʁ • ޡͬͯ؀ڥΛഁյ͞Εͳ͍Α͏ʹͰ͖ͦ͏

43. Terraform࿈ܞͷྫ • terraform planͷ݁Ռʹରͯ͠ϙϦγʔΛద༻͢Δ

44. ϩά؂ࢹ

45. ϩάʹϙϦγʔΛద༻͢ΔͱͲ͏ͳΔͷ͔ • ϩά؂ࢹͰΑ͘΍Δ͜ͱ • ΤϥʔΧ΢ϯτ • ҟৗ஋ͷݕग़ • ෳࡶͳ৚݅Ͱͷϩά؂ࢹ •

    ಛఆͷIPΞυϨε͔Βͷෆਖ਼ͳΞΫηε • S3όέοτͷՄࢹൣғͷઃఆมߋ • ͳͲ • ͦΕɺOPAͰݕग़Ͱ͖ΔͷͰ͸…ʁ • Կ͔ͷҙࢥܾఆΛ͢ΔҎ֎ʹ΋ɺಛఆ৚݅ͷΞΫςΟϏςΟͷݕग़ʹ΋͔ͭ͑Δʂ

46. ΧελϚΠζ

47. ͜͜·ͰͰ෼͔ͬͨ͜ͱ • Open Policy Agent͸೚ҙͷೖྗʹରͯ͠ϙϦγʔΛద༻ͨ݁͠ՌΛ ฦ͢ύʔπͱ͔ͯ͠ͳΓ൚༻ੑ͕ߴ͍ • Open Policy AgentΛαʔϏεʹ૊ΈࠐΜͰ࢖͏ʹ͸

    Ͳ͏͢Ε͹Α͍ͷ͔

48. REST API • input JSONͰPOST͢ΔͱɺϨεϙϯε͕JSONͰฦͬͯ͘Δ

49. Go API • GolangͷϥΠϒϥϦͱͯ͠ݺͼग़͢͜ͱ͕Մೳ

50. ΞϓϦӡ༻ηϯλʔͰͷ Open Policy AgentͷಋೖΞΠσΞ

51. ΞϓϦӡ༻ηϯλʔͱ͸ • 140ஹԁͷڊେࢢ৔ɺখചۀքͷ࠶ൃ໌ʹ௅Ή։ൃϓϩδΣΫτ https://speakerdeck.com/kurochan/retail-dx-project

52. ΞϓϦӡ༻ηϯλʔͰ։ൃ͍ͯ͠ΔγεςϜͨͪ • ڠಇൢଅ޲͚γεςϜ • ձһΞϓϦ • ECαΠτ • σʔλج൫ •

    ͜ΕΒͷ؅ཧը໘ • ༷ʑͳϙϦγʔͰΞΫηε੍ޚΛ͍ͨ͠

53. ΞϓϦӡ༻ηϯλʔͱ͸ • খചۀքͷDXΛਪਐ͢ΔϓϩμΫτΛ։ൃ͢Δ෦ॺ • ͍ΖΜͳγεςϜΛ։ൃ͢Δ • ͍ΖΜͳγεςϜ = ͍ΖΜͳAPI •

    ೝূೝՄ͕༷ʑͳγʔϯͰൃੜ͢Δ • ͦΕͧΕϏδωεཁ݅΋ඍົʹҟͳΔͷͰ͖ͪΜͱϧʔϧͱͯ͠؅ཧ͍ͨ͠ • Policy as Codeͷػӡ…ʂ • ೝূ => IdP, ೝՄ => ???

54. Open Policy AgentΛ༻͍ͨRBAC ڋ൱ ڐՄ ڐՄ ϦιʔεA ϦιʔεB A͞Μ B͞Μ

    σʔλϕʔεͷ஋ͳͲʹԠͯ͡ಈతʹΞΫηεΛڐՄ͢Δ͔൑அ͍ͨ͠

55. Open Policy AgentΛ༻͍ͨRBAC https://www.openpolicyagent.org/docs/latest/external-data/ • ϢʔβA͕ϦιʔεB΁ͷΞΫηεΛͯ͠Α͍͔͕ಈతʹมΘΔέʔε • External DataΛ༻͍ͯղܾ

56. ൚༻తͳΞʔΩςΫνϟ • ೝূೝՄͷ͘͠ΈΛςϯϓϨʔτԽ͍ͨ͠ • Envoy + OPA + Backend API

    • Envoy: ೝՄήʔτ΢ΣΠ • OPA: ೝՄϙϦγʔΤϯδϯ • Backend API: ϏδωεϩδοΫ

57. ൚༻తͳΞʔΩςΫνϟ ΫϥΠΞϯτ ೝՄ৘ใ όοΫΤϯυ

58. ϦΫΤετ ϨεϙϯεͷྲྀΕ ϦΫΤετ ΫϥΠΞϯτ ೝՄ৘ใ όοΫΤϯυ ڐՄ͞ΕΔύλʔϯ

59. ϦΫΤετ ϨεϙϯεͷྲྀΕ ϦΫΤετ ΫϥΠΞϯτ ೝՄ৘ใ όοΫΤϯυ ڐՄ͞ΕΔύλʔϯ

60. ϦΫΤετ ϨεϙϯεͷྲྀΕ ϦΫΤετ ΫϥΠΞϯτ ೝՄ৘ใ όοΫΤϯυ ڐՄ ೝՄ৘ใ ෇Ճ৘ใ ڐՄ͞ΕΔύλʔϯ

61. ϦΫΤετ ϨεϙϯεͷྲྀΕ ϦΫΤετ ΫϥΠΞϯτ ೝՄ৘ใ όοΫΤϯυ ϦΫΤετ ڐՄ ೝՄ৘ใ ෇Ճ৘ใ

    ڐՄ͞ΕΔύλʔϯ

62. ϦΫΤετ ϨεϙϯεͷྲྀΕ ϦΫΤετ ΫϥΠΞϯτ ೝՄ৘ใ όοΫΤϯυ ϦΫΤετ ڐՄ ೝՄ৘ใ ෇Ճ৘ใ

    ڐՄ͞ΕΔύλʔϯ

63. ϦΫΤετ ϨεϙϯεͷྲྀΕ ϦΫΤετ ΫϥΠΞϯτ ೝՄ৘ใ όοΫΤϯυ ೝՄ৘ใ ෇Ճ৘ใ ڋ൱ ڋ൱͞ΕΔύλʔϯ

64. ·ͱΊ

65. ·ͱΊ • Open Policy Agentͱ͍͏OSSʹ͍ͭͯ঺հ͠·ͨ͠ • ϙϦγʔΤϯδϯͷ൚༻ੑʹ͍ͭͯ঺հ͠·ͨ͠ • ΞϓϦӡ༻ηϯλʔͰͷಋೖΞΠσΞʹ͍͓ͭͯ࿩͠·ͨ͠ •

    ࣮ࡍʹಋೖࣄྫ͕Ͱ͖ͨΒͲ͔͜Ͱൃද͍ͨ͠ͱࢥ͍·͢

66. ͝ࢹௌ͋Γ͕ͱ͏͍͟͝·ͨ͠ɻ