Slides presented at CA BASE CAMP 2021, CyberAgent's in-house engineering conference.
CyberAgent, Inc., AI Business Division
Introduction to Open Policy Agent: Toward Policy as Code
Yuta Kurosaki
Yuta Kurosaki
• Joined as a new graduate in 2015
• AI Business Division, DX Division, App Operations Center
• @kurochan / @kuro_m88
• Infrastructure technologist
• 🆕 CyberAgent CTO Office (CTO統括室)
• #times_kurochan
What I will cover today
• An introduction to the software called Open Policy Agent
• Open Policy Agent is usually introduced in the context of authorization, but I will step back a little and introduce it from the viewpoint of "policy"
• The App Operations Center plans to adopt it, so I will also introduce the use cases we have in mind
1. What is Open Policy Agent
2. Policy as Code
3. How to use Open Policy Agent
4. Where Open Policy Agent is useful
5. Plans to adopt Open Policy Agent at the App Operations Center
What is Open Policy Agent
What is Open Policy Agent
• A lightweight, general-purpose "policy engine"
• Can run standalone, or be integrated into a service as a library
• Also has WebAssembly support
• Often abbreviated as OPA
• Applies a policy to a query and produces a result
• Policies are written in a language called Rego
"Policy"ͱ• ϧʔϧͷू߹• ೖྗΛ݅Ͱൺֱͨ͠Γ• rate limitͷΑ͏ʹಈతʹมΘΔΑ͏ͳͷͩͬͨΓ• ͦΕΒΛΈ߹ΘͤͨΓ• ࠷ऴతʹԿ͔͠ΒͷҙࢥܾఆΛ͢Δ
What it means to use a policy engine
• Implementing policies is hard
• Can you implement them correctly…?
• For complex policies, you want to test the behaviour of the policy itself
• Today I will show that the component called a "policy engine" can be applied to a wide variety of use cases
Policy as Code
Policy as Code
• XXX as Code
• Infrastructure as Code, etc.
• A policy itself embodies important knowledge: the system's technical constraints, its security properties, and so on
• Defining policy independently, rather than embedding it in application code, keeps that knowledge from becoming implicit
Rego
• A language for describing policies
• Structured, and can hold hierarchical data structures
• Can handle JSON-like structures
• The result of applying a policy can likewise be expressed as a flexible data structure
• Input and output data structures are quite free-form
• Rich set of conditional expressions and functions
Rego syntax examples
• I will only convey the general feel
• For the exact syntax, refer to the official documentation: https://www.openpolicyagent.org/docs/latest/policy-language/
Rego syntax example: Variables
Rego syntax example: Object
Rego syntax example: Rule
Rego syntax example: Conditions
• Arithmetic, equality, inequality, bitwise operations and so on are of course defined, but all of them are treated as built-in functions
Rego syntax example: Built-in functions
• Bitwise operations, set operations, regular expressions, string manipulation
• Base64, URL, JSON/YAML, UUID
• Time
• Graphs
• Networking
• Tokens (JWT, etc.)
• Many other useful functions are provided out of the box
A simple example
• Authorizing an HTTP request
• The user "alice" is allowed to make a GET request to /hello
The Rego Playground
• You can write and try out Rego in the browser, which is convenient: https://play.openpolicyagent.org/
Testable
• You can write tests!
