SlideShare una empresa de Scribd logo

Rego Deep Dive

T
Torin Sandall

This document provides an introduction and overview of Open Policy Agent (OPA). It discusses how OPA can be used to add fine-grained policy controls to other projects. Key points include: - OPA allows integrating policy decisions from a project into OPA and offloading policy logic. Policies can be authored in OPA and decisions retrieved. - Policies are invoked by sending decision requests to OPA APIs. The input is JSON and the response is also JSON. - Simple policies involve looking up values, comparing values, assigning variables, and creating rules with heads and bodies. Rules with the same head are OR'd together. - Policies can handle arrays and iteration by using an

Tecnología
1 de 73
Descargar para leer sin conexión
Open Policy Agent Language Introduction
openpolicyagent.org OPA: Add fine-grained policy to other projects OPA Cloud Orchestrator Risk Management Linux Container Execution, SSH, sudo OPA Hashicorp Terraform OPA Microservice APIs Istio Linkerd OPA Placement & Admission Control
openpolicyagent.org Use OPA to policy-enable your project Integrate Offload policy decisions from your project to OPA Author Write OPA policies that make decisions Manage Deploy OPA, retrieve policy, audit decisions, monitor health 1 2 3
Agenda ● How Policies are Invoked ● Simple Policies ● Policies with Iteration ● Additional Topics ○ Modularity ○ Negation ○ Any/All ○ Non-boolean Decisions
How Policies are Invoked ● Overview ● Example: ○ HTTP API Authorization
openpolicyagent.org How Policies are Invoked DataLogic
openpolicyagent.org How Policies are Invoked DataLogic POST v1/data/<policy-name> {“input”: <JSON>} 1. Decision Request Any JSON value: ● "alice" ● ["api", "v1", "cars"] ● {"headers": {...}}
openpolicyagent.org How Policies are Invoked DataLogic 200 OK {“result”: <JSON>} 1. Decision Request 2. Decision Response Any JSON value: ● true, false ● "bob" ● {"servers": ["server-001", …]} POST v1/data/<policy-name> {“input”: <JSON>} Any JSON value: ● "alice" ● ["api", "v1", "cars"] ● {"headers": {...}}
openpolicyagent.org How Policies are Invoked DataLogic 200 OK {“result”: <JSON>} Input is JSON. Policy decision is JSON. 1. Decision Request 2. Decision Response POST v1/data/<policy-name> {“input”: <JSON>} Any JSON value: ● true, false ● "bob" ● {"servers": ["server-001", …]} Any JSON value: ● "alice" ● ["api", "v1", "cars"] ● {"headers": {...}}
openpolicyagent.org Example: HTTP API Authorization DataLogic
openpolicyagent.org Example: HTTP API Authorization DataLogic 1. Example Request to OPA POST v1/data/http/authz/allow {"input": { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob"}} 1
openpolicyagent.org Example: HTTP API Authorization DataLogic 1. Example Request to OPA 2. Example Policy in OPA POST v1/data/http/authz/allow {"input": { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob"}} package http.authz allow { input.user == “bob” } 1 2
openpolicyagent.org Example: HTTP API Authorization DataLogic 1. Example Request to OPA 2. Example Policy in OPA 3. Example Response from OPA POST v1/data/http/authz/allow {"input": { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob"}} package http.authz allow { input.user == “bob” } {“result”: true} 1 2 3
Agenda ● How Policies are Invoked ● Simple Policies ● Policies with Iteration ● Additional Topics ○ Modularity ○ Negation ○ Non-boolean Decisions
Simple Policies ● Lookup values ● Compare values ● Assign values ● Create rules ● Create functions ● Use context (data)
openpolicyagent.org Lookup and Compare Values { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Input input.method input.path[0] Lookup values.
openpolicyagent.org Lookup and Compare Values { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Input input.method == “GET” input.path[0] == “finance” input.user != input.method Lookup values. Compare values.
openpolicyagent.org Lookup and Compare Values { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Input input.method == “GET” input.path[0] == “finance” input.user != input.method startswith(input.path[1], “sal”) count(input.path) > 2 Lookup values. Compare values. See 50+ operators documented at openpolicyagent.org/docs/language-reference.html
openpolicyagent.org path := input.path path[2] == "alice" Assign Values to Variables { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Input Assign variables. Use variables like input.
openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Rules have a Head and a Body. allow = true { input.method == "GET" input.user == "bob" }
openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Rules have a Head and a Body. allow = true { input.method == "GET" input.user == "bob" } Rule Head
openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Rules have a Head and a Body. allow = true { input.method == "GET" input.user == "bob" } Rule Head Name allow Value true
openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Rules have a Head and a Body. allow { input.method == "GET" input.user == "bob" } Rule Head Name allow Value true
openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Rules have a Head and a Body. allow { input.method == "GET" input.user == "bob" } Rule Body
openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Rules have a Head and a Body. allow { input.method == "GET" input.user == "bob" } Rule Body Multiple statements in rule body are ANDed together.
openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Rules have a Head and a Body. allow { input.method == "GET" input.user == "bob" } Rule Body Multiple statements in rule body are ANDed together. allow is true IF input.method equals "GET" AND input.user equals "bob"
openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Multiple rules with same name. allow { input.method == "GET" input.user == "bob" } allow { input.method == "GET" input.user == input.path[2] }
openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Multiple rules with same name. allow { input.method == "GET" input.user == "bob" } allow { input.method == "GET" input.user == input.path[2] }Rule Head Multiple statements with same head are ORed together.
openpolicyagent.org Create Rules Input { "method": "POST", "path": ["finance", "salary", "alice"], "user": "bob" } Rules can be undefined. allow { input.method == "GET" input.user == "bob" } allow { input.method == "GET" input.user == input.path[2] }
openpolicyagent.org Create Rules Input { "method": "POST", "path": ["finance", "salary", "alice"], "user": "bob" } Rules can be undefined. allow { input.method == "GET" input.user == "bob" } allow { input.method == "GET" input.user == input.path[2] } Different method. "POST" instead of "GET"
openpolicyagent.org Create Rules Input { "method": "POST", "path": ["finance", "salary", "alice"], "user": "bob" } Rules can be undefined. allow { input.method == "GET" input.user == "bob" } allow { input.method == "GET" input.user == input.path[2] } Different method. "POST" instead of "GET" Neither rule matches. allow is undefined (not false!)
openpolicyagent.org Create Rules Input { "method": "POST", "path": ["finance", "salary", "alice"], "user": "bob" } Use default keyword. default allow = false allow { input.method == "GET" input.user == "bob" } allow { input.method == "GET" input.user == input.path[2] }
openpolicyagent.org Create Rules Input { "method": "POST", "path": ["finance", "salary", "alice"], "user": "bob" } Use default keyword. default allow = false allow { input.method == "GET" input.user == "bob" } allow { input.method == "GET" input.user == input.path[2] } default <name> = <value> If no rules match default value is returned.
