SlideShare a Scribd company logo
1 of 60
Download to read offline
@sometorin @OpenPolicyAgent
Open Policy Agent
@sometorin @OpenPolicyAgent
Torin Sandall
@sometorin
● Open Policy Agent co-founder and core contributor
● Istio and Kubernetes policy-related features
● ❤ good restaurants Copenhagen
@sometorin @OpenPolicyAgent
@sometorin @OpenPolicyAgent
@sometorin @OpenPolicyAgent
Policy decisions should be decoupled
from policy enforcement.
@sometorin @OpenPolicyAgent
Treat policy as a separate concern.
...just like DB, messaging, monitoring,
logging, orchestration, CI/CD...
@sometorin @OpenPolicyAgent
Gain better control and visibility over
policy throughout your system.
@sometorin @OpenPolicyAgent
Everyone is affected by policy...
@sometorin @OpenPolicyAgent
"QA must sign-off on
images deployed to the
production namespace."
"Restrict ELB changes to
senior SREs that are on-call."
"Analysts can read client data
but PII must be redacted."
"Give developers SSH access to
machines listed in JIRA tickets
assigned to them."
@sometorin @OpenPolicyAgent
Policy enforcement is a fundamental
problem for your organization.
@sometorin @OpenPolicyAgent
Tribal knowledge provides NO guarantee
that policies are being enforced.
"Tribal knowledge" is the know-how or collective wisdom of the organization.
@sometorin @OpenPolicyAgent
It is expensive and painful to maintain
policy decisions that are hardcoded into
the app.
@sometorin @OpenPolicyAgent
Service
OPA
Policy
(rego)
Data
(json)
OPA is an open source,
general-purpose policy
engine.
Policy
Query
Policy
Decision
@sometorin @OpenPolicyAgent
Decisions are decoupled
from enforcement.
Service
OPA
Policy
(rego)
Data
(json)
Policy
Query
Policy
Decision
Enforcement
@sometorin @OpenPolicyAgent
OPA is a host-local cache
for policy decisions.
Node
Service
OPA
Node
Service
OPA
@sometorin @OpenPolicyAgent
Node
Service
OPA
Node
Service
OPA
Node
Service
Node
Host Failures
OPA
Node
Service
Node
Network Partitions OPA
Network
Network
Fate Sharing
✔ Low latency
✔ High availability
@sometorin @OpenPolicyAgent
Service
OPA
Policy
(rego)
Data
(json)
Policy
Query
Policy
Decision
Policy and data are
stored in-memory.
No runtime dependencies
during enforcement.
Enforcement
@sometorin @OpenPolicyAgent
@sometorin @OpenPolicyAgent
details service
reviews service
ratings service
landing page service
@sometorin @OpenPolicyAgent
Demo: Authorization
landingpage
ratings
details
reviews
Input
{
"method": "GET",
"path": ["reviews", "bob"],
"user": "alice"
}
@sometorin @OpenPolicyAgent
Demo: Authorization
landingpage
ratings
details
reviews
Demo Policy
"Employees can see their own reviews and the
reviews of their subordinates."
"Employees can see their own PII. HR can
also see PII."
@sometorin @OpenPolicyAgent
Declarative Language (Rego)
● Is user X allowed to call operation Y on resource Z?
● Which annotations must be added to new Deployments?
● Which users can SSH into production machines?
@sometorin @OpenPolicyAgent
"Employees may read their own reviews and the reviews of
their subordinates."
@sometorin @OpenPolicyAgent
"Employees may read their own reviews [...]"
@sometorin @OpenPolicyAgent
"Employees may read their own reviews [...]"
Input
{"method": "GET",
"path": ["reviews", "bob"],
"user": "bob"}
@sometorin @OpenPolicyAgent
"Employees may read their own reviews [...]"
allow = true {
input.method = "GET"
input.path = ["reviews", employee_id]
input.user = employee_id
}
Input
{"method": "GET",
"path": ["reviews", "bob"],
"user": "bob"}
@sometorin @OpenPolicyAgent
allow = true {
input.method = "GET"
input.path = ["reviews", "bob"]
input.user = "bob"
}
Input
{"method": "GET",
"path": ["reviews", "bob"],
"user": "bob"}
"Employees may read their own reviews [...]"
@sometorin @OpenPolicyAgent
allow = true {
input.method = "GET" # OK
input.path = ["reviews", "bob"] # OK
input.user = "bob" # OK
}
Input
{"method": "GET",
"path": ["reviews", "bob"],
"user": "bob"}
"Employees may read their own reviews [...]"
@sometorin @OpenPolicyAgent
allow = true {
input.method = "GET"
input.path = ["reviews", employee_id]
input.user = employee_id
}
Input
{"method": "GET",
"path": ["reviews", "bob"],
"user": "alice"}
"Employees may read their own reviews [...]"
"alice" instead of "bob"
@sometorin @OpenPolicyAgent
allow = true {
input.method = "GET" # OK
input.path = ["reviews", "bob"] # OK
"alice" = "bob" # FAIL
}
"Employees may read their own reviews [...]"
Input
{"method": "GET",
"path": ["reviews", "bob"],
"user": "alice"}
"alice" instead of "bob"
@sometorin @OpenPolicyAgent
allow = true {
input.method = "GET" # OK
input.path = ["reviews", "bob"] # OK
"alice" = "bob" # FAIL
}
"Employees may read [...] the reviews of their subordinates."
Input
{"method": "GET",
"path": ["reviews", "bob"],
"user": "alice"}
"alice" instead of "bob"
@sometorin @OpenPolicyAgent
"Employees may read [...] the reviews of their subordinates."
allow = true {
input.method = "GET"
input.path = ["reviews", employee_id]
