OPAAuthzMiddleware (Open Policy Agent)
Overview
OPAAuthzMiddleware authorize requests with Open Policy Agent.
Config yaml format becomes like below. And the resource specific spec is defined in in the proto format shown in the Resource Definition.
apiVersion: app/v1
kind: OPAAuthzMiddleware
metadata:
name: "default"
namespace: "default"
spec: {}
Resource Definition
OPAAuthzMiddleware is defined in the proto/app/v1/authz/opa.proto
1syntax = "proto3";
2package app.v1;
3
4import "buf/validate/validate.proto";
5import "kernel/resource.proto";
6
7option go_package = "github.com/aileron-gateway/aileron-gateway/apis/app/v1";
8
9// OPAAuthzMiddleware resource definition.
10// apiVersion="app/v1", kind="OPAAuthzMiddleware".
11message OPAAuthzMiddleware {
12 string APIVersion = 1 [json_name = "apiVersion"];
13 string Kind = 2 [json_name = "kind"];
14 kernel.Metadata Metadata = 3 [json_name = "metadata"];
15 OPAAuthzMiddlewareSpec Spec = 4 [json_name = "spec"];
16}
17
18// OPAAuthzMiddlewareSpec is the specifications of the OPAAuthzMiddleware object.
19message OPAAuthzMiddlewareSpec {
20 // [OPTIONAL]
21 // Logger is the reference to a Logger object.
22 // Referred object must implement Logger interface.
23 // Default Logger is used when not set.
24 kernel.Reference Logger = 1 [json_name = "logger"];
25
26 // [OPTIONAL]
27 // ErrorHandler is the reference to a ErrorHandler object.
28 // Referred object must implement ErrorHandler interface.
29 // Default error handler is used when not set.
30 kernel.Reference ErrorHandler = 2 [json_name = "errorHandler"];
31
32 // [OPTIONAL]
33 // ClaimsKey is the key to get claims to be used for authorization.
34 // This value should be matched to the one which is set in the authentication handler
35 // when using this authorization handler with any authentication handler.
36 // Found values are accessible from rego through "input.auth".
37 // Default is ["AuthnClaims"].
38 string ClaimsKey = 3 [json_name = "claimsKey", (buf.validate.field).string.pattern = "^[0-9A-Za-z-_.]+$"];
39
40 // [OPTIONAL]
41 // EnvData allows optional input of host environment information.
42 // Configured data is available as "input.env" in regos.
43 // Default is not set.
44 EnvDataSpec EnvData = 5 [json_name = "envData"];
45
46 // [OPTIONAL]
47 // Regos is the list of rego policies.
48 // This is optional but should be set at least one to make authorization work.
49 // Default is not set.
50 repeated RegoSpec Regos = 6 [json_name = "regos"];
51
52 // [OPTIONAL]
53 // EnableTrace enables tracing of the policy decision.
54 // Tace logs are input to the logger.
55 // Trace logs are output as-is even the logger is json-based structural logger.
56 // That means the trace logs are output with any log level.
57 // Trace should be disabled in production environment for performance.
58 // Default is [false].
59 bool EnableTrace = 7 [json_name = "enableTrace"];
60}
61
62// RegoSpec is the specification of a OPA rego.
63// See the OPA's official documents for details at https://www.openpolicyagent.org/docs/latest/
64message RegoSpec {
65 // [OPTIONAL]
66 // QueryParameter is the name of the parameter that is used in
67 // the Regos to represent the target was authrorized or not.
68 // For example, "data.authz.allow".
69 // Default is ["data.authz.allow"].
70 string QueryParameter = 1 [json_name = "queryParameter", (buf.validate.field).string.min_len = 1];
71
72 // [OPTIONAL]
73 // PolicyFiles is the list of Rego policy file paths.
74 // Online playground for rego is available at https://play.openpolicyagent.org/
75 // Policies are loaded as a module
76 // https://pkg.go.dev/github.com/open-policy-agent/opa/rego#Module.
77 // Default is not set.
78 repeated string PolicyFiles = 2 [json_name = "policyFiles", (buf.validate.field).repeated.min_items = 1];
79
80 // [OPTIONAL]
81 // BundlePaths is the list of bundle paths.
82 // If a path starts with "http://" or "https://",
83 // it is considered to be an endpoint to a bundle server and
84 // bundles are requested to the specified endpoint with GET request.
85 // If a path does not starts with "http://" or "https://",
86 // the path is considered to be a path in local file system.
87 // If a single file path is provided, it will be treated as a normal tarball bundle.
88 // If a directory path is provided, it will be loaded as an unzipped bundle tree.
89 // See https://www.openpolicyagent.org/docs/latest/management-bundles/.
90 // Default is not set.
91 repeated string BundlePaths = 3 [json_name = "bundlePaths"];
92
93 // [OPTIONAL]
94 // BundleVerification is the bundle verification configuration.
95 // To skip bundle verifications, use SkipBundleVerification.