openpolicyagent.org Create Rules Input { "method": "POST", "path": ["finance", "salary", "alice"], "user": "bob" } Use default keyword. default allow = false allow { input.method == "GET" input.user == "bob" } allow { input.method == "GET" input.user == input.path[2] } default <name> = <value> If no rules match default value is returned. at most one default per rule set
openpolicyagent.org Create Functions Input { "method": "GET", "path": "/finance/salary/alice", "user": "bob" } Path is a string now.
openpolicyagent.org Create Functions Input { "method": "GET", "path": "/finance/salary/alice", "user": "bob" } Example rule default allow = false allow { trimmed := trim(input.path, "/") path := split(trimmed, "/") path = ["finance", "salary", user] input.user == user } Path is a string now.
openpolicyagent.org { "method": "GET", "path": "/finance/salary/alice", "user": "bob" } Create Functions Input Example rule default allow = false allow { trimmed := trim(input.path, "/") path := split(trimmed, "/") path = ["finance", "salary", user] input.user == user } Path is a string now. Avoid duplicating common logic like string manipulation
openpolicyagent.org { "method": "GET", "path": "/finance/salary/alice", "user": "bob" } Create Functions Input Put common logic into functions default allow = false allow { path := split_path(input.path) path = ["finance", "salary", user] input.user == user } split_path(str) = parts { trimmed := trim(str, "/") parts := split(trimmed, "/") } Path is a string now. Avoid duplicating common logic like string manipulation
openpolicyagent.org { "method": "GET", "path": "/finance/salary/alice", "user": "bob" } Create Functions Input Functions are Rules with arguments. read_method(str) = true { str == "GET" } read_method(str) = true { str == "HEAD" }
openpolicyagent.org { "method": "GET", "path": "/finance/salary/alice", "user": "bob" } Create Functions Input Functions are Rules with arguments. read_method(str) = true { str == "GET" } read_method(str) = true { str == "HEAD" } "Function" Head Multiple statements with same head are ORed together.
openpolicyagent.org { "method": "GET", "path": "/finance/salary/alice", "user": "bob" } Create Functions Input Functions are Rules with arguments. read_method(str) { str == "GET" } read_method(str) { str == "HEAD" } "Function" Head Multiple statements with same head are ORed together.
openpolicyagent.org Policies can use Context from Outside World PUT v1/data/<path> HTTP/1.1 Content-Type: application/json <JSON> Load Context/Data Into OPA DataLogic
openpolicyagent.org { "users": { "alice": {"department": "legal"}, "bob": {"department": "hr"}, "janet": {"department": "r&d"} } } { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Policies Use Context Data (context) Policy allow { # Users can access their own salary input.user == input.path[2] } allow { # HR can access any salary user := data.users[input.user] user.department == "hr" } Input
openpolicyagent.org Summary Lookup values input.path[1] Compare values "bob" == input.user Assign values user := input.user Rules <head> { <body> } Rule Head <name> = <value> { … } or <name> { … } Rule Body <statement-1>; <statement-2>; … (ANDed) Multiple Rules with same name <rule-1> OR <rule-2> OR ... Default Rule Value default <name> = <value> Functions Rules with arguments Context Reference with data. instead of input.
Agenda ● How Policies are Invoked ● Simple Policies ● Policies with Iteration ● Additional Topics ○ Modularity ○ Negation ○ Any/All ○ Non-boolean Decisions
Policies With Iteration ● Iteration ● Virtual documents ● Virtual documents vs Functions
openpolicyagent.org { "resources": [ {"id": "54cf10", "owner": "alice"}, {"id": "3df429": "owner": "bob"} ... ], ... } # allow if resource is at element 0 allow { input.resource == data.resources[0].id input.user == data.resources[0].owner } What about Arrays? Allow if user owns resource. Not sure where resource is in array { "user": "alice" "resource": "54cf10", } Input Data
openpolicyagent.org { "resources": [ {"id": "54cf10", "owner": "alice"}, {"id": "3df429": "owner": "bob"} ... ], ... } # allow if resource is at element 0 allow { input.resource == data.resources[0].id input.user == data.resources[0].owner } # OR if resource is at element 1 allow { input.resource == data.resources[1].id input.user == data.resources[1].owner } What about Arrays? Allow if user owns resource. Not sure where resource is in array { "user": "alice" "resource": "54cf10", } Input Data
openpolicyagent.org { "resources": [ {"id": "54cf10", "owner": "alice"}, {"id": "3df429": "owner": "bob"} ... ], ... } # allow if resource is at element 0 allow { input.resource == data.resources[0].id input.user == data.resources[0].owner } # OR if resource is at element 1 allow { input.resource == data.resources[1].id input.user == data.resources[1].owner } ... What about Arrays? Allow if user owns resource. Not sure where resource is in array { "user": "alice" "resource": "54cf10", } Input Data Problem: Unknown number of elements. Cannot write allow for every index.
openpolicyagent.org { "resources": [ {"id": "54cf10", "owner": "alice"}, {"id": "3df429": "owner": "bob"} ... ], ... } # allow if resource is anywhere in array allow { input.resource == data.resources[index].id input.user == data.resources[index].owner } Iterate over Arrays Allow if user owns resource. Not sure where resource is in array { "user": "alice" "resource": "54cf10", } Input Data
openpolicyagent.org { "resources": [ {"id": "54cf10", "owner": "alice"}, {"id": "3df429": "owner": "bob"} ... ], ... } # allow if resource is anywhere in array allow { input.resource == data.resources[index].id input.user == data.resources[index].owner } Iterate over Arrays Allow if user owns resource. Not sure where resource is in array { "user": "alice" "resource": "54cf10", } Input Data Solution: ● allow is true if SOME value for index makes the rule body true. ● OPA automatically iterates over values for index. ● allow is true for index = 0
openpolicyagent.org Iterate over Everything Iterate over arrays/dictionaries (whether input or data) # Iterate over array indexes/values resource_obj := data.resources[index] # Iterate over dictionary key/values user_obj := data.users[name] # Doesn’t matter whether input or data value := input[key] # Use _ to ignore variable name # Iterate over just the array values resource_obj := data.resources[_] { "method": "GET", "path": ["resources", "54cf10"], "user": "bob" } Input { "resources": [ {"id": "54cf10", "owner": "alice"}, {"id": "3df429": "owner": "bob"} ], "users": { "alice": {"admin": false}, "bob": {"admin": true}, "charlie": {"admin": true}, } } Data
openpolicyagent.org Duplicated Logic Happens with Iteration too { “users”: [ {"name": "alice", "admin": false, “dept”: “eng”}, {"name": "bob", "admin": true, “dept”: “hr”}, {"name": "charlie", "admin": true, “dept”: “eng”}, } } Data allow { user := data.users[_] user.admin == true user.name == input.user input.method == “GET” } allow { user := data.users[_] user.admin == true user.name == input.user input.method == “POST” } Duplicated logic with iteration
openpolicyagent.org Duplicated Logic Happens with Iteration too { “users”: [ {"name": "alice", "admin": false, “dept”: “eng”}, {"name": "bob", "admin": true, “dept”: “hr”}, {"name": "charlie", "admin": true, “dept”: “eng”}, } } Data allow { user := data.users[_] user.admin == true user.name == input.user input.method == “GET” } allow { user := data.users[_] user.admin == true user.name == input.user input.method == “POST” } Duplicated logic with iteration Avoid duplicating common logic like a search for admins