How to use Open Policy Agent
REST API
An API with authorization
• Authentication and authorization
• Authentication (Authenticate)
• Identifies "who" the caller is
• Authorization (Authorize)
• Decides "what they can (or cannot) do"
Let's implement RBAC
External Data
• In the examples so far, user_roles and role_permissions are fixed
• In real use you want them to change dynamically, with entries added and removed
• A mechanism for fetching the information needed to evaluate a policy from outside
Embedding in the request
• The side sending the request also sends additional information
• Of course this is no good if the data that arrives cannot be trusted
• Either rely on the premise that it can be trusted, or verify signed values such as a JWT before using them
https://www.openpolicyagent.org/docs/latest/external-data/
Pushing data (push)
• Push from outside every time there is an update
• Missed synchronization or lag could be a concern
• Cannot hold very large data sets
https://www.openpolicyagent.org/docs/latest/external-data/
Pulling data (pull)
• OPA can dynamically call external APIs (B)
• OPA's response time increases
• Seems to allow flexible integration
https://www.openpolicyagent.org/docs/latest/external-data/
Testing
Tests
• Put test files in the same directory as the policy
• Rules whose names start with "test_" are evaluated, and those become the tests
• Tests are run with the opa test command
• Coverage can also be measured
Mocking values
• The with keyword lets you substitute values
Where Open Policy Agent is useful
Where Open Policy Agent is useful
• My impression is that it is most often introduced in the context of Kubernetes permission management
• Here I will focus on other use cases
Envoy
What is Envoy: https://speakerdeck.com/kurochan/ru-men-envoy
What is Envoy
• An open-source L4/L7 proxy
• Intended for "modern service-oriented architectures"
• Developed with the goal of being a "universal data plane"
• High performance, highly extensible, and controllable via API
https://www.envoyproxy.io/docs/envoy/latest/intro/what_is_envoy
Envoy integration
• Integrating Envoy with OPA lets you build a gateway with authorization built in
• Only authorized traffic passes through
• Implementing the application servers behind it becomes easier
https://www.openpolicyagent.org/docs/latest/envoy-introduction/
Terraform
Applying policies to Terraform?
• A package called terraform.analysis is provided
• You can check whether the result of terraform plan is what you intended
• Built into CI and the like, it becomes an accident-prevention check
• Examples
• Have IAM settings been changed carelessly?
• Context such as "OK if the person running it is an administrator" could also be attached
• Are changes above a certain threshold being made all at once?
• Could prevent an environment from being destroyed by mistake
Terraform integration example
• Apply a policy to the result of terraform plan
Log monitoring
What happens when you apply policies to logs?
• Common things done in log monitoring
• Error counts
• Anomaly detection
• Log monitoring with complex conditions
• Unauthorized access from specific IP addresses
• Changes to the visibility settings of an S3 bucket
• etc.
• Couldn't OPA detect those…?
• Beyond making some decision, it can also be used to detect activity that matches specific conditions!
Customization
What we have seen so far
• Open Policy Agent is highly general-purpose as a component that returns the result of applying a policy to arbitrary input
• How do you embed Open Policy Agent in a service and use it?
REST API
• POST the input as JSON and the response comes back as JSON
Go API
• Can be called as a Go library
Ideas for adopting Open Policy Agent at the App Operations Center
What is the App Operations Center
• A development project taking on the reinvention of the retail industry, a giant 140-trillion-yen market
https://speakerdeck.com/kurochan/retail-dx-project
Systems being developed at the App Operations Center
• A system for collaborative sales promotion
• A membership app
• An e-commerce site
• A data platform
• Management screens for all of these
• We want to control access with a variety of policies
What is the App Operations Center
• A department that develops products to drive DX in the retail industry
• Develops all kinds of systems
• All kinds of systems = all kinds of APIs
• Authentication and authorization come up in many different scenarios
• Business requirements differ subtly for each, so we want to manage them properly as rules
• Momentum for Policy as Code…!
• Authentication => IdP, Authorization => ???
RBAC using Open Policy Agent (diagram: users A and B, resources A and B, allow/deny)
• We want to decide dynamically whether to allow access, depending on values in the database and the like
RBAC using Open Policy Agent
https://www.openpolicyagent.org/docs/latest/external-data/
• Cases where whether user A may access resource B changes dynamically
• Solved using External Data
A general-purpose architecture
• We want to turn the authentication/authorization mechanism into a template
• Envoy + OPA + Backend API
• Envoy: authorization gateway
• OPA: authorization policy engine
• Backend API: business logic
A general-purpose architecture (diagram: client, authorization information, backend)
Request/response flow (diagrams: client, request, authorization information, additional information, backend; the allowed pattern and the denied pattern)
Summary
Summary
• Introduced the open-source software Open Policy Agent
• Introduced how general-purpose a policy engine is
• Talked about ideas for adopting it at the App Operations Center
• Once we have an actual adoption case, I would like to present it somewhere
Thank you for watching.