96 // See https://www.openpolicyagent.org/docs/latest/management-bundles.
97 // Default is not set.
98 BundleVerificationSpec BundleVerification = 4 [json_name = "bundleVerification"];
99
100 // [OPTIONAL]
101 // SkipBundleVerification if true, skips verification of a signed bundle.
102 // To configure verification, use BundleVerification.
103 // See https://pkg.go.dev/github.com/open-policy-agent/opa/rego#SkipBundleVerification
104 // and https://www.openpolicyagent.org/docs/latest/management-bundles/#signature-verification.
105 // Default is [false].
106 bool SkipBundleVerification = 5 [json_name = "skipBundleVerification"];
107
108 // [OPTIONAL]
109 // EnablePrintStatements enables print() calls in regos.
110 // If false, print() calls will be erased from the policy.
111 // Note that the outputs of the print() stateents are passed to the logger as-is.
112 // It means they are output with any log levels and
113 // no formatting will be applied even using a json logger.
114 // See https://pkg.go.dev/github.com/open-policy-agent/opa/rego#EnablePrintStatements
115 // Default is [false].
116 bool EnablePrintStatements = 6 [json_name = "enablePrintStatements"];
117
118 // [OPTIONAL]
119 // ShallowInlining prevents rules that depend on unknown values
120 // from being inlined. Rules that only depend on known values are inlined.
121 // See https://pkg.go.dev/github.com/open-policy-agent/opa/rego#ShallowInlining
122 // Default is [false].
123 bool ShallowInlining = 7 [json_name = "shallowInlining"];
124
125 // [OPTIONAL]
126 // Strict enables or disables strict-mode in the compiler.
127 // See https://pkg.go.dev/github.com/open-policy-agent/opa/rego#Strict and
128 // https://www.openpolicyagent.org/docs/latest/policy-language/#strict-mode.
129 // Default is [false].
130 bool Strict = 8 [json_name = "strict"];
131
132 // [OPTIONAL]
133 // StrictBuiltinErrors tells the evaluator to treat
134 // all built-in function errors as fatal errors.
135 // See https://pkg.go.dev/github.com/open-policy-agent/opa/rego#StrictBuiltinErrors
136 // and https://www.openpolicyagent.org/docs/latest/policy-language/#errors.
137 // Default is [false].
138 bool StrictBuiltinErrors = 9 [json_name = "strictBuiltinErrors"];
139
140 // [OPTIONAL]
141 // RoundTripper is the references to a roundTripper object.
142 // Referred object must implement RoundTripper interface.
143 // This round tripper is used for getting data
144 // from the specified endpoints.
145 // Use Header field to add custom HTTP headers to the requests.
146 // Default is not set.
147 kernel.Reference RoundTripper = 10 [json_name = "roundTripper"];
148
149 // [OPTIONAL]
150 // Header is the HTTP header name and value list.
151 // Specified headers are added to the HTTP requests
152 // when getting model and policies from HTTP endpoints.
153 // This is mainly intended for adding Authorization header.
154 // Default is not set.
155 map<string, string> Header = 11 [json_name = "header"];
156
157 oneof Stores {
158 FileStore FileStore = 15 [json_name = "fileStore"];
159 HTTPStore HTTPStore = 16 [json_name = "httpStore"];
160 }
161}
162
163message BundleVerificationSpec {
164 // [REQUIRED]
165 // VerificationKeys is the list of verification keys
166 // used for verifying bundles.
167 // Default is not set.
168 repeated VerificationKeySpec VerificationKeys = 1 [json_name = "verificationKeys"];
169
170 // [REQUIRED]
171 // KeyID is the key id, or kid value of JWTs, used for validating bundles.
172 // If set, bundles must be signed with the specified key.
173 // At least a public key corresponding to this KeyID should be
174 // confiured to the PublicKeys.
175 // If not set, verification keys are looked up from PublicKeys
176 // with the kid obtained from bundles.
177 // Default is not set.
178 string KeyID = 2 [json_name = "keyID"];
179
180 // [OPTIONAL]
181 // Scope is the scope of valid bundle.
182 // If not set, scope value configured in the VerificationKeys
183 // are used.
184 // This value is optional but at least one of this field or
185 // Scope in the VerificationKeys are required for verification.
186 // Default is not set.
187 string Scope = 3 [json_name = "scope"];
188
189 // [OPTIONAL]
190 // Excludes are files in the bundle to exclude during verification.
191 // Default is not set.
192 repeated string Excludes = 4 [json_name = "excludes"];
193}
194
195message VerificationKeySpec {
196 // [REQUIRED]
197 // KeyID is the key id, or kid value of JWTs, of the key.
198 // Bundle verification keys are looked up by this id.
199 // Verification will fail if no keys were found.
200 // Default is not set.
201 string KeyID = 1 [json_name = "keyID"];
202
203 // [OPTIONAL]
204 // Scope is the scope that this key is valid.