openpolicyagent.org Create a Virtual Document { “users”: [ {"name": "alice", "admin": false, “dept”: “eng”}, {"name": "bob", "admin": true, “dept”: “hr”}, {"name": "charlie", "admin": true, “dept”: “eng”}, } } Data allow { admin[input.user] input.method == “GET” } allow { admin[input.user] input.method == “POST” } admin[user.name] { user := data.users[_] user.admin == true } Duplicated logic with iteration admin is a set that contains all of the admin names Sets are an extension of JSON. admin == { "bob", "charlie" }
openpolicyagent.org Different Syntaxes for Virtual Sets { “users”: [ {"name": "alice", "admin": false, “dept”: “eng”}, {"name": "bob", "admin": true, “dept”: “hr”}, {"name": "charlie", "admin": true, “dept”: “eng”}, } } admin[user.name] { user := data.users[_] user.admin == true } Data Rule Syntax admin = {user.name | user := data.users[_] user.admin == true } Set Comprehension Syntax
openpolicyagent.org Different Syntaxes for Virtual Sets { “users”: [ {"name": "alice", "admin": false, “dept”: “eng”}, {"name": "bob", "admin": true, “dept”: “hr”}, {"name": "charlie", "admin": true, “dept”: “eng”}, } } admin[user.name] { user := data.users[_] user.admin == true } Data Rule Syntax admin = {user.name | user := data.users[_] user.admin == true } Set Comprehension Syntax Supports OR with multiple rules. No support for OR.
openpolicyagent.org Create Virtual Dictionaries too { “users”: [ {"name": "alice", "admin": false, “dept”: “eng”}, {"name": "bob", "admin": true, “dept”: “hr”}, {"name": "charlie", "admin": true, “dept”: “eng”}, } } Data admin[user.name] = user.dept { user := data.users[_] user.admin == true } Rule Syntax admin = {user.name: user.dept | user := data.users[_] user.admin == true } Dictionary Comprehension Syntax
openpolicyagent.org Virtual Docs support iteration. Functions don’t. admin[user_name] = user.dept { user := data.users[_] user.admin == true user.name == user_name } admin(user_name) = user.dept { user := data.users[_] user.admin == true user.name == user_name } Dictionary Function # lookup bob’s department admin[“bob”] # iterate over all user/dept pairs admin[user] = department # iterate over everyone in HR admin[user] == “hr” # lookup bob’s department admin(“bob”) # iterate over all user/dept pairs Can’t. Write different function. # iterate over everyone in HR Can’t.
openpolicyagent.org Virtual Documents must be finite. Functions don’t. Can’t express split_path. Virtual docs must be “safe”. Safety means the set of all input/output pairs is finite. split_path takes any string as input. There are infinitely strings. split_path(str) = parts { trimmed := trim(str, "/") parts := split(trimmed, "/") } Virtual Doc Function
Agenda ● How Policies are Invoked ● Simple Policies ● Policies with Iteration ● Additional Topics ○ Modularity ○ Negation ○ Any/All ○ Non-boolean Decisions
openpolicyagent.org People can Create Multiple Policies and Delegate package http.service_graph allow { input.source == “frontend” input.destination == “finance” } ... Service graph policy package http.org_chart allow { admin[user.input] } ... Organization chart policy package http.authz import data.http.service_graph import data.http.org_chart allow { org_chart.allow service_graph.allow } Entry point policy
openpolicyagent.org Policies can use Negation package http.service_graph deny { input.source == “frontend” input.destination == “finance” } ... Service graph policy package http.org_chart allow { admin[user.input] } Organization chart policy package http.authz import data.http.service_graph import data.http.org_chart allow { org_chart.allow not service_graph.deny not deny } deny { ... } Entry point policy
openpolicyagent.org { “users”: { "alice": {"admin": false, “org_code”: “11”}, "bob": {"admin": true, “org_code”: “22”}, "charlie": {"admin": true, “org_code”: “33”} } } Any vs. All Data Check if all users are admins. Wrong ans: all_admins = true { data.users[user_name].admin == true }
openpolicyagent.org { “users”: { "alice": {"admin": false, “org_code”: “11”}, "bob": {"admin": true, “org_code”: “22”}, "charlie": {"admin": true, “org_code”: “33”} } } Any vs. All Data Check if all users are admins. Wrong ans: all_admins = true { data.users[user_name].admin == true } Problem: all_admins is true if ANY users are admins.
openpolicyagent.org { “users”: { "alice": {"admin": false, “org_code”: “11”}, "bob": {"admin": true, “org_code”: “22”}, "charlie": {"admin": true, “org_code”: “33”} } } Any vs. All Data Check if all users are admins. all_admins = true { not any_non_admins } any_non_admins = true { user := data.users[user_name] not user.admin } Solution: 1. Check if any users are NOT admins 2. Complement (1)
openpolicyagent.org { “users”: { "alice": {"admin": false, “org_code”: “11”}, "bob": {"admin": true, “org_code”: “22”}, "charlie": {"admin": true, “org_code”: “33”} } } Any vs. All Data Check if all users are admins. all_admins = true { not any_non_admins } any_non_admins = true { user := data.users[user_name] not user.admin } Solution: 1. Check if any users are NOT admins 2. Complement (1)
openpolicyagent.org allow/deny are NOT special. Decisions are JSON DataLogic POST v1/data/http/authz/admin {"input": { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob"}} 2. Example Policy 1. Example Request 3. Example Response {“result”: [“bob”, “charlie”]} package http.authz import data.http.service_graph import data.http.org_chart admin[x] { org_chart.admin[x] } admin[x] { service_graph.admin[x] } Sets defined with multiple rules are unioned together. Policy decision can be any JSON data: boolean, number, string, null, array, or dictionary. Sets are serialized to JSON arrays.
openpolicyagent.org Thank You! github.com/open-policy-agent/opa slack.openpolicyagent.org
openpolicyagent.org Policy Example with Join
openpolicyagent.org Policies Iterate to Search for Data { “users”: { "alice": {"admin": false, “org_code”: “11”}, "bob": {"admin": true, “org_code”: “22”}, "charlie": {"admin": true, “org_code”: “33”} }, “orgs”: { “00”: {“name”: “HR”}, “11”: {“name”: “Legal”}, “22”: {“name”: “Research”}, “33”: {“name”: “IT”}, “44”: {“name”: “Accounting”}, } } Data Search for the data you need user_obj user_name org_name {"admin": true, ...} bob Research {"admin": true, ...} charlie IT # Find admin users and their organization user_obj := data.users[user_name]; user_obj.admin == true; org_name := data.orgs[user_obj.org_code].name Variable assignments that satisfy search criteria
openpolicyagent.org Policies Give Names to Search Results Data Name the search results admins[[org_name, user_name]] { user_obj := data.users[user_name] user_obj.admin == true org_name := data.orgs[user_obj.org_code].name } { “users”: { "alice": {"admin": false, “org_code”: “11”}, "bob": {"admin": true, “org_code”: “22”}, "charlie": {"admin": true, “org_code”: “33”} }, “orgs”: { “00”: {“name”: “HR”}, “11”: {“name”: “Legal”}, “22”: {“name”: “Research”}, “33”: {“name”: “IT”}, “44”: {“name”: “Accounting”}, } } admins is a set that contains all of the [org_name, user_name] pairs that make the body true. admins == { ["Research", "bob"], ["IT", "charlie"], }
openpolicyagent.org Policies Apply Search Results to Make Decisions Input { “users”: { "alice": {"admin": false, “org_code”: “11”}, "bob": {"admin": true, “org_code”: “22”}, "charlie": {"admin": true, “org_code”: “33”} }, “orgs”: { “00”: {“name”: “HR”}, “11”: {“name”: “Legal”}, “22”: {“name”: “Research”}, ... Apply the search results allow { # allow admins to do everything admins[[_, input.user]] } admins[[org_name, user_name]] { user_obj := data.users[user_name] user_obj.admin == true org_name := data.orgs[user_obj.org_code].name } Check if bob is an admin Lookup IT admins Iterate over all pairs admins[[_, “bob”]] admins[[“IT”, name]] admins[x] { "method": "GET", "path": ["resources", "54cf10"], "user": "bob" } Data

