feat(authz): add opa bundle support #3194
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
…o authz-opa-sdk * 'authz-opa-sdk' of https://github.com/flipt-io/flipt: docs: add mbezhanov as a contributor for code (#3197) feat: support environment variable substitution in config files (#3195)
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
|
marking this ready for a first pass while I work on the schema updates and testing with s3 |
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
markphelps
commented
Jun 20, 2024
markphelps
commented
Jun 20, 2024
| Data *AuthorizationSourceConfig `json:"data,omitempty" mapstructure:"data,omitempty" yaml:"data,omitempty"` | ||
| Required bool `json:"required,omitempty" mapstructure:"required" yaml:"required,omitempty"` | ||
| Backend AuthorizationBackend `json:"backend,omitempty" mapstructure:"backend" yaml:"backend,omitempty"` | ||
| Local *AuthorizationLocalConfig `json:"local,omitempty" mapstructure:"local,omitempty" yaml:"local,omitempty"` |
There was a problem hiding this comment.
note: this is a breaking config change, but since its still marked experimental i think its ok__
markphelps
commented
Jun 20, 2024
| } | ||
|
|
||
| tmpl = fmt.Sprintf(` | ||
| services: |
There was a problem hiding this comment.
this is gross i'll admit, but its how the OPA SDK has to be configured https://github.com/open-policy-agent/opa/blob/f05497530d337dfd30dbd31851209d3a25c1cf95/sdk/options.go#L27
There was a problem hiding this comment.
I went looking to see if they at-least had a struct they use to parse it back out, so we could use that and marshal it before we pass it, but even theres is just a pile of json RawMessage:
https://github.com/open-policy-agent/opa/blob/f05497530d337dfd30dbd31851209d3a25c1cf95/config/config.go#L23-L48
GeorgeMac
reviewed
Jun 20, 2024
GeorgeMac
approved these changes
Jun 20, 2024
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
Signed-off-by: Mark Phelps <209477+markphelps@users.noreply.github.com>
markphelps
added a commit
that referenced
this pull request
Jun 20, 2024
* 'main' of https://github.com/flipt-io/flipt: chore: Add views to Dagger (#3201) Update test.yml (#3200) feat(authz): add opa bundle support (#3194)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This adds the ability to use OPA bundles for loading in policies and data used to make authorization decisions
Currently, this PR adds the ability to pull a bundle from S3 (or Minio) via a similar configuration that we use for our AWS S3 Storage for declarative state
It also allows advanced users to configure the Bundle API in OPA using the full configuration if they wish: https://www.openpolicyagent.org/docs/latest/management-bundles/#bundle-service-api
In the future we want to add 'nice' configuration to support authorization sources such as:
OPA already has examples/docs on how to use the bundle API for the first 3, however Git will likely need to be a custom implementation.
This PR also moves around the configuration a bit for our existing
localauthz source support which continues to use the lower-level rego SDK.The plan is to extend the rego engine to also support pulling from Flipt Cloud API over HTTP, and likely to support Git as well since both of these methods will likely pull the 'raw' data and not a pre-packaged bundle like this new bundle engine does.
TODO
Add Integration TestsPITA, Im resorting to testing manually