input.user = employee_id
}
Input
{"method": "GET",
"path": ["reviews", "bob"],
"user": "alice"}
Data (in-memory)
{"manager_of": {
"bob": "alice",
"alice": "janet"}}
@sometorin @OpenPolicyAgent
"Employees may read [...] the reviews of their subordinates."
allow = true {
input.method = "GET"
input.path = ["reviews", employee_id]
input.user = employee_id
}
allow = true {
input.method = "GET"
input.path = ["reviews", employee_id]
input.user = data.manager_of[employee_id]
}
Input
{"method": "GET",
"path": ["reviews", "bob"],
"user": "alice"}
Data (in-memory)
{"manager_of": {
"bob": "alice",
"alice": "janet"}}
@sometorin @OpenPolicyAgent
"Employees may read [...] the reviews of their subordinates."
allow = true {
input.method = "GET"
input.path = ["reviews", employee_id]
input.user = employee_id
}
allow = true {
input.method = "GET"
input.path = ["reviews", "bob"]
input.user = data.manager_of["bob"]
}
Input
{"method": "GET",
"path": ["reviews", "bob"],
"user": "alice"}
Data (in-memory)
{"manager_of": {
"bob": "alice",
"alice": "janet"}}
@sometorin @OpenPolicyAgent
"Employees may read [...] the reviews of their subordinates."
allow = true {
input.method = "GET"
input.path = ["reviews", employee_id]
input.user = employee_id
}
allow = true {
input.method = "GET"
input.path = ["reviews", "bob"]
input.user = "alice"
}
Input
{"method": "GET",
"path": ["reviews", "bob"],
"user": "alice"}
Data (in-memory)
{"manager_of": {
"bob": "alice",
"alice": "janet"}}
@sometorin @OpenPolicyAgent
"Employees may read [...] the reviews of their subordinates."
allow = true {
input.method = "GET"
input.path = ["reviews", employee_id]
input.user = employee_id
}
allow = true {
input.method = "GET" # OK
input.path = ["reviews", "bob"] # OK
input.user = "alice" # OK
}
Input
{"method": "GET",
"path": ["reviews", "bob"],
"user": "alice"}
Data (in-memory)
{"manager_of": {
"bob": "alice",
"alice": "janet"}}
@sometorin @OpenPolicyAgent
What about RBAC?
@sometorin @OpenPolicyAgent
RBAC solves XX% of the problem.
@sometorin @OpenPolicyAgent
RBAC is not enough.
"QA must sign-off on images
deployed to the production
namespace."
"Analysts can read client data but
PII must be redacted."
"Restrict employees from accessing
the service outside of work hours."
"Allow all HTTP requests
from 10.1.2.0/24."
"Restrict ELB changes to senior
SREs that are on-call."
"Give developers SSH access to machines
listed in JIRA tickets assigned to them."
"Prevent developers from running
containers with privileged security
contexts in the production
namespace." "Workloads for euro-bank must be
deployed on PCI-certified clusters in
the EU."
@sometorin @OpenPolicyAgent
...but everyone knows RBAC.
@sometorin @OpenPolicyAgent
Implement RBAC with OPA.
Data (in-memory)
bindings:
- user: inspector-alice
role: widget-reader
- user: maker-bob
role: widget-writer
roles:
- operation: read
resource: widgets
name: widget-reader
- operation: write
resource: widgets
name: widget-writer
@sometorin @OpenPolicyAgent
Implement RBAC with OPA.
Data (in-memory)
bindings:
- user: inspector-alice
role: widget-reader
- user: maker-bob
role: widget-writer
roles:
- operation: read
resource: widgets
name: widget-reader
- operation: write
resource: widgets
name: widget-writer
allow = true {
# Find binding(s) for user.
binding := data.bindings[_]
input.user = binding.user
@sometorin @OpenPolicyAgent
Implement RBAC with OPA.
Data (in-memory)
bindings:
- user: inspector-alice
role: widget-reader
- user: maker-bob
role: widget-writer
roles:
- operation: read
resource: widgets
name: widget-reader
- operation: write
resource: widgets
name: widget-writer
allow = true {
# Find binding(s) for user.
binding := data.bindings[_]
input.user = binding.user
# Find role(s) with permission.
role := data.roles[_]
input.resource = role.resource
input.operation = role.operation
@sometorin @OpenPolicyAgent
Implement RBAC with OPA.
Data (in-memory)
bindings:
- user: inspector-alice
role: widget-reader
- user: maker-bob
role: widget-writer
roles:
- operation: read
resource: widgets
name: widget-reader
- operation: write
resource: widgets
name: widget-writer
allow = true {
# Find binding(s) for user.
binding := data.bindings[_]
input.user = binding.user
# Find role(s) with permission.
role := data.roles[_]
input.resource = role.resource
input.operation = role.operation
# Check if binding matches role.
role.name = binding.role
}
@sometorin @OpenPolicyAgent
Data (in-memory)
bindings:
- user: inspector-alice
role: widget-reader
- user: maker-bob
role: widget-writer
roles:
- operation: read
resource: widgets
name: widget-reader
- operation: write
resource: widgets
name: widget-writer
Find bindings and
roles that match
input.
This rule searches over the RBAC data.
allow = true {
# Find binding(s) for user.
binding := data.bindings[_]
input.user = binding.user
# Find role(s) with permission.
role := data.roles[_]
input.resource = role.resource
input.operation = role.operation