Recomendados

OPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineOPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineTorin Sandall
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Torin Sandall
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy AgentTorin Sandall
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy AgentNordic APIs
 
OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case SurveyTorin Sandall
 
Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPAKnoldus Inc.
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudTorin Sandall
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentVMware Tanzu
 

Recomendados

OPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineOPA: The Cloud Native Policy Engine
OPA: The Cloud Native Policy EngineTorin Sandall
 
Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Open Policy Agent Deep Dive Seattle 2018
Open Policy Agent Deep Dive Seattle 2018Torin Sandall
 
Open Policy Agent
Open Policy AgentOpen Policy Agent
Open Policy AgentTorin Sandall
 
Securing APIs with Open Policy Agent
Securing APIs with Open Policy AgentSecuring APIs with Open Policy Agent
Securing APIs with Open Policy AgentNordic APIs
 
OPA APIs and Use Case Survey
OPA APIs and Use Case SurveyOPA APIs and Use Case Survey
OPA APIs and Use Case SurveyTorin Sandall
 
Introduction to OPA
Introduction to OPAIntroduction to OPA
Introduction to OPAKnoldus Inc.
 
How Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudHow Netflix Is Solving Authorization Across Their Cloud
How Netflix Is Solving Authorization Across Their CloudTorin Sandall
 
Policy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentPolicy Enforcement on Kubernetes with Open Policy Agent
Policy Enforcement on Kubernetes with Open Policy AgentVMware Tanzu
 
OPA open policy agent
OPA open policy agentOPA open policy agent
OPA open policy agentKnoldus Inc.
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing AuthorizationTorin Sandall
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesTorin Sandall
 
REST-API introduction for developers
REST-API introduction for developersREST-API introduction for developers
REST-API introduction for developersPatrick Savalle
 
Building Modern APIs with GraphQL
Building Modern APIs with GraphQLBuilding Modern APIs with GraphQL
Building Modern APIs with GraphQLAmazon Web Services
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentCloudOps2005
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Torsten Lodderstedt
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
Burp Extender API for Penetration Testing
Burp Extender API for Penetration TestingBurp Extender API for Penetration Testing
Burp Extender API for Penetration TestingPichaya Morimoto
 
An Introduction To REST API
An Introduction To REST APIAn Introduction To REST API
An Introduction To REST APIAniruddh Bhilvare
 
Graphql presentation
Graphql presentationGraphql presentation
Graphql presentationVibhor Grover
 
What is an API Gateway?
What is an API Gateway?What is an API Gateway?
What is an API Gateway?LunchBadger
 
FIWARE Training: NGSI-LD Advanced Operations
FIWARE Training: NGSI-LD Advanced OperationsFIWARE Training: NGSI-LD Advanced Operations
FIWARE Training: NGSI-LD Advanced OperationsFIWARE
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers ProgramSession 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers ProgramFIWARE
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecAdam Paxton
 
Hydra: A Vocabulary for Hypermedia-Driven Web APIs
Hydra: A Vocabulary for Hypermedia-Driven Web APIsHydra: A Vocabulary for Hypermedia-Driven Web APIs
Hydra: A Vocabulary for Hypermedia-Driven Web APIsMarkus Lanthaler
 
Service Mesh @Lara Camp Myanmar - 02 Sep,2023
Service Mesh @Lara Camp Myanmar - 02 Sep,2023Service Mesh @Lara Camp Myanmar - 02 Sep,2023
Service Mesh @Lara Camp Myanmar - 02 Sep,2023Hello Cloud
 
Python Code Camp for Professionals 3/4
Python Code Camp for Professionals 3/4Python Code Camp for Professionals 3/4
Python Code Camp for Professionals 3/4DEVCON
 
How Bitbucket Pipelines Loads Connect UI Assets Super-fast
How Bitbucket Pipelines Loads Connect UI Assets Super-fastHow Bitbucket Pipelines Loads Connect UI Assets Super-fast
How Bitbucket Pipelines Loads Connect UI Assets Super-fastAtlassian
 

Más contenido relacionado

La actualidad más candente

OPA open policy agent
OPA open policy agentOPA open policy agent
OPA open policy agentKnoldus Inc.
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing AuthorizationTorin Sandall
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak Abhishek Koserwal
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesTorin Sandall
 
REST-API introduction for developers
REST-API introduction for developersREST-API introduction for developers
REST-API introduction for developersPatrick Savalle
 
Building Modern APIs with GraphQL
Building Modern APIs with GraphQLBuilding Modern APIs with GraphQL
Building Modern APIs with GraphQLAmazon Web Services
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentCloudOps2005
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Torsten Lodderstedt
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsJon Todd
 
Burp Extender API for Penetration Testing
Burp Extender API for Penetration TestingBurp Extender API for Penetration Testing
Burp Extender API for Penetration TestingPichaya Morimoto
 
Graphql presentation
Graphql presentationGraphql presentation
Graphql presentationVibhor Grover
 
What is an API Gateway?
What is an API Gateway?What is an API Gateway?
What is an API Gateway?LunchBadger
 
FIWARE Training: NGSI-LD Advanced Operations
FIWARE Training: NGSI-LD Advanced OperationsFIWARE Training: NGSI-LD Advanced Operations
FIWARE Training: NGSI-LD Advanced OperationsFIWARE
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers ProgramSession 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers ProgramFIWARE
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloakGuy Marom
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecAdam Paxton
 
Hydra: A Vocabulary for Hypermedia-Driven Web APIs
Hydra: A Vocabulary for Hypermedia-Driven Web APIsHydra: A Vocabulary for Hypermedia-Driven Web APIs
Hydra: A Vocabulary for Hypermedia-Driven Web APIsMarkus Lanthaler
 
Service Mesh @Lara Camp Myanmar - 02 Sep,2023
Service Mesh @Lara Camp Myanmar - 02 Sep,2023Service Mesh @Lara Camp Myanmar - 02 Sep,2023
Service Mesh @Lara Camp Myanmar - 02 Sep,2023Hello Cloud
 

La actualidad más candente (20)

OPA open policy agent
OPA open policy agentOPA open policy agent
OPA open policy agent
 
Implementing Authorization
Implementing AuthorizationImplementing Authorization
Implementing Authorization
 
Building secure applications with keycloak
Building secure applications with keycloak Building secure applications with keycloak
Building secure applications with keycloak
 
Enforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in KubernetesEnforcing Bespoke Policies in Kubernetes
Enforcing Bespoke Policies in Kubernetes
 
REST-API introduction for developers
REST-API introduction for developersREST-API introduction for developers
REST-API introduction for developers
 
Building Modern APIs with GraphQL
Building Modern APIs with GraphQLBuilding Modern APIs with GraphQL
Building Modern APIs with GraphQL
 
Kubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy AgentKubernetes Security with Calico and Open Policy Agent
Kubernetes Security with Calico and Open Policy Agent
 
Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2Comprehensive overview FAPI 1 and FAPI 2
Comprehensive overview FAPI 1 and FAPI 2
 
REST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTsREST Service Authetication with TLS & JWTs
REST Service Authetication with TLS & JWTs
 
Burp Extender API for Penetration Testing
Burp Extender API for Penetration TestingBurp Extender API for Penetration Testing
Burp Extender API for Penetration Testing
 
An Introduction To REST API
An Introduction To REST APIAn Introduction To REST API
An Introduction To REST API
 
Graphql presentation
Graphql presentationGraphql presentation
Graphql presentation
 
What is an API Gateway?
What is an API Gateway?What is an API Gateway?
What is an API Gateway?
 
