OPA : Introduction to OPA
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
OPA : https://www.youtube.com/watch?v=Vdy26oA3py8
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
How does OPA work?
Alice is a customer support rep and she has access to all the services (Payments, Accounts, Promotions, Notifications, etc.). Giving her access to every system is not all right: if she decides to bring down all the services, she can, and that leads to service failure. If she wants to look up where Bob lives, she can do that too and find all of his personally identifiable information, which again is not ideal. So what we want to do is put some guard rails into the system to prevent these kinds of things from happening.
Alice should be able to do all of her job, but she must not be able to do anything that harms the system or its security. To achieve that we need to go to each of these components, the services, and implement authorization: we write code that checks whether the thing Alice is asking to do is allowed.
So you might decide to write that code yourself: you go to the Payments service, which is written in Python, and then to the Accounts service, which is written in Java. The problem with that approach is that it raises a number of questions:
- What happens when the policy changes?
- What happens when InfoSec, compliance and legal come along and say you now also have to check the geographical region Alice is connecting from, or the device she is connecting on, or do something based on the current time and day (for example, she shouldn't be looking into Bob's account outside of work hours)? How do you handle changes to that kind of policy?
- What if Bob wants some control over the permissions granted to other people over his data? How do you delegate policy to your end users? How do you roll out changes when they get updated? How do you leverage external context, i.e. pull in data from an external data source like a ticketing system or PagerDuty?
- How do you test that your policies are actually implemented correctly?
- How do you do all of this when you have hundreds of services written in many languages, with all kinds of different protocols, running in containers, VMs, bare metal, serverless and whatever else?
OPA is what we call a policy engine: you can use it to implement unified policy enforcement across a wide range of technologies. The goal of the project is to unify policy enforcement in any service, in any system and at any level of the stack.
Many companies are using OPA for a variety of use cases.
How does OPA actually work? How do we achieve all of this?
At the core of OPA is the idea that policy decision making should be decoupled from policy enforcement. Say we are building the Accounts service, which exposes an API that lets people view user account information; to get the information on user Bob you would do GET /account/bob
and provide your credentials. When the request reaches the Accounts service, the service needs to decide whether or not to allow that request. When you use OPA you offload that decision to OPA, a dedicated engine. The way it works is that the Accounts service executes a query, and in that query it passes a bunch of attributes.
It supplies the method, the path and the authenticated user making the request. OPA takes those attributes and evaluates them against the policy and the data it has access to in order to produce a decision, such as "allow" or not, represented here as True or False.
That decision is sent back to the service as the response so that the service can enforce it: if the request is allowed it continues to process the request normally, and if not it rejects the request.
This is what OPA helps you do.
Keep in mind that the "service" can be any component at any part of the stack:
- It could be a container orchestrator like Kubernetes.
- It could be an API gateway like Kong.
- It could be Istio or Envoy.
- It could be Linux PAM at the host level, protecting ssh and sudo access on the machine.
- It could be a message broker, a database, or something like that.
These are examples of projects and services that have an OPA integration today. That is why we call OPA general purpose, and to get there we made some design decisions during the project.
One of the fundamental decisions is that the attributes you provide to OPA can be arbitrary JSON data: you can pass any JSON value to OPA when you execute a policy query, and the result can be any JSON value too.
In a simple authorization case the policy might produce "allow" or not, represented as True or False. In the admission control use case it might produce a complex structured object, such as an admission webhook response.
Obviously the policy needs to give meaning to the attributes coming in: it needs to know whether it is looking at a Pod spec for a Deployment or at attributes representing an API request.
Similarly, the service needs to know how to interpret the result, e.g. True maps to "allow" and False maps to "deny".
But on its own OPA doesn't really care: JSON comes in, JSON is evaluated, and JSON goes back out.
Here is a policy written in OPA's policy language.
The policy is written in Rego, a purpose-built declarative language for answering the kinds of questions we want to answer all the time.
In this case the policy is defined by two rules. The first rule allows customers to access their own accounts.
The second rule allows support reps to access the accounts of the customers they are assisting.
There is also some data, in JSON.
The file data.json maps customers to open tickets and the users those tickets are assigned to.
Bob has two open tickets, one assigned to Alice and the other to Karen. Janet has one open ticket, assigned to Karen. This is the mapping of users to open tickets.
In this case Karen can access her own account and the accounts of Bob and Janet, but Alice can only access her own account and Bob's account.
What follows is a program written in Go that shows how OPA can be embedded as a library.
When you embed OPA as a library you interact with the rego package that OPA exposes. The rego package is a high-level API for evaluating policies written in Rego.
The program loads the bundle off disk, instantiates OPA's compiler and storage layer (the data structures used during evaluation), decodes the input provided via stdin, and then constructs the Rego object that is used for evaluation.
When you construct the Rego object you pass in the compiler, the store and the input, and you also provide the query you want to run; in this case it asks for the value of "allow" and binds it to a variable called "allowed".
Then you run the evaluation and interpret the results. If there are no results, i.e. the policy decision was undefined, the program bails out with an error. That should not happen here, because the policy sets the default value of allow to false.
If the query returns a value, the program sends back true or false accordingly; if no value comes back at all, that is treated as an error, like a "500".
So if the value is true you interpret it as allow, and if it is false you interpret it as deny.
Most of the time you end up with more than two rules, sometimes tens or hundreds of them, and some of those rules can be really complicated. You don't want to manually query the policy to understand whether it is correct. So OPA ships a unit testing framework for checking that your policies are correct.
You can write unit tests for your policies, and this is what they look like.
Here we create two test cases: a positive test and a negative test.
You can go further and report which parts of the policy are covered by these tests.
New Feature & Use Cases :
This part covers some of the newer use cases and features that have been worked on in OPA.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Credits to the author of this YouTube video:
https://www.youtube.com/watch?v=qz3yks-BWbw
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
A policy is more like an if-else statement: if this condition is true, do it, otherwise don't.
OPA takes JSON as input and returns JSON as output.
General purpose: OPA does not depend on any particular stack. It takes a JSON value and returns a JSON value.
Unifies policy: OPA can be integrated with every stack we have right now. You can use it with services written in Java, Python and many other languages, and in containers or Kubernetes. By placing one OPA server in front of all of these, you can manage all of your policies in one place.
Decouple policy decision making / Policy enforcement
Before OPA, policy enforcement and policy decision making were both done by the service itself. Now the service does not have to bother with decision making: it just queries OPA, and OPA makes the decision.
OPA uses a simple declarative language, which is what makes it so powerful. Rego is purpose-built for OPA.
Policy as code
CI/CD pipelines: OPA can be integrated into your CI/CD pipelines to enforce policies on them.
It can enforce who may run your pipelines, who may run your jobs, and when a job may be run.
Kubernetes use case: here OPA acts as an admission controller; it can check your pods before they run and stop them from running.
Say I have not specified resource requests for my pods; then they can get evicted or not be scheduled. These are the kinds of fine-grained policies you can apply on Kubernetes.
Microservices: OPA lets you authorize a particular user to perform a task or query a particular API.
Docker: you can have a policy that rejects images from untrusted repositories, requires that an image has been scanned, or forbids containers from running in privileged mode.
Terraform: when you automate a Terraform rollout, the risk is unintentionally deleting or modifying your infrastructure, which is a very bad thing. If, say, a plan changes IAM policies, you can stop it from being applied.
Database side: when an API requests data from the database, OPA can help you filter out the data the caller is not allowed to see.
How to run OPA?
The first and simplest way to run OPA is opa eval: you create the policies and run opa eval in your terminal. This is mostly used during development, when you are designing your policy files and want to evaluate them frequently.
The presenter has made a small policy.
Before we get into creating a policy we have data. Data is also a very important part of Rego; it is the value that you provide to OPA.
Here the data describes which users have permission to work with it.
Then we need to move on to the policy. This is how OPA gets to
Before writing the policy you must know what kind of input data you are going to get, because you cannot traverse the input without knowing its JSON structure.
Let's check the input data.
We are importing the data file.
import data.users: if we want to refer to a particular user, we can import the users once, and from then on we don't have to write data.users each time we want a specific user.
By default every request is denied (false). So if there is no input that matches a rule, the request is not allowed.
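The account policy from the first talk (customers read their own account, support reps read the accounts of customers whose open tickets are assigned to them), with the default-false rule, the data mapping and the positive and negative unit tests, as one added example. This is my own code, not the video's; it assumes an input of the shape {"method", "path", "user"} where path is ["account", <name>], and a data.tickets document keyed by customer.

```rego
package accounts

import rego.v1

# Deny unless some rule below proves otherwise.
default allow := false

# Rule 1: a customer may read their own account.
allow if {
    input.method == "GET"
    count(input.path) == 2
    input.path[0] == "account"
    input.path[1] == input.user
}

# Rule 2: a support rep may read the account of any customer
# who has an open ticket assigned to that rep.
allow if {
    input.method == "GET"
    count(input.path) == 2
    input.path[0] == "account"
    customer := input.path[1]
    some ticket in data.tickets[customer]
    ticket.open == true
    ticket.assignee == input.user
}

# Constructed data mirroring the talk (assumed shape of data.json):
# Bob has tickets with alice and karen, Janet has one with karen.
mock_tickets := {
    "bob": [{"assignee": "alice", "open": true}, {"assignee": "karen", "open": true}],
    "janet": [{"assignee": "karen", "open": true}],
}

# Positive test: Bob reading his own account.
test_customer_reads_own_account if {
    allow with input as {"method": "GET", "path": ["account", "bob"], "user": "bob"}
        with data.tickets as mock_tickets
}

# Positive test: Karen is assigned Janet's ticket.
test_support_reads_assigned_customer if {
    allow with input as {"method": "GET", "path": ["account", "janet"], "user": "karen"}
        with data.tickets as mock_tickets
}

# Negative test: Alice has no ticket for Janet, so the default applies.
test_support_denied_unassigned_customer if {
    not allow with input as {"method": "GET", "path": ["account", "janet"], "user": "alice"}
        with data.tickets as mock_tickets
}
```

Save it as policy.rego and run `opa test -v policy.rego`; add `--coverage` to see which rules the tests hit.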