@sometorin @OpenPolicyAgent
Open Policy Agent
Torin Sandall
● Open Policy Agent co-founder and core contributor
● Istio and Kubernetes policy-related features
● ❤ good restaurants Copenhagen
Policy decisions should be decoupled from policy enforcement.

Treat policy as a separate concern.
...just like DB, messaging, monitoring, logging, orchestration, CI/CD...

Gain better control and visibility over policy throughout your system.

Everyone is affected by policy...
"QA must sign-off on images deployed to the production namespace."
"Restrict ELB changes to senior SREs that are on-call."
"Analysts can read client data but PII must be redacted."
"Give developers SSH access to machines listed in JIRA tickets assigned to them."

Policy enforcement is a fundamental problem for your organization.

Tribal knowledge provides NO guarantee that policies are being enforced.
"Tribal knowledge" is the know-how or collective wisdom of the organization.

It is expensive and painful to maintain policy decisions that are hardcoded into the app.
OPA is an open source, general-purpose policy

Decisions are decoupled from enforcement.

OPA is a host-local cache for policy decisions.
[Diagram: OPA deployed alongside the service it protects, annotated with Host Failures, Network Partitions, and Fate Sharing]
✔ Low latency
✔ High availability

Policy and data are stored in-memory. No runtime dependencies during enforcement.

[Diagram: demo application made up of a details service, a reviews service, a ratings service, and a landing page service]
Demo: Authorization

```json
{"method": "GET",
 "path": ["reviews", "bob"],
 "user": "alice"}
```

Demo Policy
"Employees can see their own reviews and the reviews of their subordinates."
"Employees can see their own PII. HR can also see PII."

Declarative Language (Rego)
● Is user X allowed to call operation Y on resource Z?
● Which annotations must be added to new Deployments?
● Which users can SSH into production machines?
"Employees may read their own reviews and the reviews of their subordinates."

"Employees may read their own reviews [...]"

Input:

```json
{"method": "GET",
 "path": ["reviews", "bob"],
 "user": "bob"}
```

Rule:

```rego
allow = true {
    input.method = "GET"
    input.path = ["reviews", employee_id]
    input.user = employee_id
}
```

Evaluating the rule against this input binds employee_id to "bob" from the path, and every expression in the body succeeds:

```rego
allow = true {
    input.method = "GET"              # OK
    input.path = ["reviews", "bob"]   # OK
    input.user = "bob"                # OK
}
```

Now the same request from a different user: "alice" instead of "bob".

```json
{"method": "GET",
 "path": ["reviews", "bob"],
 "user": "alice"}
```

```rego
allow = true {
    input.method = "GET"              # OK
    input.path = ["reviews", "bob"]   # OK
    "alice" = "bob"                   # FAIL
}
```

"Employees may read [...] the reviews of their subordinates."

Data (in-memory):

```json
{"manager_of": {
    "bob": "alice",
    "alice": "janet"}}
```

A second rule covers the subordinate case by looking up the employee's manager in data:

```rego
allow = true {
    input.method = "GET"
    input.path = ["reviews", employee_id]
    input.user = employee_id
}

allow = true {
    input.method = "GET"
    input.path = ["reviews", employee_id]
    input.user = data.manager_of[employee_id]
}
```

With the alice request, the second rule binds employee_id to "bob", looks up data.manager_of["bob"], which is "alice", and succeeds:

```rego
allow = true {
    input.method = "GET"              # OK
    input.path = ["reviews", "bob"]   # OK
    input.user = "alice"              # OK
}
```
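The two rules traced above, written out as one complete policy with unit tests. This is an added example, not code from the slides or from the OPA project. It uses the `import rego.v1` syntax (`if`, `contains`, `in`) that current OPA releases accept, whereas the slides use the older `allow = true { ... }` form. Assumptions beyond the slides: the manager check walks `data.manager_of` transitively via `graph.reachable` (the slides check only the direct manager), PII requests take the shape `GET /pii/<employee_id>`, and HR membership comes from an assumed `data.hr_staff` list; the fixtures in the tests are constructed.

```rego
package reviews

import rego.v1

# Deny unless one of the allow rules below succeeds.
default allow := false

# The employee whose reviews are being requested: GET /reviews/<employee_id>.
requested_employee := employee_id if {
    input.method == "GET"
    ["reviews", employee_id] = input.path
}

# "Employees may read their own reviews [...]"
allow if {
    input.user == requested_employee
}

# "Employees may read [...] the reviews of their subordinates."
# Generalised from the slides: every manager up the chain qualifies,
# not only the direct manager recorded in data.manager_of.
allow if {
    input.user in managers_of(requested_employee)
}

# All managers above an employee, walking data.manager_of transitively.
managers_of(employee) := managers if {
    edges := {e: {m} | some e, m in data.manager_of}
    managers := graph.reachable(edges, {employee}) - {employee}
}

# "Employees can see their own PII. HR can also see PII."
# Assumed request shape GET /pii/<employee_id>; assumed data.hr_staff list.
allow if {
    input.method == "GET"
    ["pii", employee_id] = input.path
    input.user == employee_id
}

allow if {
    input.method == "GET"
    ["pii", _] = input.path
    input.user in data.hr_staff
}

# --- Unit tests (run with `opa test -v .`); fixtures are constructed ---

manager_of_fixture := {"bob": "alice", "alice": "janet"}

test_own_reviews_allowed if {
    allow with input as {"method": "GET", "path": ["reviews", "bob"], "user": "bob"}
          with data.manager_of as manager_of_fixture
}

test_direct_manager_reads_subordinate_reviews if {
    allow with input as {"method": "GET", "path": ["reviews", "bob"], "user": "alice"}
          with data.manager_of as manager_of_fixture
}

test_skip_level_manager_reads_subordinate_reviews if {
    allow with input as {"method": "GET", "path": ["reviews", "bob"], "user": "janet"}
          with data.manager_of as manager_of_fixture
}

test_subordinate_cannot_read_manager_reviews if {
    not allow with input as {"method": "GET", "path": ["reviews", "alice"], "user": "bob"}
              with data.manager_of as manager_of_fixture
}

test_write_is_not_covered if {
    not allow with input as {"method": "POST", "path": ["reviews", "bob"], "user": "bob"}
              with data.manager_of as manager_of_fixture
}

test_hr_reads_any_pii if {
    allow with input as {"method": "GET", "path": ["pii", "bob"], "user": "hannah"}
          with data.hr_staff as ["hannah"]
}

test_manager_cannot_read_subordinate_pii if {
    not allow with input as {"method": "GET", "path": ["pii", "bob"], "user": "alice"}
              with data.hr_staff as ["hannah"]
              with data.manager_of as manager_of_fixture
}
```

Each `allow` rule is an independent way to reach `true`, which is how the slides layer the "own reviews" and "subordinates' reviews" cases; the `default allow := false` line makes the deny case explicit rather than undefined, so a caller that checks for `true` and anything else behaves the same way.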
What about RBAC?

RBAC solves XX% of the problem.

RBAC is not enough.
"QA must sign-off on images deployed to the production namespace."
"Analysts can read client data but PII must be redacted."
"Restrict employees from accessing the service outside of work hours."
"Allow all HTTP requests
"Restrict ELB changes to senior SREs that are on-call."
"Give developers SSH access to machines listed in JIRA tickets assigned to them."
"Prevent developers from running containers with privileged security contexts in the production namespace."
"Workloads for euro-bank must be deployed on PCI-certified clusters in the EU."

...but everyone knows RBAC.
Implement RBAC with OPA.

Data (in-memory):

```yaml
bindings:
  - user: inspector-alice
    role: widget-reader
  - user: maker-bob
    role: widget-writer
roles:
  - operation: read
    resource: widgets
    name: widget-reader
  - operation: write
    resource: widgets
    name: widget-writer
```

The rule is built up in three steps: find the bindings for the user, find the roles that carry the requested permission, then require a role name that joins the two.

```rego
allow = true {
    # Find binding(s) for user.
    binding := data.bindings[_]
    input.user = binding.user

    # Find role(s) with permission.
    role := data.roles[_]
    input.resource = role.resource
    input.operation = role.operation

    # Check if binding matches role.
    role.name = binding.role
}
```

This rule searches over the RBAC data: it finds the bindings and roles that match.
Partial Evaluation: rules + data ⇒ simplified rules

Given the RBAC rule above and the bindings and roles data, partial evaluation folds the data into the rule and produces one simplified rule per matching (binding, role) pair:

```rego
allow = true {
    input.user = "bob"
    input.resource = "/widgets"
    input.operation = "write"
}

allow = true {
    input.user = "alice"
    input.resource = "/widgets"
    input.operation = "read"
}
```
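The RBAC search from the slides as a complete policy with unit tests, serving both the RBAC walkthrough and the partial evaluation slide above. This is an added example, not code from the slides or from the OPA project; it is written in `rego.v1` syntax rather than the slides' `allow = true { ... }` form. Beyond the slides it adds a `granting_roles` set and a `decision` object so the engine can report which role granted a request, and the `grants` helper and the test fixture are assumptions of this example.

```rego
package rbac

import rego.v1

default allow := false

# True when the binding belongs to the requesting user and the role it names
# grants the requested operation on the requested resource.
grants(binding, role) if {
    # Find binding(s) for user.
    binding.user == input.user
    # Check if binding matches role.
    role.name == binding.role
    # Find role(s) with permission.
    role.resource == input.resource
    role.operation == input.operation
}

# The slides' rule: search bindings and roles for any pair that grants access.
allow if {
    some binding in data.bindings
    some role in data.roles
    grants(binding, role)
}

# Every role name that grants the request; useful for explaining a decision.
granting_roles contains role.name if {
    some binding in data.bindings
    some role in data.roles
    grants(binding, role)
}

# Decision record for an audit log, alongside the boolean.
decision := {"user": input.user, "allow": allow, "granted_by": granting_roles}

# --- Unit tests (opa test -v .); fixture mirrors the slides' data ---

fixture := {
    "bindings": [
        {"user": "inspector-alice", "role": "widget-reader"},
        {"user": "maker-bob", "role": "widget-writer"},
    ],
    "roles": [
        {"operation": "read", "resource": "widgets", "name": "widget-reader"},
        {"operation": "write", "resource": "widgets", "name": "widget-writer"},
    ],
}

test_reader_can_read if {
    allow with input as {"user": "inspector-alice", "resource": "widgets", "operation": "read"}
          with data.bindings as fixture.bindings
          with data.roles as fixture.roles
}

test_reader_cannot_write if {
    not allow with input as {"user": "inspector-alice", "resource": "widgets", "operation": "write"}
              with data.bindings as fixture.bindings
              with data.roles as fixture.roles
}

test_unknown_user_denied if {
    not allow with input as {"user": "mallory", "resource": "widgets", "operation": "read"}
              with data.bindings as fixture.bindings
              with data.roles as fixture.roles
}

test_decision_names_granting_role if {
    d := decision with input as {"user": "maker-bob", "resource": "widgets", "operation": "write"}
                  with data.bindings as fixture.bindings
                  with data.roles as fixture.roles
    d.allow == true
    d.granted_by == {"widget-writer"}
}
```

To reproduce the partial evaluation step from the slides on this policy, put the bindings and roles into a `data.json` and run `opa eval --partial --unknowns input --data rbac.rego --data data.json 'data.rbac.allow'`: OPA evaluates everything that depends only on data and leaves behind only the conditions on `input`, which is what the rule indexer then works from.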
Rule Indexing

```rego
# Many rules (100s, 1000s)
allow = true { ... }
allow = true { ... }
allow = true { ... }
allow = true { ... }
allow = true { ... }

allow = true {
    input.user = "alice"
    input.resource = "/widgets"
    input.operation = "read"
}
```

OPA builds an index from simplified rules.

[Diagram: a decision tree over the values the simplified rules compare input fields against, branching on "alice" / "bob" / ... and then on "read" / "write" / ..., with each leaf pointing at a Rule]

OPA uses the index to quickly find applicable rules. For the input

```json
{"user": "alice",
 "resource": "/widgets",
 "operation": "read"}
```

the index walk reaches only the rule whose conditions can match. OPA only evaluates applicable rules; the other rules are ignored.
| # Roles | # Bindings | Normal Eval (ms) | With Partial Eval (ms) |
|---------|------------|------------------|------------------------|
| 250     | 250        | 5.50             | 0.0468                 |
| 500     | 500        | 11.87            | 0.0591                 |
| 1,000   | 1,000      | 21.64            | 0.0543                 |
| 2,000   | 2,000      | 45.49            | 0.0624                 |

Partial Evaluation: https://goo.gl/X6Qu6u
Rule Indexing: https://goo.gl/uoSw3U
"QA must sign-off on images deployed to the production namespace."
"Restrict ELB changes to senior SREs that are on-call."
"Analysts can read client data but PII must be redacted."
"Give developers SSH access to machines listed in JIRA tickets assigned to them."

Use OPA to enforce policy across the stack.
It's all just data.

Kafka topic authorization:

```rego
deny {
    not in_pii_consumer_whitelist
}
```

```
operation: Read
name: credit-scores
resourceType: Topic
principalType: User
name: CN=anon_producer,O=OPA
```

Kubernetes admission control:

```rego
deny {
    not metadata.labels["qa-signoff"]
    metadata.namespace == "prod"
}
```

```
name: nginx-149353-bvl8q
namespace: production
- image: nginx
  name: nginx
  privileged: true
nodeName: minikube
```

HTTP API authorization:

```rego
allow {
    input.method = "GET"
    input.path = ["salary", user]
    input.user = user
}
```

```
method: GET
path: /salary/bob
namespace: production
service: landing_page
namespace: production
service: details
user: alice
```

Provisioning plan (risk management):

```rego
allow {
    score = risk_budget
    count(plan_names["aws_iam"]) == 0
    blast_radius < 500
}
```

```
availability_zones#: '1'
availability_zones.3205: us-west-1a
desired_capacity: '4'
launch_configuration: kitten
wait_for_capacity_timeout: 10m
ami: ami-09b4b74c
instance_type: t2.micro
```
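The Kubernetes admission snippet above, expanded into a complete policy with unit tests. This is an added example, not code from the slides or from the OPA project, and it is written in `rego.v1` syntax. It assumes the pod arrives inside an AdmissionReview at `input.request.object`, that both namespace names the slides use ("prod" and "production") count as production, and it adds the privileged-container check from the "RBAC is not enough" slide as a second `deny` rule; the `review` helper and the pod fixture are constructed for the tests.

```rego
package kubernetes.admission

import rego.v1

# The object under review; AdmissionReview requests carry it here.
pod := input.request.object

# Assumption: both namespace names used on the slides count as production.
production_namespaces := {"prod", "production"}

# "QA must sign-off on images deployed to the production namespace."
deny contains msg if {
    pod.metadata.namespace in production_namespaces
    not pod.metadata.labels["qa-signoff"]
    msg := sprintf("pod %s in %s has no qa-signoff label", [pod.metadata.name, pod.metadata.namespace])
}

# "Prevent developers from running containers with privileged security
# contexts in the production namespace."
deny contains msg if {
    pod.metadata.namespace in production_namespaces
    some container in pod.spec.containers
    container.securityContext.privileged == true
    msg := sprintf("container %s in pod %s requests privileged: true", [container.name, pod.metadata.name])
}

# --- Unit tests (opa test -v .); fixtures are constructed ---

# Wraps a pod object in the AdmissionReview shape the rules expect.
review(obj) := {"request": {"kind": {"kind": "Pod"}, "object": obj}}

# Mirrors the pod shown on the slide: production namespace, privileged nginx.
privileged_pod := {
    "metadata": {"name": "nginx-149353-bvl8q", "namespace": "production"},
    "spec": {
        "nodeName": "minikube",
        "containers": [{"name": "nginx", "image": "nginx", "securityContext": {"privileged": true}}],
    },
}

test_privileged_unsigned_pod_denied_for_both_reasons if {
    ar := review(privileged_pod)
    msgs := deny with input as ar
    count(msgs) == 2
}

test_signed_off_unprivileged_pod_admitted if {
    p := object.union(privileged_pod, {
        "metadata": {"labels": {"qa-signoff": "2018-05-01"}},
        "spec": {"containers": [{"name": "nginx", "image": "nginx"}]},
    })
    ar := review(p)
    msgs := deny with input as ar
    count(msgs) == 0
}

test_non_production_namespace_not_checked if {
    p := object.union(privileged_pod, {"metadata": {"namespace": "dev"}})
    ar := review(p)
    msgs := deny with input as ar
    count(msgs) == 0
}
```

Because `deny` is a set, each violated requirement contributes its own message and the admission webhook can return all of them at once; an empty set means the pod is admitted, so the first test checks for exactly two reasons and the others for none.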
User Study: Netflix
How Netflix is Solving Authorization Across Their Cloud (KubeCon US 2017)
● Complex environment
○ >1,000 services
○ Many resource and identity types
○ Many protocols, languages, etc.
● Key requirements
○ Low latency
○ Flexible policies
○ Ability to capture intent
● Using OPA across the stack
○ HTTP and gRPC APIs
○ Kafka producers
○ SSH (coming soon)
20+ companies using OPA. Financial institutions, service providers, IT companies, software vendors, etc.
Used across the stack. Microservices, orchestration, provisioning, host daemons, data layer, security groups, etc.
Bring more use cases. RBAC, ABAC, admission control, data protection, risk management, rate limiting, auditing, etc.
Policy decisions should be decoupled from policy enforcement.

Try tutorials at openpolicyagent.org
HTTP API Authorization, Admission Control, Risk Management, SSH and sudo, Data Protection

Leverage OPA to solve fundamental policy and security problems.

Thank You!
Star us on GitHub.

Implementations of Fused Deposition Modeling  in real worldImplementations of Fused Deposition Modeling  in real world
Implementations of Fused Deposition Modeling in real world
Verti - EMEA Insurer Innovation Award 2024
Verti - EMEA Insurer Innovation Award 2024Verti - EMEA Insurer Innovation Award 2024
Verti - EMEA Insurer Innovation Award 2024
@Call @Girls Pune 0000000000 Riya Khan Beautiful Girl any Time
@Call @Girls Pune 0000000000 Riya Khan Beautiful Girl any Time@Call @Girls Pune 0000000000 Riya Khan Beautiful Girl any Time
@Call @Girls Pune 0000000000 Riya Khan Beautiful Girl any Time
Knowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches
Knowledge and Prompt Engineering Part 2 Focus on Prompt Design ApproachesKnowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches
Knowledge and Prompt Engineering Part 2 Focus on Prompt Design Approaches
5G bootcamp Sep 2020 (NPI initiative).pptx
5G bootcamp Sep 2020 (NPI initiative).pptx5G bootcamp Sep 2020 (NPI initiative).pptx
5G bootcamp Sep 2020 (NPI initiative).pptx
MYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
MYIR Product Brochure - A Global Provider of Embedded SOMs & SolutionsMYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
MYIR Product Brochure - A Global Provider of Embedded SOMs & Solutions
How RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptxHow RPA Help in the Transportation and Logistics Industry.pptx
How RPA Help in the Transportation and Logistics Industry.pptx
Quality Patents: Patents That Stand the Test of Time
Quality Patents: Patents That Stand the Test of TimeQuality Patents: Patents That Stand the Test of Time
Quality Patents: Patents That Stand the Test of Time
The Increasing Use of the National Research Platform by the CSU Campuses
The Increasing Use of the National Research Platform by the CSU CampusesThe Increasing Use of the National Research Platform by the CSU Campuses
The Increasing Use of the National Research Platform by the CSU Campuses
STKI Israeli Market Study 2024 final v1
STKI Israeli Market Study 2024 final  v1STKI Israeli Market Study 2024 final  v1
STKI Israeli Market Study 2024 final v1
AI_dev Europe 2024 - From OpenAI to Opensource AI
AI_dev Europe 2024 - From OpenAI to Opensource AIAI_dev Europe 2024 - From OpenAI to Opensource AI
AI_dev Europe 2024 - From OpenAI to Opensource AI
The Rise of Supernetwork Data Intensive Computing
The Rise of Supernetwork Data Intensive ComputingThe Rise of Supernetwork Data Intensive Computing
The Rise of Supernetwork Data Intensive Computing
Performance Budgets for the Real World by Tammy Everts
Performance Budgets for the Real World by Tammy EvertsPerformance Budgets for the Real World by Tammy Everts
Performance Budgets for the Real World by Tammy Everts
Lessons Of Binary Analysis - Christien Rioux
Lessons Of Binary Analysis - Christien RiouxLessons Of Binary Analysis - Christien Rioux
Lessons Of Binary Analysis - Christien Rioux
Pigging Solutions Sustainability brochure.pdf
Pigging Solutions Sustainability brochure.pdfPigging Solutions Sustainability brochure.pdf
Pigging Solutions Sustainability brochure.pdf
Calgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptxCalgary MuleSoft Meetup APM and IDP .pptx
Calgary MuleSoft Meetup APM and IDP .pptx
Research Directions for Cross Reality Interfaces
Research Directions for Cross Reality InterfacesResearch Directions for Cross Reality Interfaces
Research Directions for Cross Reality Interfaces
AC Atlassian Coimbatore Session Slides( 22/06/2024)
AC Atlassian Coimbatore Session Slides( 22/06/2024)AC Atlassian Coimbatore Session Slides( 22/06/2024)
AC Atlassian Coimbatore Session Slides( 22/06/2024)
Why do You Have to Redesign?_Redesign Challenge Day 1
Why do You Have to Redesign?_Redesign Challenge Day 1Why do You Have to Redesign?_Redesign Challenge Day 1
Why do You Have to Redesign?_Redesign Challenge Day 1
Details of description part II: Describing images in practice - Tech Forum 2024
Details of description part II: Describing images in practice - Tech Forum 2024Details of description part II: Describing images in practice - Tech Forum 2024
Details of description part II: Describing images in practice - Tech Forum 2024

OPA: The Cloud Native Policy Engine

  • 21. @sometorin @OpenPolicyAgent
    Demo: Authorization
    Services: landingpage, ratings, details, reviews
    Demo policy:
    "Employees can see their own reviews and the reviews of their subordinates."
    "Employees can see their own PII. HR can also see PII."
  • 22. Declarative Language (Rego)
    ● Is user X allowed to call operation Y on resource Z?
    ● Which annotations must be added to new Deployments?
    ● Which users can SSH into production machines?
  • 23. "Employees may read their own reviews and the reviews of their subordinates."
  • 24. "Employees may read their own reviews [...]"
  • 25. "Employees may read their own reviews [...]"
    Input: {"method": "GET", "path": ["reviews", "bob"], "user": "bob"}
  • 26. "Employees may read their own reviews [...]"
    allow = true {
        input.method = "GET"
        input.path = ["reviews", employee_id]
        input.user = employee_id
    }
    Input: {"method": "GET", "path": ["reviews", "bob"], "user": "bob"}
  • 27. The input values are substituted into the rule body:
    allow = true {
        input.method = "GET"
        input.path = ["reviews", "bob"]
        input.user = "bob"
    }
    Input: {"method": "GET", "path": ["reviews", "bob"], "user": "bob"}
  • 28. Every expression holds, so the rule succeeds and allow is true:
    allow = true {
        input.method = "GET"                # OK
        input.path = ["reviews", "bob"]     # OK
        input.user = "bob"                  # OK
    }
    Input: {"method": "GET", "path": ["reviews", "bob"], "user": "bob"}
  • 29. "Employees may read their own reviews [...]" with "alice" instead of "bob":
    allow = true {
        input.method = "GET"
        input.path = ["reviews", employee_id]
        input.user = employee_id
    }
    Input: {"method": "GET", "path": ["reviews", "bob"], "user": "alice"}
  • 30. employee_id is bound to "bob" by the path, so the last expression fails and allow is undefined:
    allow = true {
        input.method = "GET"                # OK
        input.path = ["reviews", "bob"]     # OK
        "alice" = "bob"                     # FAIL
    }
    Input: {"method": "GET", "path": ["reviews", "bob"], "user": "alice"}
  • 31. "Employees may read [...] the reviews of their subordinates."
    The same rule fails for the same reason; the second half of the policy needs its own rule.
    allow = true {
        input.method = "GET"                # OK
        input.path = ["reviews", "bob"]     # OK
        "alice" = "bob"                     # FAIL
    }
    Input: {"method": "GET", "path": ["reviews", "bob"], "user": "alice"}
  • 32. "Employees may read [...] the reviews of their subordinates."
    allow = true {
        input.method = "GET"
        input.path = ["reviews", employee_id]
        input.user = employee_id
    }
    Input: {"method": "GET", "path": ["reviews", "bob"], "user": "alice"}
    Data (in-memory): {"manager_of": {"bob": "alice", "alice": "janet"}}
  • 33. "Employees may read [...] the reviews of their subordinates."
    allow = true {
        input.method = "GET"
        input.path = ["reviews", employee_id]
        input.user = employee_id
    }
    allow = true {
        input.method = "GET"
        input.path = ["reviews", employee_id]
        input.user = data.manager_of[employee_id]
    }
    Input: {"method": "GET", "path": ["reviews", "bob"], "user": "alice"}
    Data (in-memory): {"manager_of": {"bob": "alice", "alice": "janet"}}
  • 34. The path binds employee_id to "bob" in the second rule:
    allow = true {
        input.method = "GET"
        input.path = ["reviews", "bob"]
        input.user = data.manager_of["bob"]
    }
    Input: {"method": "GET", "path": ["reviews", "bob"], "user": "alice"}
    Data (in-memory): {"manager_of": {"bob": "alice", "alice": "janet"}}
  • 35. The data lookup resolves data.manager_of["bob"] to "alice":
    allow = true {
        input.method = "GET"
        input.path = ["reviews", "bob"]
        input.user = "alice"
    }
    Input: {"method": "GET", "path": ["reviews", "bob"], "user": "alice"}
    Data (in-memory): {"manager_of": {"bob": "alice", "alice": "janet"}}
  • 36. Every expression in the second rule holds, so allow is true:
    allow = true {
        input.method = "GET"                # OK
        input.path = ["reviews", "bob"]     # OK
        input.user = "alice"                # OK
    }
    Input: {"method": "GET", "path": ["reviews", "bob"], "user": "alice"}
    Data (in-memory): {"manager_of": {"bob": "alice", "alice": "janet"}}
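The policy built up over slides 23 to 36, written out as one complete package with unit tests. This is an added example, not code from the deck or from the OPA project. It goes further than the slides in two ways: it adds a default deny (the slides leave allow undefined on a miss, which is only safe if every enforcement point treats undefined as deny), and the subordinate rule covers indirect reports by walking the manager_of chain rather than only the direct manager. It also implements the second demo sentence from slide 21. Everything beyond the slides is an assumption: data.hr as a list of HR user names, PII served under /pii/<employee>, and the {method, path, user} input shape.

```rego
# Added example, not the deck's own code: the slide-21 demo policy completed
# with a default deny, a transitive "subordinates" check and opa-test cases.
# Assumptions (not on the slides): data.hr is a list of HR user names, PII is
# served under /pii/<employee>, and input has the {method, path, user} shape
# used throughout the deck.
package reviews.authz

import rego.v1

# Fail closed: an undefined decision must never be read as "allow".
default allow := false

# "Employees may read their own reviews."
allow if {
    input.method == "GET"
    input.path == ["reviews", input.user]
}

# "Employees may read the reviews of their subordinates."
# Wider than the slides' direct-manager rule: indirect reports count too.
allow if {
    input.method == "GET"
    count(input.path) == 2
    input.path[0] == "reviews"
    input.path[1] in subordinates(input.user)
}

# "Employees can see their own PII."
allow if {
    input.method == "GET"
    input.path == ["pii", input.user]
}

# "HR can also see PII."
allow if {
    input.method == "GET"
    input.path[0] == "pii"
    input.user in data.hr
}

# data.manager_of maps employee -> manager (slide 32). graph.reachable wants the
# inverse: manager -> set of direct reports.
reports[manager] := {employee | some employee; data.manager_of[employee] == manager} if {
    some _, manager in data.manager_of
}

# Every direct or indirect report of user, user itself excluded.
subordinates(user) := graph.reachable(reports, {user}) - {user}

# --- unit tests: run with `opa test -v reviews.rego` ---

# Org chart from slide 32: bob reports to alice, alice reports to janet.
org_fixture := {"bob": "alice", "alice": "janet"}

test_own_reviews_allowed if {
    allow with input as {"method": "GET", "path": ["reviews", "bob"], "user": "bob"}
        with data.manager_of as org_fixture
}

test_peer_reviews_denied if {
    not allow with input as {"method": "GET", "path": ["reviews", "alice"], "user": "bob"}
        with data.manager_of as org_fixture
}

test_direct_manager_allowed if {
    allow with input as {"method": "GET", "path": ["reviews", "bob"], "user": "alice"}
        with data.manager_of as org_fixture
}

test_skip_level_manager_allowed if {
    allow with input as {"method": "GET", "path": ["reviews", "bob"], "user": "janet"}
        with data.manager_of as org_fixture
}

test_manager_cannot_write if {
    not allow with input as {"method": "PUT", "path": ["reviews", "bob"], "user": "alice"}
        with data.manager_of as org_fixture
}

test_hr_reads_any_pii if {
    allow with input as {"method": "GET", "path": ["pii", "bob"], "user": "hannah"}
        with data.hr as ["hannah"]
}

test_manager_cannot_read_report_pii if {
    not allow with input as {"method": "GET", "path": ["pii", "bob"], "user": "alice"}
        with data.hr as ["hannah"]
        with data.manager_of as org_fixture
}
```

Run the tests with `opa test -v reviews.rego`; to query a single decision the way a service would, put the org chart in a JSON data file and run `opa eval -d reviews.rego -d data.json -i input.json 'data.reviews.authz.allow'`. The `default allow := false` line is the part a reviewer should insist on: without it a request that matches no rule yields an undefined result, and whether that is a deny depends entirely on how the caller handles a missing value.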
  • 39. RBAC is not enough.
    "QA must sign-off on images deployed to the production namespace."
    "Analysts can read client data but PII must be redacted."
    "Restrict employees from accessing the service outside of work hours."
    "Allow all HTTP requests from"
    "Restrict ELB changes to senior SREs that are on-call."
    "Give developers SSH access to machines listed in JIRA tickets assigned to them."
    "Prevent developers from running containers with privileged security contexts in the production namespace."
    "Workloads for euro-bank must be deployed on PCI-certified clusters in the EU."
  • 41. Implement RBAC with OPA.
    Data (in-memory):
    bindings:
    - user: inspector-alice
      role: widget-reader
    - user: maker-bob
      role: widget-writer
    roles:
    - operation: read
      resource: widgets
      name: widget-reader
    - operation: write
      resource: widgets
      name: widget-writer
  • 42. Implement RBAC with OPA. Start by finding the user's binding(s):
    allow = true {
        # Find binding(s) for user.
        binding := data.bindings[_]
        input.user = binding.user
  • 43. Then find the role(s) that grant the requested operation on the resource:
    allow = true {
        # Find binding(s) for user.
        binding := data.bindings[_]
        input.user = binding.user
        # Find role(s) with permission.
        role := data.roles[_]
        input.resource = role.resource
        input.operation = role.operation
  • 44. Finally require that the binding refers to that role:
    allow = true {
        # Find binding(s) for user.
        binding := data.bindings[_]
        input.user = binding.user
        # Find role(s) with permission.
        role := data.roles[_]
        input.resource = role.resource
        input.operation = role.operation
        # Check if binding matches role.
        role.name = binding.role
    }
  • 45. Find bindings and roles that match input. This rule searches over the RBAC data.
    allow = true {
        # Find binding(s) for user.
        binding := data.bindings[_]
        input.user = binding.user
        # Find role(s) with permission.
        role := data.roles[_]
        input.resource = role.resource
        input.operation = role.operation
        # Check if binding matches role.
        role.name = binding.role
    }
    Data (in-memory): the bindings and roles from slide 41.
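The RBAC rule from slides 42 to 45 as a complete package with a default deny and unit tests over the slide-41 data. This is an added example, not the deck's or the OPA project's code. The test worth noting is the last one: it adds a role that grants write on widgets but is bound to nobody and checks that it grants nothing, which is exactly what the final `role.name = binding.role` join is for. The {user, resource, operation} input shape is the one the deck uses on slides 46 to 49.

```rego
# Added example, not the deck's own code: the slide-45 RBAC rule as a complete
# package with a default deny and opa-test cases over the slide-41 data.
# Assumption (as on slides 46-49): input carries {user, resource, operation}.
package rbac

import rego.v1

default allow := false

allow if {
    # Find binding(s) for the user.
    some binding in data.bindings
    binding.user == input.user

    # Find role(s) that grant the requested operation on the resource.
    some role in data.roles
    role.resource == input.resource
    role.operation == input.operation

    # The binding must name that role: this join is what keeps a permissive
    # role that nobody is bound to from granting anything.
    binding.role == role.name
}

# --- unit tests: run with `opa test -v rbac.rego` ---

# Data from slide 41.
fixture := {
    "bindings": [
        {"user": "inspector-alice", "role": "widget-reader"},
        {"user": "maker-bob", "role": "widget-writer"},
    ],
    "roles": [
        {"name": "widget-reader", "resource": "widgets", "operation": "read"},
        {"name": "widget-writer", "resource": "widgets", "operation": "write"},
    ],
}

test_reader_can_read if {
    allow with input as {"user": "inspector-alice", "resource": "widgets", "operation": "read"}
        with data.bindings as fixture.bindings
        with data.roles as fixture.roles
}

test_reader_cannot_write if {
    not allow with input as {"user": "inspector-alice", "resource": "widgets", "operation": "write"}
        with data.bindings as fixture.bindings
        with data.roles as fixture.roles
}

test_unbound_user_denied if {
    not allow with input as {"user": "mallory", "resource": "widgets", "operation": "read"}
        with data.bindings as fixture.bindings
        with data.roles as fixture.roles
}

test_unbound_role_grants_nothing if {
    admin := {"name": "widget-admin", "resource": "widgets", "operation": "write"}
    roles := array.concat(fixture.roles, [admin])
    not allow with input as {"user": "inspector-alice", "resource": "widgets", "operation": "write"}
        with data.bindings as fixture.bindings
        with data.roles as roles
}
```

For real use the bindings and roles live in a data file rather than in the policy; with the slide-41 YAML saved as rbac-data.yaml, `opa eval --partial --unknowns input -d rbac.rego -d rbac-data.yaml 'data.rbac.allow'` prints the simplified per-user rules that the next slide describes, which is a quick way to see exactly which (user, resource, operation) triples the data grants.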
  • 46. Partial Evaluation: rules + data ⇒ simplified rules
    allow = true {
        # Find binding(s) for user.
        binding := data.bindings[_]
        input.user = binding.user
        # Find role(s) with permission.
        role := data.roles[_]
        input.resource = role.resource
        input.operation = role.operation
        # Check if binding matches role.
        role.name = binding.role
    }
    Data (in-memory):
    bindings:
    - user: inspector-alice
      role: widget-reader
    - user: maker-bob
      role: widget-writer
    roles:
    - operation: read
      resource: widgets
      name: widget-reader
    - operation: write
      resource: widgets
      name: widget-writer
    Partial Eval ⇒ one rule per (user, resource, operation) the data grants:
    allow = true {
        input.user = "maker-bob"
        input.resource = "widgets"
        input.operation = "write"
    }
    allow = true {
        input.user = "inspector-alice"
        input.resource = "widgets"
        input.operation = "read"
    }
  • 47. OPA builds an index from simplified rules.
    # Many rules (100s, 1000s)
    allow = true { ... }
    allow = true { ... }
    allow = true { ... }
    allow = true {
        input.user = "inspector-alice"
        input.resource = "widgets"
        input.operation = "read"
    }
    Rule index (a tree keyed on the input fields each rule compares against a constant):
    input.resource = "widgets"
      → input.operation = "read"  → input.user = "inspector-alice" → Rule
      → input.operation = "write" → input.user = "maker-bob"       → Rule
  • 48. OPA uses the index to quickly find applicable rules.
    Query: allow
    Input: {"user": "inspector-alice", "resource": "widgets", "operation": "read"}
    Walking the index (input.resource, then input.operation, then input.user) lands directly on the one rule whose constants match.
  • 49. OPA only evaluates applicable rules.
    # Many rules (100s, 1000s)
    allow = true { ... }
    allow = true { ... }
    allow = true { ... }          OPA ignores these.
    allow = true {
        input.user = "inspector-alice"
        input.resource = "widgets"
        input.operation = "read"
    }
  • 50. Evaluation time for the RBAC policy, with and without partial evaluation:
    # Roles   # Bindings   Normal Eval (ms)   With Partial Eval (ms)
    250       250          5.50               0.0468
    500       500          11.87              0.0591
    1,000     1,000        21.64              0.0543
    2,000     2,000        45.49              0.0624
    blog.openpolicyagent.org
    Partial Evaluation: https://goo.gl/X6Qu6u
    Rule Indexing: https://goo.gl/uoSw3U
  • 51. "QA must sign-off on images deployed to the production namespace."
    "Restrict ELB changes to senior SREs that are on-call."
    "Analysts can read client data but PII must be redacted."
    "Give developers SSH access to machines listed in JIRA tickets assigned to them."
  • 52. Use OPA to enforce policy across the stack.
  • 53. It's all just data.
    Data Protection (Kafka topic access):
    deny {
        is_read_operation
        is_pii_topic
        not in_pii_consumer_whitelist
    }
    operation: Read
    resource:
      name: credit-scores
      resourceType: Topic
    session:
      principal:
        principalType: User
        name: CN=anon_producer,O=OPA
      clientAddress:
    Admission Control (Kubernetes pod):
    deny {
        not input.metadata.labels["qa-signoff"]
        input.metadata.namespace == "production"
        input.spec.containers[_].securityContext.privileged
    }
    metadata:
      name: nginx-149353-bvl8q
      namespace: production
    spec:
      containers:
      - image: nginx
        name: nginx
        securityContext:
          privileged: true
      nodeName: minikube
    HTTP API Authorization:
    allow {
        input.method = "GET"
        input.path = ["salary", user]
        input.user = user
    }
    method: GET
    path: /salary/bob
    service.source:
      namespace: production
      service: landing_page
    service.target:
      namespace: production
      service: details
    user: alice
    Risk Management (Terraform plan):
    allow {
        score = risk_budget
        count(plan_names["aws_iam"]) == 0
        blast_radius < 500
    }
    aws_autoscaling_group.lamb:
      availability_zones#: '1'
      availability_zones.3205: us-west-1a
      desired_capacity: '4'
      launch_configuration: kitten
      wait_for_capacity_timeout: 10m
    aws_instance.puppy:
      ami: ami-09b4b74c
      instance_type: t2.micro
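The Kubernetes deny rule sketched on slide 53, completed as an admission-control policy with unit tests. This is an added example, not code from the deck or from the OPA project. As on the slide, input is taken to be the Pod object itself; a real validating webhook wraps the object in an AdmissionReview, so the paths would then start at input.request.object. The label key "qa-signoff" and the namespace "production" are the slide's; the split into two separately reported violations, and the check of initContainers alongside containers, are additions.

```rego
# Added example, not the deck's own code: the slide-53 Kubernetes deny rule
# completed as an admission-control policy with opa-test cases.
# Assumptions: input is the Pod object as shown on the slide (an admission
# webhook would put it under input.request.object), "qa-signoff" is a label
# key, and "production" is the namespace name.
package kubernetes.admission

import rego.v1

# These rules only apply to pods in the production namespace.
in_production if input.metadata.namespace == "production"

# Every container the pod runs, init containers included. A policy that only
# inspects spec.containers is bypassed by putting the privileged work in an
# initContainer, which runs with the same host access.
containers contains c if some c in input.spec.containers

containers contains c if some c in input.spec.initContainers

# "QA must sign-off on images deployed to the production namespace."
deny contains msg if {
    in_production
    not input.metadata.labels["qa-signoff"]
    msg := sprintf("pod %q: production workloads require a qa-signoff label", [input.metadata.name])
}

# "Prevent developers from running containers with privileged security
# contexts in the production namespace."
deny contains msg if {
    in_production
    some c in containers
    c.securityContext.privileged == true
    msg := sprintf("pod %q: container %q must not be privileged in production", [input.metadata.name, c.name])
}

# --- unit tests: run with `opa test -v admission.rego` ---

# The pod from slide 53: privileged nginx in production with no qa-signoff.
slide_pod := {
    "metadata": {"name": "nginx-149353-bvl8q", "namespace": "production"},
    "spec": {
        "containers": [{"image": "nginx", "name": "nginx", "securityContext": {"privileged": true}}],
        "nodeName": "minikube",
    },
}

# A constructed pod that satisfies both rules.
safe_pod := {
    "metadata": {"name": "api", "namespace": "production", "labels": {"qa-signoff": "approved"}},
    "spec": {"containers": [{"image": "api:1.2", "name": "api"}]},
}

test_slide_pod_violates_both_rules if {
    count(deny) == 2 with input as slide_pod
}

test_signed_off_unprivileged_pod_admitted if {
    count(deny) == 0 with input as safe_pod
}

test_privileged_init_container_is_caught if {
    init := {"name": "setup", "image": "busybox", "securityContext": {"privileged": true}}
    pod := object.union(safe_pod, {"spec": {"initContainers": [init]}})
    count(deny) == 1 with input as pod
}

test_other_namespaces_are_not_checked if {
    pod := object.union(slide_pod, {"metadata": {"namespace": "dev"}})
    count(deny) == 0 with input as pod
}
```

Returning a set of messages rather than a single boolean is the usual shape for admission policies: the webhook denies when the set is non-empty and can surface every message to the user in one round trip. Note that `not input.metadata.labels["qa-signoff"]` only tests for the label's presence; if the sign-off should carry a specific value (a ticket ID, an approver), compare the value explicitly.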
  • 54. User Study: Netflix
    ● Complex environment
      ○ >1,000 services
      ○ Many resource and identity types
      ○ Many protocols, languages, etc.
    ● Key requirements
      ○ Low latency
      ○ Flexible policies
      ○ Ability to capture intent
    ● Using OPA across the stack
      ○ HTTP and gRPC APIs
      ○ Kafka producers
      ○ SSH (coming soon)
    How Netflix is Solving Authorization Across Their Cloud (KubeCon US 2017)
  • 55. Integration points across the stack: orchestrator, API, ssh, app, host, container, db, cloud.
    20+ companies using OPA: financial institutions, service providers, IT companies, software vendors, etc.
    Used across the stack: microservices, orchestration, provisioning, host daemons, data layer, security groups, etc.
    Bring more use cases: RBAC, ABAC, admission control, data protection, risk management, rate limiting, auditing, etc.
  • 57. Policy decisions should be decoupled from policy enforcement.
  • 58. Try tutorials at openpolicyagent.org: HTTP API Authorization, Admission Control, Risk Management, SSH and sudo, Data Protection.
  • 59. Leverage OPA to solve fundamental policy and security problems.