FIWARE Training: NGSI-LD Advanced Operations
FIWARE Training: NGSI-LD Advanced OperationsFIWARE Training: NGSI-LD Advanced Operations
FIWARE Training: NGSI-LD Advanced Operations
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers ProgramSession 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
Session 2 - NGSI-LD primer & Smart Data Models | Train the Trainers Program
 
Secure your app with keycloak
Secure your app with keycloakSecure your app with keycloak
Secure your app with keycloak
 
Designing APIs with OpenAPI Spec
Designing APIs with OpenAPI SpecDesigning APIs with OpenAPI Spec
Designing APIs with OpenAPI Spec
 
Hydra: A Vocabulary for Hypermedia-Driven Web APIs
Hydra: A Vocabulary for Hypermedia-Driven Web APIsHydra: A Vocabulary for Hypermedia-Driven Web APIs
Hydra: A Vocabulary for Hypermedia-Driven Web APIs
 
Service Mesh @Lara Camp Myanmar - 02 Sep,2023
Service Mesh @Lara Camp Myanmar - 02 Sep,2023Service Mesh @Lara Camp Myanmar - 02 Sep,2023
Service Mesh @Lara Camp Myanmar - 02 Sep,2023
 

Similar a Rego Deep Dive

Python Code Camp for Professionals 3/4
Python Code Camp for Professionals 3/4Python Code Camp for Professionals 3/4
Python Code Camp for Professionals 3/4DEVCON
 
How Bitbucket Pipelines Loads Connect UI Assets Super-fast
How Bitbucket Pipelines Loads Connect UI Assets Super-fastHow Bitbucket Pipelines Loads Connect UI Assets Super-fast
How Bitbucket Pipelines Loads Connect UI Assets Super-fastAtlassian
 
2011 august-gdd-mexico-city-rest-json-oauth
2011 august-gdd-mexico-city-rest-json-oauth2011 august-gdd-mexico-city-rest-json-oauth
2011 august-gdd-mexico-city-rest-json-oauthikailan
 
The Open & Social Web - Kings of Code 2009
The Open & Social Web - Kings of Code 2009The Open & Social Web - Kings of Code 2009
The Open & Social Web - Kings of Code 2009Chris Chabot
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreStormpath
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreNate Barbettini
 
Connect Intergration Patterns: A Case Study - Patrick Streule
Connect Intergration Patterns: A Case Study - Patrick StreuleConnect Intergration Patterns: A Case Study - Patrick Streule
Connect Intergration Patterns: A Case Study - Patrick StreuleAtlassian
 
ES3-2020-06 Test Driven Development (TDD)
ES3-2020-06 Test Driven Development (TDD)ES3-2020-06 Test Driven Development (TDD)
ES3-2020-06 Test Driven Development (TDD)David Rodenas
 
Python Code Camp for Professionals 4/4
Python Code Camp for Professionals 4/4Python Code Camp for Professionals 4/4
Python Code Camp for Professionals 4/4DEVCON
 
Building a Dynamic Website Using Django
Building a Dynamic Website Using DjangoBuilding a Dynamic Website Using Django
Building a Dynamic Website Using DjangoNathan Eror
 
Django for Beginners
Django for BeginnersDjango for Beginners
Django for BeginnersJason Davies
 
Dynamic Authorization & Policy Control for Docker Environments
Dynamic Authorization & Policy Control for Docker EnvironmentsDynamic Authorization & Policy Control for Docker Environments
Dynamic Authorization & Policy Control for Docker EnvironmentsTorin Sandall
 
PHP Server side restful API - linkedin
PHP Server side restful API - linkedinPHP Server side restful API - linkedin
PHP Server side restful API - linkedinVũ Quang Sơn
 
Reactive Type safe Webcomponents with skateJS
Reactive Type safe Webcomponents with skateJSReactive Type safe Webcomponents with skateJS
Reactive Type safe Webcomponents with skateJSMartin Hochel
 
Apache Calcite Tutorial - BOSS 21
Apache Calcite Tutorial - BOSS 21Apache Calcite Tutorial - BOSS 21
Apache Calcite Tutorial - BOSS 21Stamatis Zampetakis
 
Gaelyk: Lightweight Groovy on the Google App Engine
Gaelyk: Lightweight Groovy on the Google App EngineGaelyk: Lightweight Groovy on the Google App Engine
Gaelyk: Lightweight Groovy on the Google App EngineTim Berglund
 
Comprehensive Browser Automation Solution using Groovy, WebDriver & Obect Model
Comprehensive Browser Automation Solution using Groovy, WebDriver & Obect ModelComprehensive Browser Automation Solution using Groovy, WebDriver & Obect Model
Comprehensive Browser Automation Solution using Groovy, WebDriver & Obect ModelvodQA
 
Pyramid Lighter/Faster/Better web apps
Pyramid Lighter/Faster/Better web appsPyramid Lighter/Faster/Better web apps
Pyramid Lighter/Faster/Better web appsDylan Jay
 
MuleSoft Surat Live Demonstration Virtual Meetup#5 - Salesforce Composite Con...
MuleSoft Surat Live Demonstration Virtual Meetup#5 - Salesforce Composite Con...MuleSoft Surat Live Demonstration Virtual Meetup#5 - Salesforce Composite Con...
MuleSoft Surat Live Demonstration Virtual Meetup#5 - Salesforce Composite Con...Jitendra Bafna
 

Similar a Rego Deep Dive (20)

Python Code Camp for Professionals 3/4
Python Code Camp for Professionals 3/4Python Code Camp for Professionals 3/4
Python Code Camp for Professionals 3/4
 
How Bitbucket Pipelines Loads Connect UI Assets Super-fast
How Bitbucket Pipelines Loads Connect UI Assets Super-fastHow Bitbucket Pipelines Loads Connect UI Assets Super-fast
How Bitbucket Pipelines Loads Connect UI Assets Super-fast
 
2011 august-gdd-mexico-city-rest-json-oauth
2011 august-gdd-mexico-city-rest-json-oauth2011 august-gdd-mexico-city-rest-json-oauth
2011 august-gdd-mexico-city-rest-json-oauth
 
The Open & Social Web - Kings of Code 2009
The Open & Social Web - Kings of Code 2009The Open & Social Web - Kings of Code 2009
The Open & Social Web - Kings of Code 2009
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET Core
 
Building Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET CoreBuilding Beautiful REST APIs in ASP.NET Core
Building Beautiful REST APIs in ASP.NET Core
 
Connect Intergration Patterns: A Case Study - Patrick Streule
Connect Intergration Patterns: A Case Study - Patrick StreuleConnect Intergration Patterns: A Case Study - Patrick Streule
Connect Intergration Patterns: A Case Study - Patrick Streule
 
ES3-2020-06 Test Driven Development (TDD)
ES3-2020-06 Test Driven Development (TDD)ES3-2020-06 Test Driven Development (TDD)
ES3-2020-06 Test Driven Development (TDD)
 
Python Code Camp for Professionals 4/4
Python Code Camp for Professionals 4/4Python Code Camp for Professionals 4/4
Python Code Camp for Professionals 4/4
 
Building a Dynamic Website Using Django
Building a Dynamic Website Using DjangoBuilding a Dynamic Website Using Django
Building a Dynamic Website Using Django
 
Django for Beginners
Django for BeginnersDjango for Beginners
Django for Beginners
 
Dynamic Authorization & Policy Control for Docker Environments
Dynamic Authorization & Policy Control for Docker EnvironmentsDynamic Authorization & Policy Control for Docker Environments
Dynamic Authorization & Policy Control for Docker Environments
 
PHP Server side restful API - linkedin
PHP Server side restful API - linkedinPHP Server side restful API - linkedin
PHP Server side restful API - linkedin
 
Reactive Type safe Webcomponents with skateJS
Reactive Type safe Webcomponents with skateJSReactive Type safe Webcomponents with skateJS
Reactive Type safe Webcomponents with skateJS
 
Apache Calcite Tutorial - BOSS 21
Apache Calcite Tutorial - BOSS 21Apache Calcite Tutorial - BOSS 21
Apache Calcite Tutorial - BOSS 21
 
Gaelyk: Lightweight Groovy on the Google App Engine
Gaelyk: Lightweight Groovy on the Google App EngineGaelyk: Lightweight Groovy on the Google App Engine
Gaelyk: Lightweight Groovy on the Google App Engine
 
Android Data Binding from zero
Android Data Binding from zeroAndroid Data Binding from zero
Android Data Binding from zero
 
Comprehensive Browser Automation Solution using Groovy, WebDriver & Obect Model
Comprehensive Browser Automation Solution using Groovy, WebDriver & Obect ModelComprehensive Browser Automation Solution using Groovy, WebDriver & Obect Model
Comprehensive Browser Automation Solution using Groovy, WebDriver & Obect Model
 
Pyramid Lighter/Faster/Better web apps
Pyramid Lighter/Faster/Better web appsPyramid Lighter/Faster/Better web apps
Pyramid Lighter/Faster/Better web apps
 
MuleSoft Surat Live Demonstration Virtual Meetup#5 - Salesforce Composite Con...
MuleSoft Surat Live Demonstration Virtual Meetup#5 - Salesforce Composite Con...MuleSoft Surat Live Demonstration Virtual Meetup#5 - Salesforce Composite Con...
MuleSoft Surat Live Demonstration Virtual Meetup#5 - Salesforce Composite Con...
 

