Watch rules changes on remote repositories

ory / oathkeeper

A cloud native Identity & Access Proxy / API (IAP) and Access Control Decision API that authenticates, authorizes, and mutates incoming HTTP(s) requests. Inspired by the BeyondCorp / Zero Trust white paper. Written in Go.

Apache License 2.0

3.23k stars 356 forks source link

Preflight checklist

[X] I could not find a solution in the existing issues, docs, nor discussions.
[X] I agree to follow this project's Code of Conduct.
[X] I have read and am following this repository's Contribution Guidelines.
[ ] This issue affects my Ory Network project.
[X] I have joined the Ory Community Slack.
[X] I am signed up to the Ory Security Patch Newsletter.

Describe your problem

Matching rules and Oathkeeper instances deployed can follow different lifecycle for fs type repositories because there are reloaded automatically on watch changed. We may want to update the rules without deploying again OAthkeeper when the repositories are remote repositories (s3, gcs, azblob) as well.

Describe your ideal solution

A convenient solution would be to fetch again the rules from the remote repository when those rules change.

One solution could be to use a watcher on the buckets when it is possible but it can lead to higher permission needs in order to apply this watcher.

Another solution would be to scrape with a configurable duration interval the content of the bucket and/or the objects metadata to detect rules file changes. The scrape behavior is something similar to the Prometheus mechanism for instance. The advantage of this solution is that does not require higher privileges and is flexible with some configurations.

Workarounds or alternatives

An alternative would be to use the existing FS watcher and make the pull mechanism described above run on as a cron for example.

Another alternative is to deploy again each time a rules change has been done.

Version

0.40

Additional Context

OAthKeeper is planned to be deployed to authenticate requests in a distributed (microservices) architecture.

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

open a PR referencing and resolving the issue;
leave a comment on it and discuss ideas on how you could contribute towards resolving it;
leave a comment and describe in detail why this issue is critical for your use case;
open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️

ory / oathkeeper