Slide 1

Introduction to Open Policy Agent
Bo-Yi Wu, 2021/10/23

Slide 2

About me
• Software Engineer at MediaTek
• Member of the Drone CI/CD Platform
• Member of the Gitea Platform
• Member of the Gin Golang Framework
• Maintainer of some GitHub Actions plugins

Slide 3

Outline
• Why we need a Policy Engine?
• Why we choose Open Policy Agent?
• Workflow with Open Policy Agent
• What is the Policy Language (Rego)?
• RBAC and IAM Role Design
• Three ways to deploy Open Policy Agent

Slide 4

Why we need Policy Engine?

Slide 5

1. RBAC is Hard

Slide 6

Simple Group Permission

Slide 7

No content

Slide 8

{
  "group_roles": {
    "project_leader": ["kpi_editor_design", "viewer_limit_ds"],
    "software_leader": ["kpi_editor_design", "kpi_editor_system"]
  },
  "role_permissions": {
    "kpi_editor_design": [
      {"action": "view_all", "object": "design"},
      {"action": "edit", "object": "design"}
    ],
    "viewer_limit_ds": [
      {"action": "view_all", "object": "design"},
      {"action": "view_all", "object": "system"}
    ],
    "kpi_editor_design": [
      {"action": "view_all", "object": "design"},
      {"action": "edit", "object": "design"}
    ],
    "kpi_editor_system": [
      {"action": "view_all", "object": "system"},
      {"action": "edit", "object": "system"}
    ]
  }
}

Slide 9

2. Cross Multi-Service

Slide 10

Permission for multiple services

Slide 11

3. Applying to Multi-System

Slide 12

Permission for multiple systems

Slide 13

Why we choose Open Policy Agent?

Slide 14

Open Policy Engine
• Written in Golang
• Easy to write policy tests
• Easy to integrate with a Go application
• Embeddable in Go
• RESTful API

Slide 15

Request Workflow with Open Policy Agent

Slide 16

Client → Send Request

Slide 17

Client → Send Request → Ask Permission

Slide 18

Client → Send Request → Ask Permission → Response Result

Slide 19

Client → Send Request → Ask Permission → Response Result → Response to Client

Slide 20

Query Input and Result with policy engine

Slide 21

No content

Slide 22

Upload Data

Slide 23

Upload Data → Upload Policy Rule

Slide 24

Upload Data → Upload Policy Rule → Send Query Input
(Input can be ANY JSON value)

Slide 25

Upload Data → Upload Policy Rule → Send Query Input → Get Query Result
(Input can be ANY JSON value; Output can be ANY JSON value)

Slide 26

Policy Decision
• Data (JSON)
• Policy (Rego)
• Query Input (JSON)

Slide 27

RBAC Example (Role-based Access Control)

Slide 28

Data:

{
  "group_roles": {
    "project_leader": ["kpi_editor_design", "viewer_limit_ds"],
    "software_leader": ["kpi_editor_design", "kpi_editor_system"]
  },
  "role_permissions": {
    "kpi_editor_design": [
      {"action": "view_all", "object": "design"},
      {"action": "edit", "object": "design"}
    ],
    "viewer_limit_ds": [
      {"action": "view_all", "object": "design"},
      {"action": "view_all", "object": "system"}
    ],
    "kpi_editor_design": [
      {"action": "view_all", "object": "design"},
      {"action": "edit", "object": "design"}
    ],
    "kpi_editor_system": [
      {"action": "view_all", "object": "system"},
      {"action": "edit", "object": "system"}
    ]
  }
}

(The key "kpi_editor_design" appears twice in this document; both copies are identical, so a JSON parser keeping only one of them changes nothing here.)

Slide 29

Same data document as slide 28, annotated: Role (the role_permissions entries).

Slide 30

Same data document as slide 28, annotated: Group (the group_roles entries).

Slide 31

Input:

{
  "input": {
    "user": ["project_leader", "software_leader"],
    "action": "edit",
    "object": "design"
  }
}

Slide 32

Same input as slide 31, annotated: User groups (the "user" list holds the group names the user belongs to).

Slide 33

Policy:

package rbac.authz

import data.rbac.authz.acl
import input

# logic that implements RBAC.
default allow = false

allow {
    # lookup the list of roles for the user
    roles := acl.group_roles[input.user[_]]
    # for each role in that list
    r := roles[_]
    # lookup the permissions list for role r
    permissions := acl.role_permissions[r]
    # for each permission
    p := permissions[_]
    # check if the permission granted to r matches the user's request
    p == {"action": input.action, "object": input.object}
}
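The decision the policy above makes, restated in plain Go as an added example (this is not code from the deck or from OPA; the names LoadACL, Allow, ACL and Input are this example's own). It walks the same data document from slide 28 the same way the Rego rule does, group → role → permission, and is useful as an oracle when writing tests for the real policy, or for understanding exactly what "default allow = false" means: every path that does not find a matching permission ends in a deny.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Permission mirrors one entry of "role_permissions" in the slides' data document.
type Permission struct {
	Action string `json:"action"`
	Object string `json:"object"`
}

// ACL mirrors the document uploaded to OPA and imported as data.rbac.authz.acl.
type ACL struct {
	GroupRoles      map[string][]string     `json:"group_roles"`
	RolePermissions map[string][]Permission `json:"role_permissions"`
}

// Input mirrors the query input: the groups the user belongs to plus the requested action and object.
type Input struct {
	User   []string `json:"user"`
	Action string   `json:"action"`
	Object string   `json:"object"`
}

// aclJSON is a constructed copy of the data document shown on the slides.
// "kpi_editor_design" is listed twice there; encoding/json keeps the last copy, and both are identical.
const aclJSON = `{
  "group_roles": {
    "project_leader": ["kpi_editor_design", "viewer_limit_ds"],
    "software_leader": ["kpi_editor_design", "kpi_editor_system"]
  },
  "role_permissions": {
    "kpi_editor_design": [{"action": "view_all", "object": "design"}, {"action": "edit", "object": "design"}],
    "viewer_limit_ds": [{"action": "view_all", "object": "design"}, {"action": "view_all", "object": "system"}],
    "kpi_editor_design": [{"action": "view_all", "object": "design"}, {"action": "edit", "object": "design"}],
    "kpi_editor_system": [{"action": "view_all", "object": "system"}, {"action": "edit", "object": "system"}]
  }
}`

// LoadACL parses the data document. A malformed document is an error, never an implicit allow.
func LoadACL(doc string) (ACL, error) {
	var acl ACL
	if err := json.Unmarshal([]byte(doc), &acl); err != nil {
		return ACL{}, fmt.Errorf("parse acl: %w", err)
	}
	return acl, nil
}

// Allow restates the Rego rule: for every group in input.user, for every role of that group,
// for every permission of that role, allow if it equals {action, object}. Unknown groups or
// roles contribute no permissions (nil slice, no iterations), and anything that does not match
// falls through to false, exactly like "default allow = false".
func Allow(acl ACL, in Input) bool {
	for _, group := range in.User {
		for _, role := range acl.GroupRoles[group] {
			for _, p := range acl.RolePermissions[role] {
				if p.Action == in.Action && p.Object == in.Object {
					return true
				}
			}
		}
	}
	return false
}

func main() {
	acl, err := LoadACL(aclJSON)
	if err != nil {
		panic(err)
	}
	in := Input{User: []string{"project_leader", "software_leader"}, Action: "edit", Object: "design"}
	fmt.Printf("%+v -> allow=%v\n", in, Allow(acl, in)) // allow=true
	in = Input{User: []string{"project_leader"}, Action: "edit", Object: "system"}
	fmt.Printf("%+v -> allow=%v\n", in, Allow(acl, in)) // allow=false
}
```

The second query is the interesting one: project_leader holds kpi_editor_design and viewer_limit_ds, neither of which grants edit on system, so the loops finish without a match and the answer is the default deny rather than an error.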

Slide 34

Policy Language (Rego)

Slide 35

Rego Playground
https://play.openpolicyagent.org/

Slide 36

Define Rule

rule01 {
    input.x < input.y
}

rule02 = "foobar" {
    input.x < input.y
}

rule03 = x {
    x := input.x
    x < input.y
}

https://play.openpolicyagent.org/p/VAhiNzxm

Slide 37

Same rules as slide 36, annotated: rule01 returns a boolean.

Slide 38

Same rules as slide 36, annotated: rule01 returns a boolean; rule02 returns a string.

Slide 39

Same rules as slide 36, annotated: rule01 returns a boolean; rule02 returns a string; rule03 returns a variable.

Slide 40

And / Or condition

rule01 {
    input.x < input.y
    input.y < input.z
}

rule02 {
    input.x < input.y
}

rule02 {
    input.y < input.z
}

(rule01: and condition, both expressions in one body must hold; rule02: or condition, either definition of the rule may hold)

https://play.openpolicyagent.org/p/…

Slide 41

Default value

default rule01 = false
default rule02 = false

rule01 {
    input.x < input.y
    input.y < input.z
}

rule02 {
    input.x < input.y
}

rule02 {
    input.y < input.z
}

Slide 42

Golang:

func allow() bool {
    if input.group == "admin" {
        return true
    }
    if input.user == data.admin {
        return true
    }
    return false
}

Rego:

default allow = false

allow {
    input.group == "admin"
}

allow {
    input.user == data.admin
}

Slide 43

Find even numbers:

numbers = [1, 2, 3, 4, 5]

rule[x] {
    x := numbers[_]
    x % 2 == 0
}

Find latest images:

containers = {
    "app": {"image": "app:18.04"},
    "db": {"image": "db:latest"}
}

rule01[key] = image {
    image := containers[key].image
    endswith(image, ":latest")
}

Slide 44

numbers = [1, 2, 3, 4, 5]

rule01 {
    x := numbers[_]
    x < 0
}

rule02 {
    not rule01
}

positives {
    negative := [x | x := numbers[_]; x < 0]
    count(negative) == 0
}

Any number greater than zero:

numbers = [1, 2, 3, 4, 5]

rule {
    x := numbers[_]
    x > 0
}

All numbers greater than zero:

numbers = [-1, 2, 3, 4, 5]

rule {
    x := numbers[_]
    x > 0
}

A rule body that iterates with numbers[_] is true as soon as one element satisfies the condition, so the last snippet is still true despite the -1; checking that every element satisfies a condition needs negation (rule02) or a comprehension plus count (positives).

Slide 47

Go language:

func rule() []string {
    results := []string{}
    for _, img := range images {
        for _, repo := range repos {
            if strings.HasPrefix(img, repo) {
                results = append(results, img)
            }
        }
    }
    return results
}

Rego:

images = [
    "docker.io/nginx",
    "quay.io/ubuntu",
    "localhost/nginx"
]

repos = [
    "docker.io",
    "quay.io"
]

rule[image] {
    image = images[_]
    startswith(image, repos[_])
}

Slide 48

OPA Testing

Slide 49

rule07verify(answer) {
    rule07.db == answer
}

test_rule07 {
    rule07verify("db:latest") with input as {"containers": {
        "app": {"image": "app:18.04"},
        "db": {"image": "db:latest"},
    }}
    not rule07verify("db:latest") with input as {"containers": {
        "app": {"image": "app:18.04"},
        "db": {"image": "postgres:latest"},
    }}
}

Slide 50

Rule Testing

rule12verify(answer) {
    count(rule12) == answer
}

test_rule12 {
    rule12verify(2) with input as {
        "images": [
            "docker.io/nginx",
            "quay.io/ubuntu",
            "localhost/nginx",
        ],
        "repos": [
            "docker.io",
            "quay.io",
        ],
    }
}

rule12[image] {
    image = input.images[_]
    startswith(image, input.repos[_])
}

Slide 51

$ opa test -v .
data.example.test_rule01: PASS (5.9055ms)
data.example.test_rule02: PASS (157.292µs)
data.example.test_rule03: PASS (839.958µs)
data.example.test_rule04: PASS (150.125µs)
data.example.test_rule05: PASS (3.447417ms)
data.example.test_rule06: PASS (224.833µs)
data.example.test_rule07: PASS (721.959µs)
data.example.test_rule08: PASS (354.917µs)
data.example.test_rule09: PASS (207.583µs)
data.example.test_rule11: PASS (169.708µs)
data.example.test_rule12: PASS (198.042µs)
--------------------------------------------------------------------------------
PASS: 11/11

Source: https://github.com/go-training/opa-demo

Slide 52

Upload Data and Policy

Slide 53

No content

Slide 54

Data:

{
  "group_roles": {
    "admin": ["admin"],
    "project_leader": ["viewer_limit_ds"]
  },
  "role_permissions": {
    "admin": [
      {"action": "view_all", "object": "design"},
      {"action": "edit", "object": "design"}
    ],
    "viewer_limit_ds": [
      {"action": "view_all", "object": "design"},
      {"action": "view_all", "object": "system"}
    ],
    "viewer_limit_m": [{"action": "view_l3_project"}]
  }
}

Slide 55

Data: the same document as slide 54.

Policy:

package rbac.authz

import data.rbac.authz.acl
import input

default allow = false

allow {
    roles := acl.group_roles[input.user[_]]
    r := roles[_]
    permissions := acl.role_permissions[r]
    p := permissions[_]
    p == {"action": input.action, "object": input.object}
}

Slide 56

Query Result

Slide 57

No content

Slide 58

Input:

{
  "input": {
    "user": ["admin", "system_group_kpi_editor"],
    "action": "edit",
    "object": "design"
  }
}

Slide 59

Input:

{
  "input": {
    "user": ["admin", "system_group_kpi_editor"],
    "action": "edit",
    "object": "design"
  }
}

Result:

{
  "result": true
}

Slide 60

RBAC Design

Slide 61

No content

Slide 62

Login Flow

Slide 63

// GetUserGroupNames looks up the user's (nested) groups in Crowd and keeps the "prime_" ones.
func GetUserGroupNames(username string) ([]string, error) {
	if !helper.IsUsername(username) {
		return []string{}, errors.EBadRequest(errors.ErrUserNotExist, nil)
	}
	result := &getUserGroups{}
	response, err := resty.New().R().
		SetHeader("Content-Type", "application/json").
		SetHeader("Accept", "application/json").
		SetQueryParam("username", username).
		SetBasicAuth(config.Crowd.BasicUsername, config.Crowd.BasicPassword).
		SetResult(result).
		Get(config.Crowd.Address + "/user/group/nested")
	if err != nil {
		return []string{}, err
	}
	if response.StatusCode() != http.StatusOK {
		log.Error().Msg("failed to get user groups from crowd:" + response.String())
		// a non-200 answer must not be reported as "no groups"; surface it as an error
		return []string{}, fmt.Errorf("crowd returned status %d", response.StatusCode())
	}
	groups := []string{}
	for _, v := range result.Groups {
		if strings.HasPrefix(v.Name, "prime_") {
			groups = append(groups, v.Name)
		}
	}
	return groups, nil
}

Slide 64

Role Permission

Slide 65

Role Permission

Slide 66

# role-permissions assignments
role_permissions := {
    "admin": [
        {"action": "view_all", "object": "design"},
        {"action": "edit", "object": "design"},
        {"action": "view_all", "object": "system"},
        {"action": "edit", "object": "system"},
        {"action": "view_all", "object": "manufacture"},
        {"action": "edit", "object": "manufacture"},
    ],
    "quality_head_design": [
        {"action": "view_all", "object": "design"},
        {"action": "edit", "object": "design"},
        {"action": "view_all", "object": "system"},
        {"action": "view_all", "object": "manufacture"},
    ],
    "quality_head_system": [
        {"action": "view_all", "object": "design"},
        {"action": "view_all", "object": "system"},
        {"action": "edit", "object": "system"},
        {"action": "view_all", "object": "manufacture"},
    ],
    "quality_head_manufacture": [
        {"action": "view_all", "object": "design"},
        {"action": "view_all", "object": "system"},
        {"action": "view_all", "object": "manufacture"},
        {"action": "edit", "object": "manufacture"},
    ],
}

Slide 67

Role Permission

Slide 68

# user-role assignments
group_roles := {
    "prime_cqc_admin": ["admin"],
    "prime_cqc_design_quality_head": ["quality_head_design"],
    "prime_cqc_system_quality_head": ["quality_head_system"],
    "prime_cqc_manufacturing_quality_head": ["quality_head_manufacture"],
    "prime_cqc_design_kpi_editor": ["kpi_editor_design"],
    "prime_cqc_system_kpi_editor": ["kpi_editor_system"],
    "prime_cqc_manufacturing_kpi_editor": ["kpi_editor_manufacture"],
    "prime_cqc_viewer": ["viewer"],
    "prime_cqc_limitedviewer_design_system": ["viewer_limit_ds"],
    "prime_cqc_limitedviewer_manufacturing": ["viewer_limit_m"],
}

Slide 69

Role Permission

Slide 70

# user-role assignments
group_roles := {
    # for testing
    "design_group_kpi_editor": ["kpi_editor_design", "viewer_limit_ds"],
    "system_group_kpi_editor": ["kpi_editor_system", "viewer_limit_ds"],
    "manufacture_group_kpi_editor": ["kpi_editor_manufacture", "viewer"],
    "project_leader": ["viewer_limit_ds", "viewer_limit_m"],
}

Slide 71

RBAC Testing

Slide 72

test_design_group_kpi_editor {
    allow with input as {"user": ["design_group_kpi_editor"], "action": "view_all", "object": "design"}
    allow with input as {"user": ["design_group_kpi_editor"], "action": "edit", "object": "design"}
    allow with input as {"user": ["design_group_kpi_editor"], "action": "view_all", "object": "system"}
    not allow with input as {"user": ["design_group_kpi_editor"], "action": "edit", "object": "system"}
    not allow with input as {"user": ["design_group_kpi_editor"], "action": "view_all", "object": "manufacture"}
    not allow with input as {"user": ["design_group_kpi_editor"], "action": "edit", "object": "manufacture"}
}

Slide 73

$ opa test -v ./module/opa/policy/*.rego
data.rbac.authz.test_design_group_kpi_editor: PASS (13.0495ms)
data.rbac.authz.test_system_group_kpi_editor: PASS (2.158583ms)
data.rbac.authz.test_manufacture_group_kpi_editor: PASS (2.235167ms)
data.rbac.authz.test_project_leader: PASS (1.90625ms)
--------------------------------------------------------------------------------
PASS: 4/4

Slide 74

How about Dynamic Actions and Dynamic Resources?

Slide 75

Amazon Web Services IAM

Slide 76

Amazon Web Services IAM

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FirstStatement",
      "Effect": "Allow",
      "Action": ["iam:ChangePassword"],
      "Resource": "*"
    },
    {
      "Sid": "SecondStatement",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "ThirdStatement",
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::confidential-data",
        "arn:aws:s3:::confidential-data/*"
      ]
    }
  ]
}

Slide 77

Policy:

package aws

default allow = false

allow {
    actions_match
    resources_match
}

actions_match {
    # iterate over the actions in the list
    actions := ["s3:List.*", "s3:Get.*"]
    action := actions[_]
    # check if input.action matches an action
    regex.globs_match(input.action, action)
}

resources_match {
    # iterate over the resources in the list
    resources := ["arn:aws:s3:::confidential-data", "arn:aws:s3:::confidential-data/.*"]
    resource := resources[_]
    # check if input.resource matches a resource
    regex.globs_match(input.resource, resource)
}

Source: https://www.openpolicyagent.org/docs/latest/comparison-to-other-systems/#amazon-web-services-iam

Data: the IAM policy document from slide 76.

Slide 79

How to resolve Multiple Statement and Multiple Effect?

Slide 80

Permission Data:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "FirstStatement",
      "Effect": "Allow",
      "Action": ["iam:ChangePassword"],
      "Resource": "*"
    },
    {
      "Sid": "SecondStatement",
      "Effect": "Deny",
      "Action": "s3:GetFile",
      "Resource": "*"
    },
    {
      "Sid": "ThirdStatement",
      "Effect": "Allow",
      "Action": [
        "s3:List*",
        "s3:Get*"
      ],
      "Resource": [
        "arn:aws:s3:::bucket",
        "arn:aws:s3:::bucket/*"
      ]
    }
  ]
}

Input Data:

{
  "action": "s3:GetFile",
  "Resource": "arn:aws:s3:::bucket"
}

Slide 82

package iam.authz

default authorized = false

has_resource[statement_id] {
    statement_resource := data.statements[statement_id].resources[_]
    regex.globs_match(input.resource, statement_resource)
}

has_action[statement_id] {
    statement_action := data.statements[statement_id].actions[_]
    regex.globs_match(input.action, statement_action)
}

match[[effect, statement_id]] {
    effect := data.statements[statement_id].effect
    has_resource[statement_id]
    has_action[statement_id]
}

allow {
    match[["allow", _]]
}

deny {
    match[["deny", _]]
}

authorized {
    allow
    not deny
}
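The multi-statement, multi-effect resolution above, restated in Go as an added example (not code from the deck, OPA or AWS; LoadStatements, Authorize and stringOrList are this example's own names). Two things the slides leave implicit are made explicit here: the policy reads data.statements[id] with fields effect/actions/resources and lower-case effects, whereas the IAM document on slide 80 carries Statement/Sid/Effect/Action/Resource with Action and Resource allowed to be either a string or a list, so the block converts between the two layouts; and the slide 80 input spells the resource key "Resource" while the policy reads input.resource, a case mismatch worth checking before trusting a deny. The "*" wildcard is expanded to an anchored regular expression, the same idea as the ".*" patterns on slide 77.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// stringOrList accepts IAM's shorthand: "Action" and "Resource" may be one string or a list.
type stringOrList []string

func (s *stringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = stringOrList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = many
	return nil
}

type iamStatement struct {
	Sid      string       `json:"Sid"`
	Effect   string       `json:"Effect"`
	Action   stringOrList `json:"Action"`
	Resource stringOrList `json:"Resource"`
}

// Statement is the layout the slide's Rego reads under data.statements[<id>]:
// a lower-cased effect plus action and resource patterns.
type Statement struct {
	Effect    string
	Actions   []string
	Resources []string
}

// LoadStatements converts an IAM policy document into that layout, keyed by Sid.
// A statement without a Sid gets a positional key (an assumption of this example).
func LoadStatements(doc string) (map[string]Statement, error) {
	var p struct{ Statement []iamStatement }
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	out := make(map[string]Statement, len(p.Statement))
	for i, st := range p.Statement {
		id := st.Sid
		if id == "" {
			id = fmt.Sprintf("statement%d", i)
		}
		out[id] = Statement{Effect: strings.ToLower(st.Effect), Actions: st.Action, Resources: st.Resource}
	}
	return out, nil
}

// matchAny reports whether value matches one of the IAM wildcard patterns ("s3:Get*",
// "arn:aws:s3:::bucket/*"). Only "*" is special; everything else is matched literally.
func matchAny(patterns []string, value string) bool {
	for _, p := range patterns {
		re := "^" + strings.ReplaceAll(regexp.QuoteMeta(p), `\*`, ".*") + "$"
		if regexp.MustCompile(re).MatchString(value) {
			return true
		}
	}
	return false
}

// Authorize reproduces the slide's rule: a statement matches when an action pattern and a
// resource pattern both match the request; the request is authorized only if some "allow"
// statement matches and no "deny" statement does. An explicit deny therefore wins over any
// allow, and a request matching nothing falls through to the default of false.
// The matching statement ids are returned (sorted) so a decision can be explained in logs.
func Authorize(statements map[string]Statement, action, resource string) (authorized bool, allow, deny []string) {
	for id, s := range statements {
		if !matchAny(s.Actions, action) || !matchAny(s.Resources, resource) {
			continue
		}
		switch s.Effect {
		case "allow":
			allow = append(allow, id)
		case "deny":
			deny = append(deny, id)
		}
	}
	sort.Strings(allow)
	sort.Strings(deny)
	return len(allow) > 0 && len(deny) == 0, allow, deny
}

// policyJSON is a constructed copy of the permission data document from slide 80.
const policyJSON = `{"Version": "2012-10-17", "Statement": [
  {"Sid": "FirstStatement", "Effect": "Allow", "Action": ["iam:ChangePassword"], "Resource": "*"},
  {"Sid": "SecondStatement", "Effect": "Deny", "Action": "s3:GetFile", "Resource": "*"},
  {"Sid": "ThirdStatement", "Effect": "Allow", "Action": ["s3:List*", "s3:Get*"],
   "Resource": ["arn:aws:s3:::bucket", "arn:aws:s3:::bucket/*"]}]}`

func main() {
	stmts, err := LoadStatements(policyJSON)
	if err != nil {
		panic(err)
	}
	ok, allow, deny := Authorize(stmts, "s3:GetFile", "arn:aws:s3:::bucket")
	fmt.Printf("authorized=%v allow=%v deny=%v\n", ok, allow, deny) // authorized=false allow=[ThirdStatement] deny=[SecondStatement]
}
```

For the slide 80 input, ThirdStatement allows s3:GetFile on the bucket through s3:Get* while SecondStatement denies the same action on every resource, so the explicit deny wins and authorized is false, which is what the Rego's "allow; not deny" body produces.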

Slide 83

Three Ways to Deploy Open Policy Agent

Slide 84

Architectural Flexibility
• Embed in a Go application
• Deploy in a single project (REST API)
• Deploy one OPA service (REST API)

Slide 85

Embed in Go Application

Slide 86

Deploy in Single Project

Slide 87

Deploy one OPA service
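The REST API deployment options (one OPA service, or one per project) mean the application asks OPA over HTTP with exactly the Input/Result shape shown on slides 58 and 59: POST /v1/data/rbac/authz/allow with {"input": ...} and a {"result": ...} reply. The following is an added client example, not code from the deck or from OPA; Client, Decide and fakeOPA are this example's own names, and fakeOPA is a stand-in server (applying only the "admin" rule from slide 42) so the block runs offline. The check a practitioner wants is the one on the undefined case: a rule with no default and no matching body makes OPA answer {} with no "result" key at all, and the client must treat that, like any transport error, as a deny rather than as "not forbidden".

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Client queries a standalone OPA server through its REST Data API.
type Client struct {
	BaseURL string
	HTTP    *http.Client
}

// NewClient sets a request timeout so a stalled policy server cannot hang the caller.
func NewClient(baseURL string) *Client {
	return &Client{BaseURL: baseURL, HTTP: &http.Client{Timeout: 2 * time.Second}}
}

// Decide sends POST /v1/data/<rulePath> with {"input": ...} and returns the boolean result.
// OPA replies {"result": <value>}; for an undefined rule it replies {} without a "result"
// key. A missing or non-boolean result, a non-200 status and any transport error all
// return false together with an error, so the caller fails closed.
func (c *Client) Decide(rulePath string, input map[string]interface{}) (bool, error) {
	body, err := json.Marshal(map[string]interface{}{"input": input})
	if err != nil {
		return false, err
	}
	resp, err := c.HTTP.Post(c.BaseURL+"/v1/data/"+rulePath, "application/json", bytes.NewReader(body))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("opa: unexpected HTTP status %d", resp.StatusCode)
	}
	var out struct {
		Result *bool `json:"result"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return false, fmt.Errorf("opa: decode response: %w", err)
	}
	if out.Result == nil {
		return false, errors.New("opa: result undefined (rule missing or no default set)")
	}
	return *out.Result, nil
}

// fakeOPA is a stand-in for a real OPA server so the example runs offline. It speaks the
// same request and response shape and applies the slides' simplest rule: allow when the
// user's groups include "admin". Any other rule path gets the reply OPA gives for an
// undefined document, an empty object.
func fakeOPA() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req struct {
			Input struct {
				User []string `json:"user"`
			} `json:"input"`
		}
		if r.Method != http.MethodPost || json.NewDecoder(r.Body).Decode(&req) != nil {
			http.Error(w, `{"code": "invalid_parameter"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		if r.URL.Path != "/v1/data/rbac/authz/allow" {
			fmt.Fprint(w, `{}`)
			return
		}
		allowed := false
		for _, g := range req.Input.User {
			if g == "admin" {
				allowed = true
			}
		}
		json.NewEncoder(w).Encode(map[string]bool{"result": allowed})
	}))
}

func main() {
	srv := fakeOPA()
	defer srv.Close()
	c := NewClient(srv.URL)
	input := map[string]interface{}{"user": []string{"admin", "system_group_kpi_editor"}, "action": "edit", "object": "design"}
	ok, err := c.Decide("rbac/authz/allow", input)
	fmt.Println("allow:", ok, "err:", err) // allow: true err: <nil>
	_, err = c.Decide("rbac/authz/missing", input)
	fmt.Println("undefined rule ->", err) // fails closed with an error
}
```

Against a real OPA the same client works unchanged once the data and policy have been uploaded (PUT /v1/data/... and PUT /v1/policies/...), and the rulePath is the policy's package path plus rule name, rbac/authz/allow for the policy on slide 55.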

Slide 88

AWS Lambda Function With OPA

Slide 89

Thanks