search

opentdf / platform

Persistent data centric security that extends owner control wherever data travels
BSD 3-Clause Clear License
19 stars 11 forks source link

ADR: Open Policy Agent (OPA) removal #630

Closed pflynn-virtru closed 7 months ago

pflynn-virtru commented 7 months ago

Open Policy Agent removal

Context and Problem Statement

Currently, we use OPA for our entitlement PDP.

Screenshot 2024-04-22 at 2 25 22 PM

This is the next iteration, soon-to-be-merged. Note most logic is removed from .rego, basically it is just glue at this point.

Screenshot 2024-04-24 at 11 21 18 AM

Relevant ADR

Entitlement Policy Deployment Model https://github.com/opentdf/platform/issues/472 Configuration Service https://github.com/virtru-corp/adr/blob/main/docs/decisions/ar-8-config-service-v2.md

Decision Outcome

Decision Notes

Decision Drivers

Considered Options

⚖️ Remove OPA library

Create a pure Go implementation of the Entitlement PDP. Mimic what is done with Access PDP

⚖️ Optional OPA library

Create a pure Go implementation of the Entitlement PDP. Leave OPA-Entitlement PDP. Create a configuration to enable.

authorization:
  entitlement:
    # native Golang
    pdp: default
    # unsupported OPA
    pdp: opa

⚖️ Optional Entitlement PDP Service integration with OPA example

Create a pure Go implementation of the Entitlement PDP. Remove OPA-Entitlement PDP. Create a configuration to enable.

authorization:
  entitlement:
    # native Golang
    pdp: default
    # unsupported
    pdp: remote
    url: https://pdp-opa-service/entitlement

The design could be similar to the v1 entitlement PDP https://github.com/opentdf/backend/tree/main/containers/entitlement-pdp

⚖️ Support and Keep OPA

jrschumacher commented 7 months ago

Great work @pflynn-virtru. I think you are calling out some important trade-offs. It seems that if we chose Option 1 we could cue up additional work to implement Option 3. Would this enable customers to hook into their existing authorization service like Strya, Permit.io, or AuthZed?

strantalis commented 7 months ago

@pflynn-virtru Thanks for putting this together. In option 3 it would be neat if we defined a set of protobuf that someone could implement. This way we would have that strict contract when calling out to those external services.

I believe istio does something similar here with the external authorizer.

ttschampel commented 7 months ago

I think we either do nothing or option 1.

It sounds like OPA is causing to much friction at the moment for our developers; if this is true then option 1 seems like the only choice.

We have not fully implemented and tested a full set of scenarios E2E flows through the Authorization Service RPCs; given this current state I think only option 1 really makes sense. The ERS will capture the complexity and customization for near term deployments. Until we fully understand what should be easily configurable (ABAC auth, entitlements, entity resolution, etc.)

An example would be someone has their own entitlements service already. Does the entitlement service speak ABAC and the Attribute space within the deployment? Should those entitlements be transformed via subject mappings? At a certain point someone could just use the existing spec and plugin in their own RPCs per the protobuf service apis.

damorris25 commented 7 months ago

I'd advocate doing nothing until we have a fully working platform that is stable, reliable, and well-documented. At that stage, iterating on improvements to the platform would make sense.

pflynn-virtru commented 7 months ago

Added last minute option: "Support and Keep OPA"