Último

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Principled Technologies
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 

Último (20)

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 

Rego Deep Dive

  • 2. openpolicyagent.org OPA: Add fine-grained policy to other projects OPA Cloud Orchestrator Risk Management Linux Container Execution, SSH, sudo OPA Hashicorp Terraform OPA Microservice APIs Istio Linkerd OPA Placement & Admission Control
  • 3. openpolicyagent.org Use OPA to policy-enable your project Integrate Offload policy decisions from your project to OPA Author Write OPA policies that make decisions Manage Deploy OPA, retrieve policy, audit decisions, monitor health 1 2 3
  • 4. Agenda ● How Policies are Invoked ● Simple Policies ● Policies with Iteration ● Additional Topics ○ Modularity ○ Negation ○ Any/All ○ Non-boolean Decisions
  • 5. How Policies are Invoked ● Overview ● Example: ○ HTTP API Authorization
  • 7. openpolicyagent.org How Policies are Invoked DataLogic POST v1/data/<policy-name> {“input”: <JSON>} 1. Decision Request Any JSON value: ● "alice" ● ["api", "v1", "cars"] ● {"headers": {...}}
  • 8. openpolicyagent.org How Policies are Invoked DataLogic 200 OK {“result”: <JSON>} 1. Decision Request 2. Decision Response Any JSON value: ● true, false ● "bob" ● {"servers": ["server-001", …]} POST v1/data/<policy-name> {“input”: <JSON>} Any JSON value: ● "alice" ● ["api", "v1", "cars"] ● {"headers": {...}}
  • 9. openpolicyagent.org How Policies are Invoked DataLogic 200 OK {“result”: <JSON>} Input is JSON. Policy decision is JSON. 1. Decision Request 2. Decision Response POST v1/data/<policy-name> {“input”: <JSON>} Any JSON value: ● true, false ● "bob" ● {"servers": ["server-001", …]} Any JSON value: ● "alice" ● ["api", "v1", "cars"] ● {"headers": {...}}
  • 10. openpolicyagent.org Example: HTTP API Authorization DataLogic
  • 11. openpolicyagent.org Example: HTTP API Authorization DataLogic 1. Example Request to OPA POST v1/data/http/authz/allow {"input": { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob"}} 1
  • 12. openpolicyagent.org Example: HTTP API Authorization DataLogic 1. Example Request to OPA 2. Example Policy in OPA POST v1/data/http/authz/allow {"input": { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob"}} package http.authz allow { input.user == “bob” } 1 2
  • 13. openpolicyagent.org Example: HTTP API Authorization DataLogic 1. Example Request to OPA 2. Example Policy in OPA 3. Example Response from OPA POST v1/data/http/authz/allow {"input": { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob"}} package http.authz allow { input.user == “bob” } {“result”: true} 1 2 3
  • 14. Agenda ● How Policies are Invoked ● Simple Policies ● Policies with Iteration ● Additional Topics ○ Modularity ○ Negation ○ Non-boolean Decisions
  • 15. Simple Policies ● Lookup values ● Compare values ● Assign values ● Create rules ● Create functions ● Use context (data)
  • 16. openpolicyagent.org Lookup and Compare Values { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Input input.method input.path[0] Lookup values.
  • 17. openpolicyagent.org Lookup and Compare Values { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Input input.method == “GET” input.path[0] == “finance” input.user != input.method Lookup values. Compare values.
  • 18. openpolicyagent.org Lookup and Compare Values { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Input input.method == “GET” input.path[0] == “finance” input.user != input.method startswith(input.path[1], “sal”) count(input.path) > 2 Lookup values. Compare values. See 50+ operators documented at openpolicyagent.org/docs/language-reference.html
  • 19. openpolicyagent.org path := input.path path[2] == "alice" Assign Values to Variables { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Input Assign variables. Use variables like input.
  • 20. openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Rules have a Head and a Body. allow = true { input.method == "GET" input.user == "bob" }
  • 21. openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Rules have a Head and a Body. allow = true { input.method == "GET" input.user == "bob" } Rule Head
  • 22. openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Rules have a Head and a Body. allow = true { input.method == "GET" input.user == "bob" } Rule Head Name allow Value true
  • 23. openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Rules have a Head and a Body. allow { input.method == "GET" input.user == "bob" } Rule Head Name allow Value true
  • 24. openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Rules have a Head and a Body. allow { input.method == "GET" input.user == "bob" } Rule Body
  • 25. openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Rules have a Head and a Body. allow { input.method == "GET" input.user == "bob" } Rule Body Multiple statements in rule body are ANDed together.
  • 26. openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Rules have a Head and a Body. allow { input.method == "GET" input.user == "bob" } Rule Body Multiple statements in rule body are ANDed together. allow is true IF input.method equals "GET" AND input.user equals "bob"
  • 27. openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Multiple rules with same name. allow { input.method == "GET" input.user == "bob" } allow { input.method == "GET" input.user == input.path[2] }
  • 28. openpolicyagent.org Input Create Rules { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Multiple rules with same name. allow { input.method == "GET" input.user == "bob" } allow { input.method == "GET" input.user == input.path[2] }Rule Head Multiple statements with same head are ORed together.
  • 29. openpolicyagent.org Create Rules Input { "method": "POST", "path": ["finance", "salary", "alice"], "user": "bob" } Rules can be undefined. allow { input.method == "GET" input.user == "bob" } allow { input.method == "GET" input.user == input.path[2] }
  • 30. openpolicyagent.org Create Rules Input { "method": "POST", "path": ["finance", "salary", "alice"], "user": "bob" } Rules can be undefined. allow { input.method == "GET" input.user == "bob" } allow { input.method == "GET" input.user == input.path[2] } Different method. "POST" instead of "GET"
  • 31. openpolicyagent.org Create Rules Input { "method": "POST", "path": ["finance", "salary", "alice"], "user": "bob" } Rules can be undefined. allow { input.method == "GET" input.user == "bob" } allow { input.method == "GET" input.user == input.path[2] } Different method. "POST" instead of "GET" Neither rule matches. allow is undefined (not false!)
  • 32. openpolicyagent.org Create Rules Input { "method": "POST", "path": ["finance", "salary", "alice"], "user": "bob" } Use default keyword. default allow = false allow { input.method == "GET" input.user == "bob" } allow { input.method == "GET" input.user == input.path[2] }
  • 33. openpolicyagent.org Create Rules Input { "method": "POST", "path": ["finance", "salary", "alice"], "user": "bob" } Use default keyword. default allow = false allow { input.method == "GET" input.user == "bob" } allow { input.method == "GET" input.user == input.path[2] } default <name> = <value> If no rules match default value is returned.
  • 34. openpolicyagent.org Create Rules Input { "method": "POST", "path": ["finance", "salary", "alice"], "user": "bob" } Use default keyword. default allow = false allow { input.method == "GET" input.user == "bob" } allow { input.method == "GET" input.user == input.path[2] } default <name> = <value> If no rules match default value is returned. at most one default per rule set