# Check if binding matches role.
role.name = binding.role
}
@sometorin @OpenPolicyAgent
Partial Evaluation: rules + data ⇒ simplified rules
allow = true {
# Find binding(s) for user.
binding := data.bindings[_]
input.user = binding.user
# Find role(s) with permission.
role := data.roles[_]
input.resource = role.resource
input.operation = role.operation
# Check if binding matches role.
role.name = binding.role
}
Data (in-memory)
bindings:
- user: inspector-alice
role: widget-reader
- user: maker-bob
role: widget-writer
roles:
- operation: read
resource: widgets
name: widget-reader
- operation: write
resource: widgets
name: widget-writer
Partial Eval
allow = true {
input.user = "bob"
input.resource = "/widgets"
input.operation = "write"
}
allow = true {
input.user = "alice"
input.resource = "/widgets"
input.operation = "read"
}
@sometorin @OpenPolicyAgent
allow = true { ... }
allow = true { ... }
allow = true { ... }
allow = true { ... }
allow = true { ... }
# Many rules (100s, 1000s)
allow = true {
input.user = "alice"
input.resource = "/widgets"
input.operation = "read"
}
OPA builds an index from simplified rules.
input.resource
input.operation
input.user
... ...
"read" "write"
"/widgets"
"alice" "bob"
input.resource
Rule Indexing
Rule Rule
@sometorin @OpenPolicyAgent
OPA uses the index to quickly find applicable rules.
input.resource
input.operation
input.user
Rule
... ...
Rule
"read" "write"
"/widgets"
"alice" "bob"
input.resource
Query
allow
Input
{
"user": "alice",
"resource": "/widgets",
"operation": "read"
}
@sometorin @OpenPolicyAgent
OPA only evaluates applicable rules.
input.resource
input.operation
input.user
Rule
... ...
Rule
"read" "write"
"/widgets"
"alice" "bob"
input.resource
allow = true { ... }
allow = true { ... }
allow = true { ... }
allow = true { ... }
allow = true { ... }
# Many rules (100s, 1000s)
allow = true {
input.user = "alice"
input.resource = "/widgets"
input.operation = "read"
}
OPA ignores these.
@sometorin @OpenPolicyAgent
# Roles # Bindings Normal Eval (ms) With Partial Eval (ms)
250 250 5.50 0.0468
500 500 11.87 0.0591
1,000 1,000 21.64 0.0543
2,000 2,000 45.49 0.0624
blog.openpolicyagent.org
Partial Evaluation https://goo.gl/X6Qu6u
Rule Indexing https://goo.gl/uoSw3U
@sometorin @OpenPolicyAgent
"QA must sign-off on
images deployed to the
production namespace."
"Restrict ELB changes to
senior SREs that are on-call."
"Analysts can read client data
but PII must be redacted."
"Give developers SSH access to
machines listed in JIRA tickets
assigned to them."
@sometorin @OpenPolicyAgent
Use OPA to enforce
policy across the stack.
@sometorin @OpenPolicyAgent
It's all just data. deny {
is_read_operation
is_pii_topic
not in_pii_consumer_whitelist
}
operation: Read
resource:
name: credit-scores
resourceType: Topic
session:
principal:
principalType: User
name: CN=anon_producer,O=OPA
clientAddress: 172.21.0.5
deny {
not metadata.labels["qa-signoff"]
metadata.namespace == "prod"
spec.containers[_].privileged
}
metadata:
name: nginx-149353-bvl8q
namespace: production
spec:
containers:
- image: nginx
name: nginx
securityContext:
privileged: true
nodeName: minikube
allow {
input.method = "GET"
input.path = ["salary", user]
input.user = user
}
method: GET
path: /salary/bob
service.source:
namespace: production
service: landing_page
service.target:
namespace: production
service: details
user: alice
allow {
score = risk_budget
count(plan_names["aws_iam"]) == 0
blast_radius < 500
}
aws_autoscaling_group.lamb:
availability_zones#: '1'
availability_zones.3205: us-west-1a
desired_capacity: '4'
launch_configuration: kitten
wait_for_capacity_timeout: 10m
aws_instance.puppy:
ami: ami-09b4b74c
instance_type: t2.micro
@sometorin @OpenPolicyAgent
● Complex environment
○ >1,000 services
○ Many resource and identity types
○ Many protocols, languages, etc.
● Key requirements
○ Low latency
○ Flexible policies
○ Ability to capture intent
● Using OPA across the stack
○ HTTP and gRPC APIs
○ Kafka producers
○ SSH (coming soon)
User Study: Netflix
How Netflix is Solving Authorization Across Their Cloud
(KubeCon US 2017)
@sometorin @OpenPolicyAgent
orchestrator
API
ssh
app
host
container
dbcloud
20+ companies using OPA. Financial institutions,
service providers, IT companies, software vendors, etc.
Used across the stack. Microservices, orchestration,
provisioning, host daemons, data layer, security groups, etc.
Bring more use cases. RBAC, ABAC, admission
control, data protection, risk management, rate liming, auditing, etc.
@sometorin @OpenPolicyAgent
Demo
@sometorin @OpenPolicyAgent
Policy decisions should be decoupled
from policy enforcement.
@sometorin @OpenPolicyAgent
Try tutorials at openpolicyagent.org
HTTP API Authorization Admission Control Risk Management
SSH and sudoData Protection
@sometorin @OpenPolicyAgent
Leverage OPA to solve fundamental
policy and security problems.
@sometorin @OpenPolicyAgent
Thank You!
open-policy-agent/opa
Star us on GitHub.

