New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Authz Matchers API proposal #421
Add Authz Matchers API proposal #421
Conversation
915da43
to
d98c0c5
Compare
|
||
## Why | ||
|
||
OPA authorizers are the single source of through to check if a given subject (e.g. identified by a bearer token) has access to a requested resource (e.g. read/write on metrics and/or logs). Querying either the in-process via rego or any REST OPA authorizer relays this task from the observatorium-api to a separate isolated component. In addition an OPA authorizer can relay the request further to a third-party system (e.g. RedHat AMS, OpenShift/Kubernetes API server). Upon successful authorization the OPA authorizer can request further information (e.g. list of sub-resources the subject has access) and pass it back to the observatorium api. Such further information can be used to further refine the read endpoints (e.g. return logs for kubernetes namespaces the subject has access to). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Here you are describing the "what" or "how". This section should be about "why we need something like this" independently of the implementation.
docs/proposals/drafts/20210709-opa-authorizer-labels-observatorium-api.md
Outdated
Show resolved
Hide resolved
d98c0c5
to
cbf0d50
Compare
cbf0d50
to
b23b8fb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to me! Just a comment about the cross-tenancy use case.
{ | ||
"result": true|false, | ||
"matchers": [ | ||
{ | ||
"name": "label key", | ||
"type": "MatchEqual|MatchNotEqual|MatchRegex|MatchNotReqex", | ||
"value": "label value" | ||
} | ||
] | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For cross-tenant use case, we would need to enforce different matchers depending on the tenant.
For example, Kafka people want to access CPU usage metric from OSD for their clusters, so we need to enforce {customer="kafka"}
only for OSD metrics accessed by someone from Kafka. A query like
kafka_price_per_cpu * cpu_usage_total{tenant="osd"}
needs to be converted to
kafka_price_per_cpu{tenant="kafka"} * cpu_usage_total{tenant="osd", customer="kafka"}
.
I propose to change this payload to something like
{ | |
"result": true|false, | |
"matchers": [ | |
{ | |
"name": "label key", | |
"type": "MatchEqual|MatchNotEqual|MatchRegex|MatchNotReqex", | |
"value": "label value" | |
} | |
] | |
} | |
{ | |
"result": true|false, | |
"matchers": { | |
"tenant-a": [ | |
{ | |
"name": "label key", | |
"type": "MatchEqual|MatchNotEqual|MatchRegex|MatchNotReqex", | |
"value": "label value" | |
} | |
], | |
"tenant-b": [] | |
} | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changing this payload right now is not required but we have to do this for cross-tenant queries in the future.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alright let's do this in a separate step. This doesn't hurt if we change this later.
The following design proposal provide an extension for the observatorium api to OPA authorizers. In particular this extension addresses the issue to refine queries to read endpoints with label matchers provided by the OPA authorizer. It is inspired by the work on tenant isolation. Although it goes one step further to handle dynamic label matchers provided by domain specific OPA authorizers in form of PromQL's
labels.Matcher
(See prometheus/pkg/labels/matcher.go).