trinodb / aws-proxy

Proxy for S3
Apache License 2.0

Add OpaS3SecurityFacade #149

Closed pranavr12 closed 1 month ago

pranavr12 commented 2 months ago

Related to https://github.com/trinodb/aws-proxy/issues/148

mosiac1 commented 1 month ago

re @Randgalt

I think the OpaClient approach somewhat defeats the point of having direct support for OPA. If you bind both OpaClient and OpaS3SecurityMapper (which is required) with custom implementations, all the core proxy does is:

mapper.toSecurityResponse(opaClient.requestSecurityResponse(mapper.toOparequest(...)))

In this case I think it's better off to just implement a custom S3SecurityFacadeProvider and not use any of the provided OPA utilities.

This approach doesn't quite provide the short-circuit functionality. The mapper would have to return some special OpaRequest that the OpaClient would recognise as a short-circuit and not fire a request for. This seems quite convoluted and I personally prefer returning a SecurityResponse from the mapper.