Add Authz Matchers API proposal #421
Conversation
periklis
force-pushed
the
authz-matchers-api-proposal
branch
7 times, most recently
from
915da43
to
d98c0c5
Compare
|
|
||
| ## Why | ||
|
|
||
| OPA authorizers are the single source of through to check if a given subject (e.g. identified by a bearer token) has access to a requested resource (e.g. read/write on metrics and/or logs). Querying either the in-process via rego or any REST OPA authorizer relays this task from the observatorium-api to a separate isolated component. In addition an OPA authorizer can relay the request further to a third-party system (e.g. RedHat AMS, OpenShift/Kubernetes API server). Upon successful authorization the OPA authorizer can request further information (e.g. list of sub-resources the subject has access) and pass it back to the observatorium api. Such further information can be used to further refine the read endpoints (e.g. return logs for kubernetes namespaces the subject has access to). |
There was a problem hiding this comment.
Here you are describing the "what" or "how". This section should be about "why we need something like this" independently of the implementation.
docs/proposals/drafts/20210709-opa-authorizer-labels-observatorium-api.md
Outdated
Show resolved
Hide resolved
periklis
force-pushed
the
authz-matchers-api-proposal
branch
from
d98c0c5
to
cbf0d50
Compare
periklis
force-pushed
the
authz-matchers-api-proposal
branch
from
cbf0d50
to
b23b8fb
Compare
| { | ||
| "result": true|false, | ||
| "matchers": [ | ||
| { | ||
| "name": "label key", | ||
| "type": "MatchEqual|MatchNotEqual|MatchRegex|MatchNotReqex", | ||
| "value": "label value" | ||
| } | ||
| ] | ||
| } |
There was a problem hiding this comment.
For cross-tenant use case, we would need to enforce different matchers depending on the tenant.
For example, Kafka people want to access CPU usage metric from OSD for their clusters, so we need to enforce {customer="kafka"} only for OSD metrics accessed by someone from Kafka. A query like
kafka_price_per_cpu * cpu_usage_total{tenant="osd"}
needs to be converted to
kafka_price_per_cpu{tenant="kafka"} * cpu_usage_total{tenant="osd", customer="kafka"}.
I propose to change this payload to something like
| { | |
| "result": true|false, | |
| "matchers": [ | |
| { | |
| "name": "label key", | |
| "type": "MatchEqual|MatchNotEqual|MatchRegex|MatchNotReqex", | |
| "value": "label value" | |
| } | |
| ] | |
| } | |
| { | |
| "result": true|false, | |
| "matchers": { | |
| "tenant-a": [ | |
| { | |
| "name": "label key", | |
| "type": "MatchEqual|MatchNotEqual|MatchRegex|MatchNotReqex", | |
| "value": "label value" | |
| } | |
| ], | |
| "tenant-b": [] | |
| } | |
| } |
There was a problem hiding this comment.
Changing this payload right now is not required but we have to do this for cross-tenant queries in the future.
There was a problem hiding this comment.
Alright let's do this in a separate step. This doesn't hurt if we change this later.
The following design proposal provide an extension for the observatorium api to OPA authorizers. In particular this extension addresses the issue to refine queries to read endpoints with label matchers provided by the OPA authorizer. It is inspired by the work on tenant isolation. Although it goes one step further to handle dynamic label matchers provided by domain specific OPA authorizers in form of PromQL's
labels.Matcher(See prometheus/pkg/labels/matcher.go).