Slide 1

CyberAgent, Inc., AI Business Division
Introduction to Open Policy Agent: Toward Policy as Code
Yuta Kurosaki

Slide 2

Yuta Kurosaki
• Joined as a new graduate in FY2015
• AI Business Division, DX Division, App Operations Center: head of platform technology
• 🆕 CyberAgent CTO Office
• @kurochan @kuro_m88 #times_kurochan

Slide 3

What this talk covers
• An introduction to the software called Open Policy Agent
• Open Policy Agent is usually introduced in the context of authorization; here I step back a little and present it from the viewpoint of "policy"
• We plan to adopt it at the App Operations Center, so I also present the use cases we have in mind

Slide 4

Agenda
1. What is Open Policy Agent
2. Policy as Code
3. How to use Open Policy Agent
4. Where to use Open Policy Agent
5. Plans for adopting Open Policy Agent at the App Operations Center

Slide 5

What is Open Policy Agent

Slide 6

What is Open Policy Agent
• A lightweight, general-purpose "policy engine"
• Can run as a standalone process, or be embedded in a service as a library
• Also supports WebAssembly (policies can be compiled to Wasm)
• Usually abbreviated to OPA
• Applies a policy to a query and produces a result
• Policies are written in a language called Rego

Slide 7

What is a "policy"?
• A set of rules
• Some compare the input against conditions
• Some change dynamically, like a rate limit
• Some combine the above
• In the end, some decision is made

Slide 8

What separating out the policy engine means
• Implementing policy is hard
• Can you implement it correctly...?
• For a complex policy you want to test the behaviour of the policy itself
• This talk shows that a "policy engine" is a component that can be applied to many different use cases

Slide 9

Policy as Code

Slide 10

Policy as Code
• "XXX as Code", as in Infrastructure as Code
• A policy itself embodies important knowledge: the technical constraints of the system, its security requirements, and so on
• Defining it as a standalone policy, rather than embedding it in application code, also keeps that knowledge from turning into tacit knowledge that lives only in people's heads

Slide 11

Rego
• A language for writing policies
• Structured; can hold hierarchical data structures
• JSON-like structures can be handled directly
• The result of applying a policy can be expressed as an equally flexible data structure
• The shape of input and output is largely up to you
• A rich set of conditional expressions and functions

Slide 12

Rego syntax examples
• Just to give a feel for the language
• For the exact syntax, refer to the official documentation: https://www.openpolicyagent.org/docs/latest/policy-language/

Slide 13

Rego syntax example: variables

Slide 14

Rego syntax example: objects

Slide 15

Rego syntax example: rules

Slide 16

Rego syntax example: rules (continued)

Slide 17

Rego syntax example: conditions
• Arithmetic, equality, inequality, bitwise operations and so on are of course defined, but all of them are treated as built-in functions

Slide 18

Rego syntax example: built-in functions
• Bitwise operations, set operations, regular expressions, string manipulation
• Base64, URL, JSON/YAML, UUID
• Time
• Graphs
• Networking (CIDR handling)
• Tokens (JWT and the like)
• Many more useful functions come out of the box

Slide 19

A simple example
• Authorizing an HTTP request
• The user "alice" may send a GET request to /hello

Slide 20

The Rego Playground
• Handy for writing and trying out Rego in the browser: https://play.openpolicyagent.org/

Slide 21

Testable
• You can write tests!

Slide 22

Testable
• You can write tests! (continued)

Slide 23

How to use Open Policy Agent

Slide 24

REST API

Slide 25

An API with authorization
• Authentication and authorization
• Authentication (authenticate): identifying "who is this?"
• Authorization (authorize): deciding "what can they do (and not do)?"

Slide 26

Let's implement RBAC

Slide 27

External Data
• In the examples so far, the equivalents of user_roles and role_permissions are fixed in the policy
• In real use you want them to change dynamically, with entries added and removed
• A mechanism for obtaining the information the policy needs for evaluation from outside

Slide 28

Embedding it in the request
• The side sending the request attaches the extra information
• Of course this only works if the values sent can be trusted
• Either assume they can be trusted, or use values signed as a JWT (or similar) after verifying the signature
https://www.openpolicyagent.org/docs/latest/external-data/

Slide 29

Passing data in (push)
• Push to OPA every time the external source is updated
• Missed syncs and lag between the source and OPA could be a problem
• Not suited to very large data sets
https://www.openpolicyagent.org/docs/latest/external-data/

Slide 30

Fetching data (pull)
• OPA can call an external API dynamically during evaluation (B)
• OPA's response time grows by the time of that external call
• Seems easy to integrate flexibly
https://www.openpolicyagent.org/docs/latest/external-data/
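As an added example (mine, not from the deck or from the OPA project), here is an RBAC policy in Rego in which the user-to-role and role-to-permission tables live under `data`, so they can be pushed into a running OPA or loaded from a bundle without editing the policy (slides 27 and 29), while the caller's identity comes from a JWT verified inside the policy rather than from a bare, trusted `input.user` (slide 28). The package name, the input fields (`token`, `action`, `resource`), the data layout, the issuer URL and the placeholder public key are assumptions of this example; `import rego.v1` needs OPA 0.59 or later.

```rego
package rbac.authz

import rego.v1

default allow := false

# Identity comes from a JWT the caller presents in input.token. The claims are
# used only if the signature and issuer verify against the IdP's public key,
# which this example assumes is loaded into data.idp_public_key_pem.
claims := payload if {
	[valid, _, payload] := io.jwt.decode_verify(input.token, {
		"cert": data.idp_public_key_pem,
		"iss": "https://idp.example.com",
	})
	valid
}

# Roles directly assigned to the caller. data.user_roles is external data:
# it can be replaced at runtime through the Data API or a bundle without
# touching this file. Unknown subjects simply get no roles.
caller_roles contains role if {
	some role in data.user_roles[claims.sub]
}

# Roles may include other roles (data.role_inherits maps a role to the roles
# it includes). graph.reachable returns the assigned roles plus every role
# reachable from them; every role must appear as a key, with [] if it
# includes nothing.
effective_roles := graph.reachable(data.role_inherits, caller_roles)

# Allow when any effective role carries a permission matching the request.
allow if {
	some role in effective_roles
	some perm in data.role_permissions[role]
	perm.action == input.action
	perm.resource == input.resource
}

# Constructed data.json for trying this with
#   opa run --server -d rbac.rego -d data.json
# (the PEM value is a placeholder for the IdP signing key, not a real key):
# {
#   "idp_public_key_pem": "<PEM-encoded public key of the IdP>",
#   "user_roles": {"alice": ["billing-admin"], "bob": ["viewer"]},
#   "role_inherits": {"billing-admin": ["viewer"], "viewer": []},
#   "role_permissions": {
#     "billing-admin": [{"action": "write", "resource": "invoices"}],
#     "viewer": [{"action": "read", "resource": "invoices"}]
#   }
# }
# With that data alice's effective roles are billing-admin and viewer, so she
# may read and write invoices; bob may only read them.
```

Pushing an updated role table is one request to the Data API, for example `curl -X PUT localhost:8181/v1/data/user_roles -H 'Content-Type: application/json' -d '{"alice":["billing-admin"],"bob":["viewer"],"carol":["viewer"]}'`, and the next query sees it. Because that endpoint rewrites the authorization data, it must not be reachable unauthenticated: start OPA with `--authentication=token --authorization=basic` plus a system policy that restricts who may write under /v1/data, or keep the API on a network only the sync job can reach. The push approach also inherits the slide's caveat: if the sync job misses an update, OPA keeps authorizing against stale roles until the next push.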

Slide 31

Testing

Slide 32

Testing
• Put the test files in the same directory as the policy
• Rules whose names start with "test_" are evaluated, and each one is a test
• Run the tests with the opa test command
• Coverage measurement is also available (opa test --coverage)

Slide 33

Mocking values
• The with keyword replaces values (input, data) for the duration of an expression, which is how tests supply their own input and data
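Here is an added example (mine, not from the deck or from the OPA project) that puts the policy from slide 19 and its tests from slides 21, 22, 32 and 33 into a single file, so `opa test` runs it stand-alone. The package name, the input shape (`method`, `path` as an array of segments, `user`), the extra rules for `/users/<name>` and for a `data.public_prefixes` list, and keeping tests in the same file are assumptions of the example; the usual convention is a separate `*_test.rego` in the same directory, as slide 32 says. `import rego.v1` needs OPA 0.59 or later.

```rego
package httpapi.authz

import rego.v1

# ---- policy ----

# Deny by default: a request is allowed only if some allow rule below matches.
default allow := false

# The slide's example: user "alice" may GET /hello.
allow if {
	input.method == "GET"
	input.path == ["hello"]
	input.user == "alice"
}

# Any user may read their own profile at /users/<name>, nobody else's.
allow if {
	input.method == "GET"
	input.path == ["users", input.user]
}

# Paths whose first segment is listed in data.public_prefixes are readable by
# anyone. Keeping that list in data lets it change without editing the policy.
allow if {
	input.method == "GET"
	input.path[0] in data.public_prefixes
}

# ---- tests: opa test evaluates every rule whose name starts with test_ ----

test_alice_can_get_hello if {
	allow with input as {"method": "GET", "path": ["hello"], "user": "alice"}
}

test_bob_cannot_get_hello if {
	not allow with input as {"method": "GET", "path": ["hello"], "user": "bob"}
}

test_alice_cannot_post_hello if {
	not allow with input as {"method": "POST", "path": ["hello"], "user": "alice"}
}

test_own_profile_only if {
	allow with input as {"method": "GET", "path": ["users", "bob"], "user": "bob"}
	not allow with input as {"method": "GET", "path": ["users", "alice"], "user": "bob"}
}

# `with data.<path> as` mocks external data, so the test does not depend on
# whatever happens to be loaded into the OPA that runs it.
test_public_prefix_from_data if {
	allow with input as {"method": "GET", "path": ["docs", "intro"], "user": "bob"}
		with data.public_prefixes as ["docs"]
}

test_nothing_public_when_list_is_empty if {
	not allow with input as {"method": "GET", "path": ["docs", "intro"], "user": "bob"}
		with data.public_prefixes as []
}
```

Run `opa test -v .` in the directory holding the file, or `opa test --coverage .` for the coverage report. Once the same file is loaded into a server (`opa run --server policy.rego`), the decision is reachable over the REST API as `POST /v1/data/httpapi/authz/allow` with a body of `{"input": {"method": "GET", "path": ["hello"], "user": "alice"}}`, which returns `{"result": true}`. Note that the deny-by-default tests only pass because of the `default allow := false` line; without it a non-matching request evaluates to undefined rather than false, and a caller that treats "no result" as "not denied" would be open.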

Slide 34

Where to use Open Policy Agent

Slide 35

Where to use Open Policy Agent
• My impression is that it is mostly introduced in the context of access control for Kubernetes
• I'll focus on other uses

Slide 36

Envoy

Slide 37

What is Envoy
https://speakerdeck.com/kurochan/ru-men-envoy

Slide 38

What is Envoy
• An open-source L4/L7 proxy
• Aimed at "modern service-oriented architectures"
• Developed with the goal of being a "universal data plane"
• High performance, highly extensible, and controllable through APIs
https://www.envoyproxy.io/docs/envoy/latest/intro/what_is_envoy

Slide 39

Envoy integration
• Combining Envoy with OPA gives you a gateway with built-in authorization
https://www.openpolicyagent.org/docs/latest/envoy-introduction/

Slide 40

Envoy integration
• Combining Envoy with OPA gives you a gateway with built-in authorization
• Only authorized traffic gets through
• The application servers behind it have less to implement

Slide 41

Terraform

Slide 42

Applying policy to Terraform?
• The official OPA Terraform tutorial writes its policy in a package named terraform.analysis
• It lets you check whether the result of terraform plan is what you intended
• Built into CI, this becomes a check that prevents accidents
• Examples
  • Has an IAM setting been changed carelessly?
    • Context such as "OK if the person running it is an administrator" could be included as well
  • Are more changes than some threshold being made at once?
    • Could keep the environment from being destroyed by mistake

Slide 43

Example of Terraform integration
• Apply the policy to the output of terraform plan (exported as JSON with terraform show -json)
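The checks listed on slide 42, written out as an added example (mine; not from the deck, and not the tutorial policy from the OPA project, although it uses the same `terraform.analysis` package name). The input is the JSON plan produced by `terraform show -json`; who is running the pipeline is not part of the plan, so this example assumes it is supplied separately as `data.ci.actor` and `data.ci.admins`. The threshold, the list of IAM resource types and the list of resources that must never be destroyed are assumptions as well. `import rego.v1` needs OPA 0.59 or later.

```rego
package terraform.analysis

import rego.v1

# More than this many changed resources in one plan is treated as suspicious
# (assumed threshold; tune it to the size of normal changes in your repo).
max_changes := 10

# Resource types whose modification touches AWS IAM (assumed list).
iam_types := {
	"aws_iam_policy",
	"aws_iam_role",
	"aws_iam_role_policy",
	"aws_iam_role_policy_attachment",
	"aws_iam_user",
	"aws_iam_user_policy",
	"aws_iam_policy_attachment",
}

# Resources that must never be destroyed by an ordinary plan (assumed list).
protected_types := {"aws_db_instance", "aws_s3_bucket"}

# Resource changes that will actually modify infrastructure. Each entry of
# input.resource_changes carries change.actions such as ["create"], ["update"],
# ["delete"] or ["delete", "create"] for a replacement; "no-op" and "read"
# are ignored.
changes contains rc if {
	some rc in input.resource_changes
	some action in rc.change.actions
	action in {"create", "update", "delete"}
}

# The CI job is assumed to load {"ci": {"actor": "...", "admins": [...]}}.
actor_is_admin if {
	data.ci.actor in data.ci.admins
}

deny contains msg if {
	some rc in changes
	rc.type in iam_types
	not actor_is_admin
	msg := sprintf("%s changes IAM (%s) and must be applied by an administrator", [rc.address, concat(",", rc.change.actions)])
}

deny contains msg if {
	n := count(changes)
	n > max_changes
	msg := sprintf("plan changes %d resources at once, more than the limit of %d", [n, max_changes])
}

deny contains msg if {
	some rc in changes
	"delete" in rc.change.actions
	rc.type in protected_types
	msg := sprintf("%s would be destroyed", [rc.address])
}

# Gate for CI: defined (true) only when nothing was denied.
allow if {
	count(deny) == 0
}

# Constructed inputs for trying this out:
# plan.json (excerpt of `terraform show -json plan.bin`)
# {"resource_changes": [
#   {"address": "aws_iam_role.deploy", "type": "aws_iam_role",
#    "change": {"actions": ["update"]}},
#   {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
#    "change": {"actions": ["delete", "create"]}}
# ]}
# ci.json
# {"ci": {"actor": "bob", "admins": ["alice"]}}
# Here bob is not an administrator, so the IAM role update is denied, and the
# bucket replacement is denied because it deletes a protected resource.
```

In the pipeline: `terraform plan -out plan.bin && terraform show -json plan.bin > plan.json`, then `opa eval --fail -i plan.json -d terraform.rego -d ci.json 'data.terraform.analysis.allow'` exits non-zero when `allow` is undefined, and querying `data.terraform.analysis.deny` prints the reasons. The actor should come from the CI system's own identity of the job (for example the variable the CI provider sets for the triggering user), never from a field the author of the pull request can edit, or the administrator exception can be claimed by anyone.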

Slide 44

Log monitoring

Slide 45

What happens if you apply policy to logs?
• Things commonly done in log monitoring
  • Counting errors
  • Detecting anomalous values
  • Monitoring logs with complex conditions
    • Unauthorized access from a specific IP address
    • Changes to the visibility settings of an S3 bucket
    • and so on
• Couldn't OPA detect those...?
• Besides making decisions, it can also be used to detect activity that matches specific conditions!
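An added example of the idea on slide 45 (my code, not from the deck): detection rules run over a batch of AWS CloudTrail records placed in `input.records`. It flags changes to an S3 bucket's visibility, API calls from outside trusted networks using the network built-ins mentioned on slide 18, and a burst of AccessDenied errors from one principal. The record field names follow CloudTrail's format; the trusted CIDRs, the thresholds and the sample record are constructed for the example. `import rego.v1` needs OPA 0.59 or later.

```rego
package logs.detect

import rego.v1

# Source networks from which AWS API calls are expected (assumed; RFC 5737 ranges).
trusted_cidrs := {"203.0.113.0/24", "198.51.100.0/24"}

# S3 API calls that change who can see a bucket.
s3_visibility_calls := {
	"PutBucketAcl",
	"PutBucketPolicy",
	"DeleteBucketPolicy",
	"PutPublicAccessBlock",
	"DeletePublicAccessBlock",
}

# This many AccessDenied errors from one principal in a single batch is flagged (assumed).
max_denied := 5

# input.records is assumed to be an array of CloudTrail records such as this
# constructed one:
# {"eventID": "5f2a...", "eventSource": "s3.amazonaws.com",
#  "eventName": "PutBucketAcl", "sourceIPAddress": "192.0.2.10",
#  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"},
#  "requestParameters": {"bucketName": "customer-exports"}}
# which would raise both the visibility alert and the untrusted-network alert.

# 1. Someone changed the visibility of a bucket.
alerts contains alert if {
	some ev in input.records
	ev.eventSource == "s3.amazonaws.com"
	ev.eventName in s3_visibility_calls
	alert := {
		"rule": "s3-bucket-visibility-change",
		"event": ev.eventID,
		"principal": ev.userIdentity.arn,
		"bucket": ev.requestParameters.bucketName,
	}
}

# 2. An API call from outside the trusted networks. Calls made by AWS services
# carry a hostname instead of an address here, so only IPv4 literals are checked.
alerts contains alert if {
	some ev in input.records
	looks_like_ipv4(ev.sourceIPAddress)
	not from_trusted_network(ev.sourceIPAddress)
	alert := {
		"rule": "api-call-from-untrusted-network",
		"event": ev.eventID,
		"principal": ev.userIdentity.arn,
		"source_ip": ev.sourceIPAddress,
	}
}

# 3. One principal hitting AccessDenied repeatedly, the usual sign of someone
# probing what a stolen credential is allowed to do.
alerts contains alert if {
	some arn, n in denied_by_principal
	n >= max_denied
	alert := {"rule": "access-denied-burst", "principal": arn, "count": n}
}

looks_like_ipv4(s) if {
	regex.match(`^\d{1,3}(\.\d{1,3}){3}$`, s)
}

from_trusted_network(ip) if {
	some cidr in trusted_cidrs
	net.cidr_contains(cidr, ip)
}

# Number of AccessDenied records per principal ARN in this batch.
denied_by_principal[arn] := n if {
	some ev in input.records
	ev.errorCode == "AccessDenied"
	arn := ev.userIdentity.arn
	n := count([e |
		some e in input.records
		e.errorCode == "AccessDenied"
		e.userIdentity.arn == arn
	])
}
```

Feed a batch with `opa eval -i events.json -d detect.rego 'data.logs.detect.alerts'`, or load the policy into a server and POST batches to `/v1/data/logs/detect/alerts`. Each evaluation sees only the batch it is given, so the burst rule counts within a batch; for counting across batches, the running totals would have to be kept outside OPA and passed in as data.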

Slide 46

Customization

Slide 47

What we have learned so far
• As a component that applies a policy to arbitrary input and returns the result, Open Policy Agent is highly general-purpose
• So how do we embed Open Policy Agent in a service?

Slide 48

REST API
• POST the input as JSON and the decision comes back as JSON

Slide 49

Go API
• Can be called as a Go library

Slide 50

Ideas for adopting Open Policy Agent at the App Operations Center

Slide 51

What is the App Operations Center
• A development project taking on the reinvention of the retail industry, a huge market worth 140 trillion yen
https://speakerdeck.com/kurochan/retail-dx-project

Slide 52

Systems being developed at the App Operations Center
• Systems for joint sales promotion
• Membership apps
• EC sites
• Data platform
• Admin consoles for all of the above
• We want access control under a variety of policies

Slide 53

What is the App Operations Center
• A department that develops products driving DX in the retail industry
• It builds many different systems
• Many systems = many APIs
• Authentication and authorization come up in many different scenes
• The business requirements differ subtly for each, so we want to manage them properly as rules
• The moment for Policy as Code...!
• Authentication => IdP; authorization => ???

Slide 54

RBAC using Open Policy Agent
(diagram: users A and B requesting resources A and B, with two of the requests allowed and one denied)
• We want to decide dynamically whether to grant access, based on values in a database and the like

Slide 55

RBAC using Open Policy Agent
https://www.openpolicyagent.org/docs/latest/external-data/
• Cases where whether user A may access resource B changes dynamically
• Solved with External Data

Slide 56

A generic architecture
• We want to turn the authentication/authorization mechanism into a template
• Envoy + OPA + Backend API
• Envoy: authorization gateway
• OPA: authorization policy engine
• Backend API: business logic

Slide 57

A generic architecture
(diagram: client, authorization info, backend)

Slide 58

Request/response flow: the allowed pattern
(diagram: the client sends a request; labels: request, client, authorization info, backend)

Slide 60

Request/response flow: the allowed pattern
(diagram: the request is allowed; labels: request, client, authorization info, allow, additional info, backend)

Slide 61

Request/response flow: the allowed pattern
(diagram: the allowed request is forwarded to the backend; labels: request, client, authorization info, allow, additional info, backend)

Slide 63

Request/response flow: the denied pattern
(diagram: the request is denied before it reaches the backend; labels: request, client, authorization info, additional info, deny)
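An added example of the Envoy + OPA gateway from slides 39 and 40 and the flow diagrams of slides 56 to 63 (written for this page; not from the deck or from the OPA project): a policy for the OPA-Envoy plugin's External Authorization input. Envoy hands OPA the request under `input.attributes.request.http` (header names lowercased) and the plugin adds `input.parsed_path`; the policy verifies the bearer token, decides, and in the allowed pattern returns extra headers carrying the verified identity to the backend, which is the "additional info" in the diagrams. The package name, the issuer and audience values, the path and role rules, the shape of the `roles` claim and the assumption that the IdP public key is loaded into `data.idp_public_key_pem` are all choices of this example. `import rego.v1` needs OPA 0.59 or later.

```rego
package envoy.authz

import rego.v1

# Fail closed: anything not explicitly allowed below is answered with this
# object, which the plugin turns into an HTTP 403 for the client.
default allow := {"allowed": false, "http_status": 403, "body": "forbidden"}

http_request := input.attributes.request.http

# Bearer token from the Authorization header (Envoy lowercases header names).
token := t if {
	auth := http_request.headers.authorization
	startswith(auth, "Bearer ")
	t := substring(auth, count("Bearer "), -1)
}

# Claims are used only after signature, issuer and audience verify against the
# IdP public key, assumed to be loaded into data.idp_public_key_pem.
claims := payload if {
	[valid, _, payload] := io.jwt.decode_verify(token, {
		"cert": data.idp_public_key_pem,
		"iss": "https://idp.example.com",
		"aud": "backend-api",
	})
	valid
}

# Route rules: any authenticated user may read orders, only admins may change them.
permitted if {
	http_request.method == "GET"
	input.parsed_path[0] == "orders"
	claims.sub
}

permitted if {
	http_request.method in {"POST", "PUT", "DELETE"}
	input.parsed_path[0] == "orders"
	"admin" in claims.roles
}

# Allowed pattern: let the request through and attach the verified identity as
# headers, so the backend never parses or validates the token itself.
# The roles claim is assumed to be an array of strings.
allow := response if {
	permitted
	response := {
		"allowed": true,
		"headers": {
			"x-subject": claims.sub,
			"x-roles": concat(",", claims.roles),
		},
	}
}
```

Point the plugin at this rule in OPA's configuration (`plugins: {envoy_ext_authz_grpc: {addr: ":9191", path: "envoy/authz/allow"}}`) and configure Envoy's `ext_authz` HTTP filter to call it with `failure_mode_allow: false`, so that an OPA outage denies requests instead of letting everything through. The `x-subject` and `x-roles` headers are only trustworthy if the backend is reachable solely through Envoy; if a client can reach the backend directly, it can set those headers itself and the gateway's decision is bypassed.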

Slide 64

Summary

Slide 65

Summary
• Introduced the OSS project Open Policy Agent
• Showed how general-purpose a policy engine is
• Talked about ideas for adopting it at the App Operations Center
• Once we have an actual deployment, I would like to present it somewhere

Slide 66

Thank you for watching.