More Related Content

What's hot

Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPAKnoldus Inc.
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing AuthorizationTorin Sandall
 
Opa gatekeeper
Opa gatekeeperOpa gatekeeper
Opa gatekeeperRita Zhang
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)Michael Man
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesTorin Sandall
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentCloudOps2005
 
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfCNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfLibbySchulze
 
JSON-LD: JSON for the Social Web
JSON-LD: JSON for the Social WebJSON-LD: JSON for the Social Web
JSON-LD: JSON for the Social WebGregg Kellogg
 
Admission controllers - PSP, OPA, Kyverno and more!
Admission controllers - PSP, OPA, Kyverno and more!Admission controllers - PSP, OPA, Kyverno and more!
Admission controllers - PSP, OPA, Kyverno and more!SebastienSEYMARC
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecAdam Paxton
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect Nat Sakimura
 
Running Kubernetes Across Multiple AWS Accounts (CON409) - AWS re:Invent 2018
Running Kubernetes Across Multiple AWS Accounts (CON409) - AWS re:Invent 2018Running Kubernetes Across Multiple AWS Accounts (CON409) - AWS re:Invent 2018
Running Kubernetes Across Multiple AWS Accounts (CON409) - AWS re:Invent 2018Amazon Web Services
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityRyan Dawson
 
Kubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep DiveKubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep DiveMichal Rostecki
 
Securing the Message Bus with Kafka Streams | Paul Otto and Ryan Salcido, Raf...
Securing the Message Bus with Kafka Streams | Paul Otto and Ryan Salcido, Raf...Securing the Message Bus with Kafka Streams | Paul Otto and Ryan Salcido, Raf...
Securing the Message Bus with Kafka Streams | Paul Otto and Ryan Salcido, Raf...HostedbyConfluent
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoOpsta
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - IntroductionKnoldus Inc.
 

What's hot (20)

Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPA
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing Authorization
 
Opa gatekeeper
Opa gatekeeperOpa gatekeeper
Opa gatekeeper
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in Kubernetes
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy Agent
 
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdfCNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
 
JSON-LD: JSON for the Social Web
JSON-LD: JSON for the Social WebJSON-LD: JSON for the Social Web
JSON-LD: JSON for the Social Web
 
Admission controllers - PSP, OPA, Kyverno and more!
Admission controllers - PSP, OPA, Kyverno and more!Admission controllers - PSP, OPA, Kyverno and more!
Admission controllers - PSP, OPA, Kyverno and more!
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI Spec
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
Introduction to OpenID Connect
Introduction to OpenID Connect Introduction to OpenID Connect
Introduction to OpenID Connect
 
Running Kubernetes Across Multiple AWS Accounts (CON409) - AWS re:Invent 2018
Running Kubernetes Across Multiple AWS Accounts (CON409) - AWS re:Invent 2018Running Kubernetes Across Multiple AWS Accounts (CON409) - AWS re:Invent 2018
Running Kubernetes Across Multiple AWS Accounts (CON409) - AWS re:Invent 2018
 
Identity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibilityIdentity management and single sign on - how much flexibility
Identity management and single sign on - how much flexibility
 
CNCF opa
CNCF opaCNCF opa
CNCF opa
 
Kubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep DiveKubernetes Networking with Cilium - Deep Dive
Kubernetes Networking with Cilium - Deep Dive
 
Securing the Message Bus with Kafka Streams | Paul Otto and Ryan Salcido, Raf...
Securing the Message Bus with Kafka Streams | Paul Otto and Ryan Salcido, Raf...Securing the Message Bus with Kafka Streams | Paul Otto and Ryan Salcido, Raf...
Securing the Message Bus with Kafka Streams | Paul Otto and Ryan Salcido, Raf...
 
Kubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with DemoKubernetes Secrets Management on Production with Demo
Kubernetes Secrets Management on Production with Demo
 
OAuth2 - Introduction
OAuth2 - IntroductionOAuth2 - Introduction
OAuth2 - Introduction
 

Similar to OPA Policy Engine for Decoupling Policy Decisions

Connect Intergration Patterns: A Case Study - Patrick Streule
Connect Intergration Patterns: A Case Study - Patrick StreuleConnect Intergration Patterns: A Case Study - Patrick Streule
Connect Intergration Patterns: A Case Study - Patrick StreuleAtlassian
 
JMP103 : Extending Your App Arsenal With OpenSocial
JMP103 : Extending Your App Arsenal With OpenSocialJMP103 : Extending Your App Arsenal With OpenSocial
JMP103 : Extending Your App Arsenal With OpenSocialRyan Baxter
 