205 // This value is overwritten by the value of BundleVerificationSpec.
206 // Default is not set.
207 string Scope = 2 [json_name = "scope"];
208
209 // [OPTIONAL]
210 // Algorithm is the signature algorith this key can be used for.
211 // Supported algorithms are as follows.
212 // "ES256", "ES384", "ES512"
213 // "HS256", "HS384", "HS512"
214 // "PS256", "PS384", "PS512"
215 // "RS256", "RS384", "RS512"
216 // If not set "RS256" is used.
217 // Default is not set.
218 string Algorithm = 3 [json_name = "algorithm"];
219
220 // [REQUIRED]
221 // KeyFile is the file path that contains key data
222 // corresponging to the algorithm.
223 // The file should contains common key for HS
224 // and pem format public key for others.
225 // For example, "/tmp/keys/foo_public.pem".
226 // Default is not set.
227 string KeyFile = 4 [json_name = "keyFile"];
228}
229
230message EnvDataSpec {
231 // [OPTIONAL]
232 // Vars is the list of environmental variable names
233 // to make accessible from rego.
234 // Values are available with "input.env.vars".
235 // Default is not set.
236 repeated string Vars = 1 [json_name = "vars"];
237
238 // [OPTIONAL]
239 // PID makes the Process ID available in regos.
240 // The PID is available with "input.env.pid".
241 // Default is [false].
242 bool PID = 2 [json_name = "pid"];
243
244 // [OPTIONAL]
245 // PPID makes the Parent Process ID available in regos.
246 // The PPID is available with "input.env.ppid".
247 // Default is [false].
248 bool PPID = 3 [json_name = "ppid"];
249
250 // [OPTIONAL]
251 // GID makes the Group ID available in regos.
252 // The GID is available with "input.env.gid".
253 // On Windows, -1.
254 // Default is [false].
255 bool GID = 4 [json_name = "gid"];
256
257 // [OPTIONAL]
258 // UID makes the User ID available in regos.
259 // The UID is available with "input.env.uid".
260 // Default is [false].
261 bool UID = 5 [json_name = "uid"];
262}
263
264message FileStore {
265 // [REQUIRED]
266 // Path is the storage path and data file path paires.
267 // Data file should go in the values and their paths in
268 // a storage should go in the keys.
269 // e.g. `"/authz": "data/authz/users.json"`.
270 // File extension must be one of ".csv", ".json", ".yaml", ".yml".
271 // Default is not set.
272 map<string, string> Path = 1 [json_name = "path"];
273
274 // [OPTIONAL]
275 // Directory is the directory for OPA disk storage.
276 // If set, the stored data is kept on the disk storage
277 // under the specified directory rather than using
278 // memory storage.
279 // Note that each files are temporarily load on memory
280 // of their entire data even using disk storage.
281 // If not set or empty string, all data is stored on a meory storage.
282 // See the following documentation for in-memory and disk storages.
283 // https://pkg.go.dev/github.com/open-policy-agent/opa/storage/disk
284 // https://pkg.go.dev/github.com/open-policy-agent/opa/storage/inmem
285 // Default is not set.
286 string Directory = 2 [json_name = "directory"];
287}
288
289message HTTPStore {
290 // [REQUIRED]
291 // Endpoint is the storage path and HTTP endpoint paires.
292 // Endpoints should go in the values and their paths in
293 // a storage should go in the keys.
294 // e.g. `"/authz": "http://example.com/data/authz/users.json"`.
295 // Response status code must be 200 OK.
296 // Response content-type must be "application/" or "text/"
297 // + one of "csv", "json", "yaml", "yml".
298 // Default is not set.
299 map<string, string> Endpoint = 1 [json_name = "endpoint"];
300
301 // [OPTIONAL]
302 // Directory is the directory for OPA disk storage.
303 // If set, the stored data is kept on the disk storage
304 // under the specified directory rather than using
305 // memory storage.
306 // Note that each files are temporarily load on memory
307 // of their entire data even using disk storage.
308 // If not set or empty string, all data is stored on a meory storage.
309 // See the following documentation for in-memory and disk storages.
310 // https://pkg.go.dev/github.com/open-policy-agent/opa/storage/disk
311 // https://pkg.go.dev/github.com/open-policy-agent/opa/storage/inmem
312 // Default is not set.
313 string Directory = 2 [json_name = "directory"];
314
315 // [OPTIONAL]
316 // Partitions is the list of partitions for disk storage.
317 // Partitions enables efficient data layout.
318 // Partitions are use only for disk storage and not
319 // used for in-memory storage.
320 // See the disk storage description here
321 // https://www.openpolicyagent.org/docs/latest/storage/
322 // https://www.openpolicyagent.org/docs/latest/configuration/#disk-storage
323 // Default is not set.
324 repeated string Partitions = 3 [json_name = "partitions"];
325}
フィードバック
このページは役に立ちましたか?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.