  • 35. openpolicyagent.org Create Functions Input { "method": "GET", "path": "/finance/salary/alice", "user": "bob" } Path is a string now.
  • 36. openpolicyagent.org Create Functions Input { "method": "GET", "path": "/finance/salary/alice", "user": "bob" } Example rule default allow = false allow { trimmed := trim(input.path, "/") path := split(trimmed, "/") path = ["finance", "salary", user] input.user == user } Path is a string now.
  • 37. openpolicyagent.org { "method": "GET", "path": "/finance/salary/alice", "user": "bob" } Create Functions Input Example rule default allow = false allow { trimmed := trim(input.path, "/") path := split(trimmed, "/") path = ["finance", "salary", user] input.user == user } Path is a string now. Avoid duplicating common logic like string manipulation
  • 38. openpolicyagent.org { "method": "GET", "path": "/finance/salary/alice", "user": "bob" } Create Functions Input Put common logic into functions default allow = false allow { path := split_path(input.path) path = ["finance", "salary", user] input.user == user } split_path(str) = parts { trimmed := trim(str, "/") parts := split(trimmed, "/") } Path is a string now. Avoid duplicating common logic like string manipulation
  • 39. openpolicyagent.org { "method": "GET", "path": "/finance/salary/alice", "user": "bob" } Create Functions Input Functions are Rules with arguments. read_method(str) = true { str == "GET" } read_method(str) = true { str == "HEAD" }
  • 40. openpolicyagent.org { "method": "GET", "path": "/finance/salary/alice", "user": "bob" } Create Functions Input Functions are Rules with arguments. read_method(str) = true { str == "GET" } read_method(str) = true { str == "HEAD" } "Function" Head Multiple statements with same head are ORed together.
  • 41. openpolicyagent.org { "method": "GET", "path": "/finance/salary/alice", "user": "bob" } Create Functions Input Functions are Rules with arguments. read_method(str) { str == "GET" } read_method(str) { str == "HEAD" } "Function" Head Multiple statements with same head are ORed together.
  • 42. openpolicyagent.org Policies can use Context from Outside World PUT v1/data/<path> HTTP/1.1 Content-Type: application/json <JSON> Load Context/Data Into OPA DataLogic
  • 43. openpolicyagent.org { "users": { "alice": {"department": "legal"}, "bob": {"department": "hr"}, "janet": {"department": "r&d"} } } { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob" } Policies Use Context Data (context) Policy allow { # Users can access their own salary input.user == input.path[2] } allow { # HR can access any salary user := data.users[input.user] user.department == "hr" } Input
  • 44. openpolicyagent.org Summary Lookup values input.path[1] Compare values "bob" == input.user Assign values user := input.user Rules <head> { <body> } Rule Head <name> = <value> { … } or <name> { … } Rule Body <statement-1>; <statement-2>; … (ANDed) Multiple Rules with same name <rule-1> OR <rule-2> OR ... Default Rule Value default <name> = <value> Functions Rules with arguments Context Reference with data. instead of input.
  • 45. Agenda ● How Policies are Invoked ● Simple Policies ● Policies with Iteration ● Additional Topics ○ Modularity ○ Negation ○ Any/All ○ Non-boolean Decisions
  • 46. Policies With Iteration ● Iteration ● Virtual documents ● Virtual documents vs Functions
  • 47. openpolicyagent.org { "resources": [ {"id": "54cf10", "owner": "alice"}, {"id": "3df429": "owner": "bob"} ... ], ... } # allow if resource is at element 0 allow { input.resource == data.resources[0].id input.user == data.resources[0].owner } What about Arrays? Allow if user owns resource. Not sure where resource is in array { "user": "alice" "resource": "54cf10", } Input Data
  • 48. openpolicyagent.org { "resources": [ {"id": "54cf10", "owner": "alice"}, {"id": "3df429": "owner": "bob"} ... ], ... } # allow if resource is at element 0 allow { input.resource == data.resources[0].id input.user == data.resources[0].owner } # OR if resource is at element 1 allow { input.resource == data.resources[1].id input.user == data.resources[1].owner } What about Arrays? Allow if user owns resource. Not sure where resource is in array { "user": "alice" "resource": "54cf10", } Input Data
  • 49. openpolicyagent.org { "resources": [ {"id": "54cf10", "owner": "alice"}, {"id": "3df429": "owner": "bob"} ... ], ... } # allow if resource is at element 0 allow { input.resource == data.resources[0].id input.user == data.resources[0].owner } # OR if resource is at element 1 allow { input.resource == data.resources[1].id input.user == data.resources[1].owner } ... What about Arrays? Allow if user owns resource. Not sure where resource is in array { "user": "alice" "resource": "54cf10", } Input Data Problem: Unknown number of elements. Cannot write allow for every index.
  • 50. openpolicyagent.org { "resources": [ {"id": "54cf10", "owner": "alice"}, {"id": "3df429": "owner": "bob"} ... ], ... } # allow if resource is anywhere in array allow { input.resource == data.resources[index].id input.user == data.resources[index].owner } Iterate over Arrays Allow if user owns resource. Not sure where resource is in array { "user": "alice" "resource": "54cf10", } Input Data
  • 51. openpolicyagent.org { "resources": [ {"id": "54cf10", "owner": "alice"}, {"id": "3df429": "owner": "bob"} ... ], ... } # allow if resource is anywhere in array allow { input.resource == data.resources[index].id input.user == data.resources[index].owner } Iterate over Arrays Allow if user owns resource. Not sure where resource is in array { "user": "alice" "resource": "54cf10", } Input Data Solution: ● allow is true if SOME value for index makes the rule body true. ● OPA automatically iterates over values for index. ● allow is true for index = 0
  • 52. openpolicyagent.org Iterate over Everything Iterate over arrays/dictionaries (whether input or data) # Iterate over array indexes/values resource_obj := data.resources[index] # Iterate over dictionary key/values user_obj := data.users[name] # Doesn’t matter whether input or data value := input[key] # Use _ to ignore variable name # Iterate over just the array values resource_obj := data.resources[_] { "method": "GET", "path": ["resources", "54cf10"], "user": "bob" } Input { "resources": [ {"id": "54cf10", "owner": "alice"}, {"id": "3df429": "owner": "bob"} ], "users": { "alice": {"admin": false}, "bob": {"admin": true}, "charlie": {"admin": true}, } } Data
  • 53. openpolicyagent.org Duplicated Logic Happens with Iteration too { “users”: [ {"name": "alice", "admin": false, “dept”: “eng”}, {"name": "bob", "admin": true, “dept”: “hr”}, {"name": "charlie", "admin": true, “dept”: “eng”}, } } Data allow { user := data.users[_] user.admin == true user.name == input.user input.method == “GET” } allow { user := data.users[_] user.admin == true user.name == input.user input.method == “POST” } Duplicated logic with iteration
  • 54. openpolicyagent.org Duplicated Logic Happens with Iteration too { “users”: [ {"name": "alice", "admin": false, “dept”: “eng”}, {"name": "bob", "admin": true, “dept”: “hr”}, {"name": "charlie", "admin": true, “dept”: “eng”}, } } Data allow { user := data.users[_] user.admin == true user.name == input.user input.method == “GET” } allow { user := data.users[_] user.admin == true user.name == input.user input.method == “POST” } Duplicated logic with iteration Avoid duplicating common logic like a search for admins