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocialIBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocialIBM Connections Developers
 
Externalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services worldExternalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services worldSitaraman Lakshminarayanan
 
Joget Workflow v5 Training Slides - Module 18 - Integrating with External System
Joget Workflow v5 Training Slides - Module 18 - Integrating with External SystemJoget Workflow v5 Training Slides - Module 18 - Integrating with External System
Joget Workflow v5 Training Slides - Module 18 - Integrating with External SystemJoget Workflow
 
Agile methodologies based on BDD and CI by Nikolai Shevchenko
Agile methodologies based on BDD and CI by Nikolai ShevchenkoAgile methodologies based on BDD and CI by Nikolai Shevchenko
Agile methodologies based on BDD and CI by Nikolai ShevchenkoMoldova ICT Summit
 
[Test bash manchester] contract testing in practice
[Test bash manchester] contract testing in practice[Test bash manchester] contract testing in practice
[Test bash manchester] contract testing in practicePierre Vincent
 
The Open & Social Web - Kings of Code 2009
The Open & Social Web - Kings of Code 2009The Open & Social Web - Kings of Code 2009
The Open & Social Web - Kings of Code 2009Chris Chabot
 
IBM Connections Activity Stream 3rd Party Integration - Social Connect VI - P...
IBM Connections Activity Stream 3rd Party Integration - Social Connect VI - P...IBM Connections Activity Stream 3rd Party Integration - Social Connect VI - P...
IBM Connections Activity Stream 3rd Party Integration - Social Connect VI - P...James Gallagher
 
Chatting with HIpChat: APIs 101
Chatting with HIpChat: APIs 101Chatting with HIpChat: APIs 101
Chatting with HIpChat: APIs 101colleenfry
 
OpenSocial Intro
OpenSocial IntroOpenSocial Intro
OpenSocial IntroPamela Fox
 
Back to Basics, webinar 2: La tua prima applicazione MongoDB
Back to Basics, webinar 2: La tua prima applicazione MongoDBBack to Basics, webinar 2: La tua prima applicazione MongoDB
Back to Basics, webinar 2: La tua prima applicazione MongoDBMongoDB
 
Chaos Engineering Kubernetes
Chaos Engineering KubernetesChaos Engineering Kubernetes
Chaos Engineering KubernetesAlex Soto
 
PuppetDB: A Single Source for Storing Your Puppet Data - PUG NY
PuppetDB: A Single Source for Storing Your Puppet Data - PUG NYPuppetDB: A Single Source for Storing Your Puppet Data - PUG NY
PuppetDB: A Single Source for Storing Your Puppet Data - PUG NYPuppet
 
MongoDB in the Middle of a Hybrid Cloud and Polyglot Persistence Architecture
MongoDB in the Middle of a Hybrid Cloud and Polyglot Persistence ArchitectureMongoDB in the Middle of a Hybrid Cloud and Polyglot Persistence Architecture
MongoDB in the Middle of a Hybrid Cloud and Polyglot Persistence ArchitectureMongoDB
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Valerii Moisieienko
 
Supercharging your Organic CTR
Supercharging your Organic CTRSupercharging your Organic CTR
Supercharging your Organic CTRPhil Pearce
 
The Enterprise Architecture you always wanted: A Billion Transactions Per Mon...
The Enterprise Architecture you always wanted: A Billion Transactions Per Mon...The Enterprise Architecture you always wanted: A Billion Transactions Per Mon...
The Enterprise Architecture you always wanted: A Billion Transactions Per Mon...Thoughtworks
 
Evolving your Data Access with MongoDB Stitch
Evolving your Data Access with MongoDB StitchEvolving your Data Access with MongoDB Stitch
Evolving your Data Access with MongoDB StitchMongoDB
 

Similar to OPA Policy Engine for Decoupling Policy Decisions (20)

Connect Intergration Patterns: A Case Study - Patrick Streule
Connect Intergration Patterns: A Case Study - Patrick StreuleConnect Intergration Patterns: A Case Study - Patrick Streule
Connect Intergration Patterns: A Case Study - Patrick Streule
 
JMP103 : Extending Your App Arsenal With OpenSocial
JMP103 : Extending Your App Arsenal With OpenSocialJMP103 : Extending Your App Arsenal With OpenSocial
JMP103 : Extending Your App Arsenal With OpenSocial
 
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocialIBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
IBM Connect 2014 - JMP103: Extending Your Application Arsenal With OpenSocial
 
Externalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services worldExternalizing Authorization in Micro Services world
Externalizing Authorization in Micro Services world
 
Joget Workflow v5 Training Slides - Module 18 - Integrating with External System
Joget Workflow v5 Training Slides - Module 18 - Integrating with External SystemJoget Workflow v5 Training Slides - Module 18 - Integrating with External System
Joget Workflow v5 Training Slides - Module 18 - Integrating with External System
 
Agile methodologies based on BDD and CI by Nikolai Shevchenko
Agile methodologies based on BDD and CI by Nikolai ShevchenkoAgile methodologies based on BDD and CI by Nikolai Shevchenko
Agile methodologies based on BDD and CI by Nikolai Shevchenko
 
[Test bash manchester] contract testing in practice
[Test bash manchester] contract testing in practice[Test bash manchester] contract testing in practice
[Test bash manchester] contract testing in practice
 
The Open & Social Web - Kings of Code 2009
The Open & Social Web - Kings of Code 2009The Open & Social Web - Kings of Code 2009
The Open & Social Web - Kings of Code 2009
 
IBM Connections Activity Stream 3rd Party Integration - Social Connect VI - P...
IBM Connections Activity Stream 3rd Party Integration - Social Connect VI - P...IBM Connections Activity Stream 3rd Party Integration - Social Connect VI - P...
IBM Connections Activity Stream 3rd Party Integration - Social Connect VI - P...
 
