search

gravitational / teleport

The easiest, and most secure way to access and protect all of your infrastructure.
https://goteleport.com
GNU Affero General Public License v3.0
17.41k stars 1.74k forks source link

Consider adding support for Open Policy Agent #4597

Open klizhentas opened 3 years ago

klizhentas commented 3 years ago

Feature Request

https://www.openpolicyagent.org/

Embed it as a library to support RBAC definitiions, people can create OPA roles in our RBAC:

role: v3
name: opa-policy
spec:
   policy | 
      package application.authz

      # Only owner can update the pet's information
      # Ownership information is provided as part of OPA's input
      default allow = false
      allow {
          input.method == "PUT"
           some petid
           input.path = ["pets", petid]
           input.user == input.owner
      }
klizhentas commented 3 years ago

Any community interest? :+1: if you are interested in using it and share your use case

benarent commented 3 years ago

We've a +1 from a community user. https://github.com/gravitational/teleport/issues/3454#issuecomment-679830076

rosskusler commented 3 years ago

One use case would be fine grained control over who can login under what conditions. Alice can login to this server, but only between 8-5 PT, etc. Kelly can log into this server, but only from the Miami jumphost. Jerry can ssh into this server, but only if running a non-interactive command that matches the pattern 'rm /home/jerry/logs//.gz', etc.

jonathanmyers commented 3 years ago

We've encountered a limitation of teleport's existing yaml RBAC scheme that OPA would solve. kubernetes_label and kubernetes_group are not related, so it's not possible to selectively grant a role on one cluster without granting it on all clusters. For example, we would like to grant a role system:masters permissions on one cluster, but a limited role on all others, but today adding system:masters to a role grants them that permission on all enabled clusters.

Of course, this could be fixed by changing teleport's current yaml configuration to support binding these two flags, but I suspect there will be other cases like this as users try to set up more complex RBAC controls. Open policy agent as a general purpose solution is attractive since it would support arbitrarily complex policies.

OPA is also an interesting possibility for more standard authorization, which would be helpful since many current teleport users like us have to juggle identity provider RBAC (eg. Okta), teleport RBAC, cloud provider RBAC (e.g. AWS IAM), and kubernetes RBAC.

Valien commented 2 years ago

+1 for interest here as well. Talking to a group that is also interested in adding this capability into Teleport.

tz-torchai commented 2 years ago

It seems this issue has gained a lot more community interests comparing to other open issues.

Just to add some info here, there is gatekeeper with some benefits comparing to OPA.

kotyara85 commented 2 years ago

+1

kotyara85 commented 2 years ago

Would be cool to actually plug it in as an external rbac system

dumez-k commented 1 year ago

Was just asked by a potential customer about Teleport's OPA support at KubeconEU.

jwieder commented 2 weeks ago

im an enterprise customer with likely use case for this