  • 55. openpolicyagent.org Create a Virtual Document { “users”: [ {"name": "alice", "admin": false, “dept”: “eng”}, {"name": "bob", "admin": true, “dept”: “hr”}, {"name": "charlie", "admin": true, “dept”: “eng”}, } } Data allow { admin[input.user] input.method == “GET” } allow { admin[input.user] input.method == “POST” } admin[user.name] { user := data.users[_] user.admin == true } Duplicated logic with iteration admin is a set that contains all of the admin names Sets are an extension of JSON. admin == { "bob", "charlie" }
  • 56. openpolicyagent.org Different Syntaxes for Virtual Sets { “users”: [ {"name": "alice", "admin": false, “dept”: “eng”}, {"name": "bob", "admin": true, “dept”: “hr”}, {"name": "charlie", "admin": true, “dept”: “eng”}, } } admin[user.name] { user := data.users[_] user.admin == true } Data Rule Syntax admin = {user.name | user := data.users[_] user.admin == true } Set Comprehension Syntax
  • 57. openpolicyagent.org Different Syntaxes for Virtual Sets { “users”: [ {"name": "alice", "admin": false, “dept”: “eng”}, {"name": "bob", "admin": true, “dept”: “hr”}, {"name": "charlie", "admin": true, “dept”: “eng”}, } } admin[user.name] { user := data.users[_] user.admin == true } Data Rule Syntax admin = {user.name | user := data.users[_] user.admin == true } Set Comprehension Syntax Supports OR with multiple rules. No support for OR.
  • 58. openpolicyagent.org Create Virtual Dictionaries too { “users”: [ {"name": "alice", "admin": false, “dept”: “eng”}, {"name": "bob", "admin": true, “dept”: “hr”}, {"name": "charlie", "admin": true, “dept”: “eng”}, } } Data admin[user.name] = user.dept { user := data.users[_] user.admin == true } Rule Syntax admin = {user.name: user.dept | user := data.users[_] user.admin == true } Dictionary Comprehension Syntax
  • 59. openpolicyagent.org Virtual Docs support iteration. Functions don’t. admin[user_name] = user.dept { user := data.users[_] user.admin == true user.name == user_name } admin(user_name) = user.dept { user := data.users[_] user.admin == true user.name == user_name } Dictionary Function # lookup bob’s department admin[“bob”] # iterate over all user/dept pairs admin[user] = department # iterate over everyone in HR admin[user] == “hr” # lookup bob’s department admin(“bob”) # iterate over all user/dept pairs Can’t. Write different function. # iterate over everyone in HR Can’t.
  • 60. openpolicyagent.org Virtual Documents must be finite. Functions don’t. Can’t express split_path. Virtual docs must be “safe”. Safety means the set of all input/output pairs is finite. split_path takes any string as input. There are infinitely strings. split_path(str) = parts { trimmed := trim(str, "/") parts := split(trimmed, "/") } Virtual Doc Function
  • 61. Agenda ● How Policies are Invoked ● Simple Policies ● Policies with Iteration ● Additional Topics ○ Modularity ○ Negation ○ Any/All ○ Non-boolean Decisions
  • 62. openpolicyagent.org People can Create Multiple Policies and Delegate package http.service_graph allow { input.source == “frontend” input.destination == “finance” } ... Service graph policy package http.org_chart allow { admin[user.input] } ... Organization chart policy package http.authz import data.http.service_graph import data.http.org_chart allow { org_chart.allow service_graph.allow } Entry point policy
  • 63. openpolicyagent.org Policies can use Negation package http.service_graph deny { input.source == “frontend” input.destination == “finance” } ... Service graph policy package http.org_chart allow { admin[user.input] } Organization chart policy package http.authz import data.http.service_graph import data.http.org_chart allow { org_chart.allow not service_graph.deny not deny } deny { ... } Entry point policy
  • 64. openpolicyagent.org { “users”: { "alice": {"admin": false, “org_code”: “11”}, "bob": {"admin": true, “org_code”: “22”}, "charlie": {"admin": true, “org_code”: “33”} } } Any vs. All Data Check if all users are admins. Wrong ans: all_admins = true { data.users[user_name].admin == true }
  • 65. openpolicyagent.org { “users”: { "alice": {"admin": false, “org_code”: “11”}, "bob": {"admin": true, “org_code”: “22”}, "charlie": {"admin": true, “org_code”: “33”} } } Any vs. All Data Check if all users are admins. Wrong ans: all_admins = true { data.users[user_name].admin == true } Problem: all_admins is true if ANY users are admins.
  • 66. openpolicyagent.org { “users”: { "alice": {"admin": false, “org_code”: “11”}, "bob": {"admin": true, “org_code”: “22”}, "charlie": {"admin": true, “org_code”: “33”} } } Any vs. All Data Check if all users are admins. all_admins = true { not any_non_admins } any_non_admins = true { user := data.users[user_name] not user.admin } Solution: 1. Check if any users are NOT admins 2. Complement (1)
  • 67. openpolicyagent.org { “users”: { "alice": {"admin": false, “org_code”: “11”}, "bob": {"admin": true, “org_code”: “22”}, "charlie": {"admin": true, “org_code”: “33”} } } Any vs. All Data Check if all users are admins. all_admins = true { not any_non_admins } any_non_admins = true { user := data.users[user_name] not user.admin } Solution: 1. Check if any users are NOT admins 2. Complement (1)
  • 68. openpolicyagent.org allow/deny are NOT special. Decisions are JSON DataLogic POST v1/data/http/authz/admin {"input": { "method": "GET", "path": ["finance", "salary", "alice"], "user": "bob"}} 2. Example Policy 1. Example Request 3. Example Response {“result”: [“bob”, “charlie”]} package http.authz import data.http.service_graph import data.http.org_chart admin[x] { org_chart.admin[x] } admin[x] { service_graph.admin[x] } Sets defined with multiple rules are unioned together. Policy decision can be any JSON data: boolean, number, string, null, array, or dictionary. Sets are serialized to JSON arrays.
  • 71. openpolicyagent.org Policies Iterate to Search for Data { “users”: { "alice": {"admin": false, “org_code”: “11”}, "bob": {"admin": true, “org_code”: “22”}, "charlie": {"admin": true, “org_code”: “33”} }, “orgs”: { “00”: {“name”: “HR”}, “11”: {“name”: “Legal”}, “22”: {“name”: “Research”}, “33”: {“name”: “IT”}, “44”: {“name”: “Accounting”}, } } Data Search for the data you need user_obj user_name org_name {"admin": true, ...} bob Research {"admin": true, ...} charlie IT # Find admin users and their organization user_obj := data.users[user_name]; user_obj.admin == true; org_name := data.orgs[user_obj.org_code].name Variable assignments that satisfy search criteria
  • 72. openpolicyagent.org Policies Give Names to Search Results Data Name the search results admins[[org_name, user_name]] { user_obj := data.users[user_name] user_obj.admin == true org_name := data.orgs[user_obj.org_code].name } { “users”: { "alice": {"admin": false, “org_code”: “11”}, "bob": {"admin": true, “org_code”: “22”}, "charlie": {"admin": true, “org_code”: “33”} }, “orgs”: { “00”: {“name”: “HR”}, “11”: {“name”: “Legal”}, “22”: {“name”: “Research”}, “33”: {“name”: “IT”}, “44”: {“name”: “Accounting”}, } } admins is a set that contains all of the [org_name, user_name] pairs that make the body true. admins == { ["Research", "bob"], ["IT", "charlie"], }
  • 73. openpolicyagent.org Policies Apply Search Results to Make Decisions Input { “users”: { "alice": {"admin": false, “org_code”: “11”}, "bob": {"admin": true, “org_code”: “22”}, "charlie": {"admin": true, “org_code”: “33”} }, “orgs”: { “00”: {“name”: “HR”}, “11”: {“name”: “Legal”}, “22”: {“name”: “Research”}, ... Apply the search results allow { # allow admins to do everything admins[[_, input.user]] } admins[[org_name, user_name]] { user_obj := data.users[user_name] user_obj.admin == true org_name := data.orgs[user_obj.org_code].name } Check if bob is an admin Lookup IT admins Iterate over all pairs admins[[_, “bob”]] admins[[“IT”, name]] admins[x] { "method": "GET", "path": ["resources", "54cf10"], "user": "bob" } Data