Chatting with HIpChat: APIs 101
Chatting with HIpChat: APIs 101Chatting with HIpChat: APIs 101
Chatting with HIpChat: APIs 101
 
OpenSocial Intro
OpenSocial IntroOpenSocial Intro
OpenSocial Intro
 
Back to Basics, webinar 2: La tua prima applicazione MongoDB
Back to Basics, webinar 2: La tua prima applicazione MongoDBBack to Basics, webinar 2: La tua prima applicazione MongoDB
Back to Basics, webinar 2: La tua prima applicazione MongoDB
 
Chaos Engineering Kubernetes
Chaos Engineering KubernetesChaos Engineering Kubernetes
Chaos Engineering Kubernetes
 
PuppetDB: A Single Source for Storing Your Puppet Data - PUG NY
PuppetDB: A Single Source for Storing Your Puppet Data - PUG NYPuppetDB: A Single Source for Storing Your Puppet Data - PUG NY
PuppetDB: A Single Source for Storing Your Puppet Data - PUG NY
 
MongoDB in the Middle of a Hybrid Cloud and Polyglot Persistence Architecture
MongoDB in the Middle of a Hybrid Cloud and Polyglot Persistence ArchitectureMongoDB in the Middle of a Hybrid Cloud and Polyglot Persistence Architecture
MongoDB in the Middle of a Hybrid Cloud and Polyglot Persistence Architecture
 
Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)Can you keep a secret? (XP Days 2017)
Can you keep a secret? (XP Days 2017)
 
Supercharging your Organic CTR
Supercharging your Organic CTRSupercharging your Organic CTR
Supercharging your Organic CTR
 
The Enterprise Architecture you always wanted: A Billion Transactions Per Mon...
The Enterprise Architecture you always wanted: A Billion Transactions Per Mon...The Enterprise Architecture you always wanted: A Billion Transactions Per Mon...
The Enterprise Architecture you always wanted: A Billion Transactions Per Mon...
 
Documentation vs test about cucumber but not only for vegetarians
Documentation vs test about cucumber but not only for vegetariansDocumentation vs test about cucumber but not only for vegetarians
Documentation vs test about cucumber but not only for vegetarians
 
Evolving your Data Access with MongoDB Stitch
Evolving your Data Access with MongoDB StitchEvolving your Data Access with MongoDB Stitch
Evolving your Data Access with MongoDB Stitch
 

Recently uploaded

Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Karmanjay Verma
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Alkin Tezuysal
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 

Recently uploaded (20)

Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#Microservices, Docker deploy and Microservices source code in C#
Microservices, Docker deploy and Microservices source code in C#
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 

