Closed pranavr12 closed 1 month ago
re @Randgalt
I think the OpaClient approach somewhat defeats the point of having direct support for OPA. If you bind both OpaClient and OpaS3SecurityMapper (which is required) with custom implementations, all the core proxy does is:
mapper.toSecurityResponse(opaClient.requestSecurityResponse(mapper.toOparequest(...)))
In this case I think it's better off to just implement a custom S3SecurityFacadeProvider and not use any of the provided OPA utility.
This approach doesn't quite provide the short-circuit functionality. The mapper would have to return some special OpaRequest that the OpaClient would recognise as a short-circuit and not fire a request for. This seems quite convoluted and I personally prefer returning a SecurityResponse from the mapper.
Related to https://github.com/trinodb/aws-proxy/issues/148