
Open Policy Agent Deep Dive Seattle 2018

1,168 views

Published on

Topics:

* Background on Open Policy Agent project: users, use cases, and stats.
* How OPA works (decoupling policy decision-making from enforcement)
* Hands-on example: users can view their own account details, and support staff can view the accounts they are assigned to via a ticketing system.
* SQL data filtering use case: writing policy in OPA and enforcing policy in SQL.
* WebAssembly compiler.

Published in: Technology


  1. Open Policy Agent Deep Dive @ KubeCon Seattle 2018
  2. openpolicyagent.org. Who am I? ● Engineer @ Styra ● Co-founder of Open Policy Agent ● @sometorin ● Based in SF ● Happy to see some rain 💧 ○ Originally from Vancouver 🇨🇦
  3. openpolicyagent.org. Example: pets.com. Diagram: the pets.com backend with accounts, payments, promotions and notifications services; SQL, S3 and SNS; a portal; users bob (customer) and alice (support).
  4. openpolicyagent.org. Example: pets.com. Same diagram as slide 3, with alice (support) emphasized.
  5. openpolicyagent.org. Example: pets.com. Same diagram, plus the policy: "Support staff can view customer data if they are assigned to an open ticket for that customer."
  6. openpolicyagent.org. Example: pets.com. Same diagram and policy, with an authz box attached to each service.
  7. openpolicyagent.org. Example: pets.com. Same diagram, policy and authz boxes, plus the questions: ● How do you enforce new policies from infosec, compliance, or legal? ● How do you delegate control to your end-users? ● How do you roll out policy changes? ● How do you leverage context, e.g., the HR DB? ● How do you render UIs based on policy? ● How do you test your policies for correctness? ● What about 100+ services written in Java, Ruby, ...?
  8. OPA: General-purpose policy engine. Inception: project started in 2016 at Styra. Goal: unify policy enforcement across the stack. Use cases: admission control; authorization (ACLs, RBAC, IAM, ABAC); risk management; data protection; data filtering. Users: Netflix, Chef, Medallia, Cloudflare, State Street, Pinterest, Intuit, Capital One ...and many more. Today: CNCF project (Sandbox), 36 contributors, 400 Slack members, 1.6K stars, 20+ integrations.
  9. How does OPA work?
  10. openpolicyagent.org. OPA: General-purpose policy engine. Diagram: a Service sends a Request to OPA as a Policy Query; OPA evaluates Policy (Rego) against Data (JSON) and returns a Policy Decision.
  11. openpolicyagent.org. OPA: General-purpose policy engine. Same diagram with an Accounts Service; the request is GET /accounts/bob HTTP/1.1 with Authorization: alice.
  12. openpolicyagent.org. OPA: General-purpose policy engine. Same diagram; the policy query input is { method: "GET", path: ["accounts", "bob"], user: "alice" } and the policy decision is true or false.
  13. openpolicyagent.org. OPA: General-purpose policy engine. Same diagram; the Service can be, for example, Linux PAM.
  14. openpolicyagent.org. OPA: General-purpose policy engine. Same diagram (Linux PAM). Input can be ANY JSON value. Output can be ANY JSON value.
  15. Hands on! Example policy: 1. Users can view their own accounts. 2. Support can view accounts if they are assigned to an open ticket on that account.
  16. New features & use cases
  17. OPA & Data Filtering
  18. openpolicyagent.org. Example scenario. Diagram: the Pet details service receives GET /pets with Authorization: bob and runs SELECT * FROM pets against the DB. Table pets (name, owner, age): Fluffy, Bob, 7; Muffin, Alice, 3; King, Janet, 12.
  19. openpolicyagent.org. Example scenario. Same diagram, plus the example policy: "Veterinarians are allowed to see details of pets they are treating."
  20. openpolicyagent.org. Example scenario. Same diagram and policy; the query becomes SELECT * FROM pets WHERE pets.veterinarian = "bob".
  21. openpolicyagent.org. Example scenario. Same diagram, policy and query. Logic to construct the WHERE clause is hardcoded into the service.
  22. openpolicyagent.org. Example scenario. Same diagram and policy; the query becomes SELECT * FROM pets WHERE pets.veterinarian = "bob" AND pets.clinic = "main st", with a Policy (Rego) box in place of the hardcoded logic.
  23. Demo
  24. openpolicyagent.org. Partial Evaluation & SQL Translation. Diagram: the Pet details service receives GET /pets with Authorization: bob, sends a policy query to OPA (Policy (Rego), decision true or false), gets back conditions (a SQL predicate), and runs SELECT * FROM pets WHERE pets.owner = "bob" against the DB. blog.openpolicyagent.org: "Write Policy in OPA. Enforce Policy in SQL."
  25. OPA & WebAssembly
  26. openpolicyagent.org. What is WebAssembly (Wasm)? ● Binary instruction format for virtual machines ○ Safe, efficient, open ● Compilation target for C, C++, Rust, Go, ... ● Supported by Chrome, Safari, Firefox, and IE ● Non-web embeddings ○ IoT ○ Desktop/mobile ○ Servers ○ Blockchain!
  27. openpolicyagent.org. What does Wasm have to do with OPA? ● Library integrations are simpler ○ Less overhead (performance) ○ Less operational complexity (security, monitoring) ● Some platforms are more likely to embed Wasm runtimes than OPA ○ Cloudflare announced support for Wasm workers earlier this year ○ Envoy is considering including a Wasm runtime ● How do you enforce policies in serverless and edge computing environments?
  28. Demo
  29. openpolicyagent.org. Thank You! open-policy-agent/opa, slack.openpolicyagent.org. Contributing? Say hello! Or see the low-hanging-fruit and help-wanted issues. tsandall/kubecon-seattle-2018
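The hands-on policy from slide 15 (users view their own account; support views accounts they hold an open ticket for), written out as an added Rego example that is not the deck's own code. It assumes the input shape shown on slide 12 and a constructed `data.tickets` document; both are assumptions, not something the slides define.

```rego
package accounts.authz

import rego.v1

# Deny by default: a request is allowed only if one of the rules below holds.
default allow := false

# Rule 1: users can view their own account.
# Input follows slide 12, e.g. {"method": "GET", "path": ["accounts", "bob"], "user": "bob"}
allow if {
    input.method == "GET"
    input.path == ["accounts", input.user]
}

# Rule 2: support staff can view an account if they are assigned to an
# open ticket for that customer. data.tickets is a constructed document
# (assumed, not from the slides) loaded into OPA, e.g.
#   {"tickets": [{"id": 1, "customer": "bob", "assignee": "alice", "status": "open"}]}
allow if {
    input.method == "GET"
    ["accounts", customer] = input.path   # bind customer from the request path
    some ticket in data.tickets
    ticket.customer == customer
    ticket.assignee == input.user
    ticket.status == "open"
}
```

With the policy, data and input saved to files, `opa eval -d policy.rego -d data.json -i input.json 'data.accounts.authz.allow'` returns the decision; a closed ticket or a different assignee yields `false`, which is the behaviour to check in a test before rolling the policy out.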
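For the data-filtering scenario on slides 18 to 24, an added Rego example (not code from the deck) of a policy written so that partial evaluation can turn it into a SQL predicate: every rule ranges over the table `data.pets`, which is declared unknown at evaluation time, while `input.user` and `input.clinic` are known. The field names `veterinarian` and `clinic` come from the slides; `input.clinic` is an assumption.

```rego
package petdetails

import rego.v1

default allow := false

# Owners can see their own pets (slide 24: WHERE pets.owner = "bob").
# Iterating data.pets[_] keeps the rule row-shaped so the residual
# condition maps onto one table column.
allow if {
    pet := data.pets[_]
    pet.owner == input.user
}

# Veterinarians can see details of pets they are treating at their clinic
# (slide 22: WHERE pets.veterinarian = "bob" AND pets.clinic = "main st").
allow if {
    pet := data.pets[_]
    pet.veterinarian == input.user
    pet.clinic == input.clinic   # input.clinic is assumed, not from the slides
}
```

Running `opa eval -d pets.rego -i input.json --partial --unknowns data.pets 'data.petdetails.allow'` with input `{"user": "bob", "clinic": "main st"}` leaves residual queries of roughly the form `data.pets[_].owner = "bob"` and `data.pets[_].veterinarian = "bob"; data.pets[_].clinic = "main st"`, which the service translates into the OR of two WHERE clauses instead of hardcoding that logic.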