OPA Policy Engine for Decoupling Policy Decisions

  • 2. @sometorin @OpenPolicyAgent Torin Sandall @sometorin ● Open Policy Agent co-founder and core contributor ● Istio and Kubernetes policy-related features ● ❤ good restaurants Copenhagen
  • 5. @sometorin @OpenPolicyAgent Policy decisions should be decoupled from policy enforcement.
  • 6. @sometorin @OpenPolicyAgent Treat policy as a separate concern. ...just like DB, messaging, monitoring, logging, orchestration, CI/CD...
  • 7. @sometorin @OpenPolicyAgent Gain better control and visibility over policy throughout your system.
  • 9. @sometorin @OpenPolicyAgent "QA must sign-off on images deployed to the production namespace." "Restrict ELB changes to senior SREs that are on-call." "Analysts can read client data but PII must be redacted." "Give developers SSH access to machines listed in JIRA tickets assigned to them."
  • 10. @sometorin @OpenPolicyAgent Policy enforcement is a fundamental problem for your organization.
  • 11. @sometorin @OpenPolicyAgent Tribal knowledge provides NO guarantee that policies are being enforced. "Tribal knowledge" is the know-how or collective wisdom of the organization.
  • 12. @sometorin @OpenPolicyAgent It is expensive and painful to maintain policy decisions that are hardcoded into the app.
  • 13. @sometorin @OpenPolicyAgent Service OPA Policy (rego) Data (json) OPA is an open source, general-purpose policy engine. Policy Query Policy Decision
  • 14. @sometorin @OpenPolicyAgent Decisions are decoupled from enforcement. Service OPA Policy (rego) Data (json) Policy Query Policy Decision Enforcement
  • 15. @sometorin @OpenPolicyAgent OPA is a host-local cache for policy decisions. Node Service OPA Node Service OPA
  • 16. @sometorin @OpenPolicyAgent Node Service OPA Node Service OPA Node Service Node Host Failures OPA Node Service Node Network Partitions OPA Network Network Fate Sharing ✔ Low latency ✔ High availability
  • 17. @sometorin @OpenPolicyAgent Service OPA Policy (rego) Data (json) Policy Query Policy Decision Policy and data are stored in-memory. No runtime dependencies during enforcement. Enforcement
  • 19. @sometorin @OpenPolicyAgent details service reviews service ratings service landing page service
  • 21. @sometorin @OpenPolicyAgent Demo: Authorization landingpage ratings details reviews Demo Policy "Employees can see their own reviews and the reviews of their subordinates." "Employees can see their own PII. HR can also see PII."
  • 22. @sometorin @OpenPolicyAgent Declarative Language (Rego) ● Is user X allowed to call operation Y on resource Z? ● Which annotations must be added to new Deployments? ● Which users can SSH into production machines?
  • 23. @sometorin @OpenPolicyAgent "Employees may read their own reviews and the reviews of their subordinates."
  • 24. @sometorin @OpenPolicyAgent "Employees may read their own reviews [...]"
  • 25. @sometorin @OpenPolicyAgent "Employees may read their own reviews [...]" Input {"method": "GET", "path": ["reviews", "bob"], "user": "bob"}
  • 26. @sometorin @OpenPolicyAgent "Employees may read their own reviews [...]" allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } Input {"method": "GET", "path": ["reviews", "bob"], "user": "bob"}
  • 27. @sometorin @OpenPolicyAgent allow = true { input.method = "GET" input.path = ["reviews", "bob"] input.user = "bob" } Input {"method": "GET", "path": ["reviews", "bob"], "user": "bob"} "Employees may read their own reviews [...]"
  • 28. @sometorin @OpenPolicyAgent allow = true { input.method = "GET" # OK input.path = ["reviews", "bob"] # OK input.user = "bob" # OK } Input {"method": "GET", "path": ["reviews", "bob"], "user": "bob"} "Employees may read their own reviews [...]"
  • 29. @sometorin @OpenPolicyAgent allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} "Employees may read their own reviews [...]" "alice" instead of "bob"
  • 30. @sometorin @OpenPolicyAgent allow = true { input.method = "GET" # OK input.path = ["reviews", "bob"] # OK "alice" = "bob" # FAIL } "Employees may read their own reviews [...]" Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} "alice" instead of "bob"
  • 31. @sometorin @OpenPolicyAgent allow = true { input.method = "GET" # OK input.path = ["reviews", "bob"] # OK "alice" = "bob" # FAIL } "Employees may read [...] the reviews of their subordinates." Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} "alice" instead of "bob"
  • 32. @sometorin @OpenPolicyAgent "Employees may read [...] the reviews of their subordinates." allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} Data (in-memory) {"manager_of": { "bob": "alice", "alice": "janet"}}
  • 33. @sometorin @OpenPolicyAgent "Employees may read [...] the reviews of their subordinates." allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = data.manager_of[employee_id] } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} Data (in-memory) {"manager_of": { "bob": "alice", "alice": "janet"}}
  • 34. @sometorin @OpenPolicyAgent "Employees may read [...] the reviews of their subordinates." allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } allow = true { input.method = "GET" input.path = ["reviews", "bob"] input.user = data.manager_of["bob"] } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} Data (in-memory) {"manager_of": { "bob": "alice", "alice": "janet"}}
  • 35. @sometorin @OpenPolicyAgent "Employees may read [...] the reviews of their subordinates." allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } allow = true { input.method = "GET" input.path = ["reviews", "bob"] input.user = "alice" } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} Data (in-memory) {"manager_of": { "bob": "alice", "alice": "janet"}}
  • 36. @sometorin @OpenPolicyAgent "Employees may read [...] the reviews of their subordinates." allow = true { input.method = "GET" input.path = ["reviews", employee_id] input.user = employee_id } allow = true { input.method = "GET" # OK input.path = ["reviews", "bob"] # OK input.user = "alice" # OK } Input {"method": "GET", "path": ["reviews", "bob"], "user": "alice"} Data (in-memory) {"manager_of": { "bob": "alice", "alice": "janet"}}
  • 39. @sometorin @OpenPolicyAgent RBAC is not enough. "QA must sign-off on images deployed to the production namespace." "Analysts can read client data but PII must be redacted." "Restrict employees from accessing the service outside of work hours." "Allow all HTTP requests from 10.1.2.0/24." "Restrict ELB changes to senior SREs that are on-call." "Give developers SSH access to machines listed in JIRA tickets assigned to them." "Prevent developers from running containers with privileged security contexts in the production namespace." "Workloads for euro-bank must be deployed on PCI-certified clusters in the EU."
