Add OPA policy for SPIRE API authorization (#2416)

* server: Add registration policy backed by config * Implement OPA auth for general authorization of APIs * Change custom policy to experimental * Fix test err msg to lowercase * Add link to api sdk for reference Co-authored-by: R. Tyler Julian <tjulian@uber.com> Signed-off-by: Brandon Lum <lumjjb@gmail.com> Signed-off-by: R. Tyler Julian <tjulian@uber.com>
spiffe · Sep 2, 2021 · d994844 · d994844
1 parent f7f9f80
commit d994844
Show file tree

Hide file tree

Showing 34 changed files with 2,442 additions and 963 deletions.
diff --git a/cmd/spire-server/cli/run/run.go b/cmd/spire-server/cli/run/run.go
@@ -30,6 +30,7 @@ import (
 	"github.com/spiffe/spire/pkg/common/telemetry"
 	"github.com/spiffe/spire/pkg/common/util"
 	"github.com/spiffe/spire/pkg/server"
+	"github.com/spiffe/spire/pkg/server/authpolicy"
 	bundleClient "github.com/spiffe/spire/pkg/server/bundle/client"
 	"github.com/spiffe/spire/pkg/server/ca"
 	"github.com/spiffe/spire/pkg/server/endpoints/bundle"
@@ -105,6 +106,8 @@ type experimentalConfig struct {
 	CacheReloadInterval string `hcl:"cache_reload_interval"`
 
 	UnusedKeys []string `hcl:",unusedKeys"`
+
+	AuthOpaPolicyEngine *authpolicy.OpaEngineConfig `hcl:"auth_opa_policy_engine"`
 }
 
 type caSubjectConfig struct {
@@ -589,6 +592,8 @@ func NewServerConfig(c *Config, logOptions []log.Option, allowUnknownConfig bool
 		sc.CacheReloadInterval = interval
 	}
 
+	sc.AuthOpaPolicyEngineConfig = c.Server.Experimental.AuthOpaPolicyEngine
+
 	return sc, nil
 }
 

diff --git a/conf/server/server_full.conf b/conf/server/server_full.conf
@@ -131,6 +131,20 @@ server {
     #     # cache_reload_interval: The amount of time between two reloads of
     #     # the in-memory entry cache. Default: 5s.
     #     cache_reload_interval = "5s"
+    #
+    #     # auth_opa_policy_engine: The auth OPA policy engine used for authorization
+    #     # decision.
+    #     # For more details, refer to doc/authorization_policy_engine.md
+    #     auth_opa_policy_engine {
+    #         # Indicates that OPA provided through local files be used to
+    #         # instantiate the auth policy engine
+    #         local {
+    #             # Path to the rego file
+    #             rego_path = "./conf/server/policy.rego"
+    #             # Path to the policy data bindings (JSON data file)
+    #             policy_data_path = "./conf/server/policy_data.json"
+    #         }
+    #     }
     # }
 }