  • 41. @sometorin @OpenPolicyAgent Implement RBAC with OPA. Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer
  • 42. @sometorin @OpenPolicyAgent Implement RBAC with OPA. Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer allow = true { # Find binding(s) for user. binding := data.bindings[_] input.user = binding.user
  • 43. @sometorin @OpenPolicyAgent Implement RBAC with OPA. Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer allow = true { # Find binding(s) for user. binding := data.bindings[_] input.user = binding.user # Find role(s) with permission. role := data.roles[_] input.resource = role.resource input.operation = role.operation
  • 44. @sometorin @OpenPolicyAgent Implement RBAC with OPA. Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer allow = true { # Find binding(s) for user. binding := data.bindings[_] input.user = binding.user # Find role(s) with permission. role := data.roles[_] input.resource = role.resource input.operation = role.operation # Check if binding matches role. role.name = binding.role }
  • 45. @sometorin @OpenPolicyAgent Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer Find bindings and roles that match input. This rule searches over the RBAC data. allow = true { # Find binding(s) for user. binding := data.bindings[_] input.user = binding.user # Find role(s) with permission. role := data.roles[_] input.resource = role.resource input.operation = role.operation # Check if binding matches role. role.name = binding.role }
  • 46. @sometorin @OpenPolicyAgent Partial Evaluation: rules + data ⇒ simplified rules allow = true { # Find binding(s) for user. binding := data.bindings[_] input.user = binding.user # Find role(s) with permission. role := data.roles[_] input.resource = role.resource input.operation = role.operation # Check if binding matches role. role.name = binding.role } Data (in-memory) bindings: - user: inspector-alice role: widget-reader - user: maker-bob role: widget-writer roles: - operation: read resource: widgets name: widget-reader - operation: write resource: widgets name: widget-writer Partial Eval allow = true { input.user = "bob" input.resource = "/widgets" input.operation = "write" } allow = true { input.user = "alice" input.resource = "/widgets" input.operation = "read" }
  • 47. @sometorin @OpenPolicyAgent allow = true { ... } allow = true { ... } allow = true { ... } allow = true { ... } allow = true { ... } # Many rules (100s, 1000s) allow = true { input.user = "alice" input.resource = "/widgets" input.operation = "read" } OPA builds an index from simplified rules. input.resource input.operation input.user ... ... "read" "write" "/widgets" "alice" "bob" input.resource Rule Indexing Rule Rule
  • 48. @sometorin @OpenPolicyAgent OPA uses the index to quickly find applicable rules. input.resource input.operation input.user Rule ... ... Rule "read" "write" "/widgets" "alice" "bob" input.resource Query allow Input { "user": "alice", "resource": "/widgets", "operation": "read" }
  • 49. @sometorin @OpenPolicyAgent OPA only evaluates applicable rules. input.resource input.operation input.user Rule ... ... Rule "read" "write" "/widgets" "alice" "bob" input.resource allow = true { ... } allow = true { ... } allow = true { ... } allow = true { ... } allow = true { ... } # Many rules (100s, 1000s) allow = true { input.user = "alice" input.resource = "/widgets" input.operation = "read" } OPA ignores these.
  • 50. @sometorin @OpenPolicyAgent # Roles # Bindings Normal Eval (ms) With Partial Eval (ms) 250 250 5.50 0.0468 500 500 11.87 0.0591 1,000 1,000 21.64 0.0543 2,000 2,000 45.49 0.0624 blog.openpolicyagent.org Partial Evaluation https://goo.gl/X6Qu6u Rule Indexing https://goo.gl/uoSw3U
  • 51. @sometorin @OpenPolicyAgent "QA must sign-off on images deployed to the production namespace." "Restrict ELB changes to senior SREs that are on-call." "Analysts can read client data but PII must be redacted." "Give developers SSH access to machines listed in JIRA tickets assigned to them."
  • 52. @sometorin @OpenPolicyAgent Use OPA to enforce policy across the stack.
  • 53. @sometorin @OpenPolicyAgent It's all just data. deny { is_read_operation is_pii_topic not in_pii_consumer_whitelist } operation: Read resource: name: credit-scores resourceType: Topic session: principal: principalType: User name: CN=anon_producer,O=OPA clientAddress: 172.21.0.5 deny { not metadata.labels["qa-signoff"] metadata.namespace == "prod" spec.containers[_].privileged } metadata: name: nginx-149353-bvl8q namespace: production spec: containers: - image: nginx name: nginx securityContext: privileged: true nodeName: minikube allow { input.method = "GET" input.path = ["salary", user] input.user = user } method: GET path: /salary/bob service.source: namespace: production service: landing_page service.target: namespace: production service: details user: alice allow { score = risk_budget count(plan_names["aws_iam"]) == 0 blast_radius < 500 } aws_autoscaling_group.lamb: availability_zones#: '1' availability_zones.3205: us-west-1a desired_capacity: '4' launch_configuration: kitten wait_for_capacity_timeout: 10m aws_instance.puppy: ami: ami-09b4b74c instance_type: t2.micro
  • 54. @sometorin @OpenPolicyAgent ● Complex environment ○ >1,000 services ○ Many resource and identity types ○ Many protocols, languages, etc. ● Key requirements ○ Low latency ○ Flexible policies ○ Ability to capture intent ● Using OPA across the stack ○ HTTP and gRPC APIs ○ Kafka producers ○ SSH (coming soon) User Study: Netflix How Netflix is Solving Authorization Across Their Cloud (KubeCon US 2017)
  • 55. @sometorin @OpenPolicyAgent orchestrator API ssh app host container dbcloud 20+ companies using OPA. Financial institutions, service providers, IT companies, software vendors, etc. Used across the stack. Microservices, orchestration, provisioning, host daemons, data layer, security groups, etc. Bring more use cases. RBAC, ABAC, admission control, data protection, risk management, rate liming, auditing, etc.
  • 57. @sometorin @OpenPolicyAgent Policy decisions should be decoupled from policy enforcement.
  • 58. @sometorin @OpenPolicyAgent Try tutorials at openpolicyagent.org HTTP API Authorization Admission Control Risk Management SSH and sudoData Protection
  • 59. @sometorin @OpenPolicyAgent Leverage OPA to solve fundamental policy and security problems.