Dynamic policies adoption
- Under review
Context & Scope
It is necessary to introduce dynamic policies to OSDU in order to satisfy E&O requirements. E&O incubator project has been developing Policy service that is used for policy management. This new policy service needs to be integrated with OSDU services such as storage and search. This integration is done in common business logic of those services. For example, storage service calls out to Policy service to make a decision if user call should be allowed or not based on the provided context and existing policies.
Policy service depends on 3rd party open-source component Open Policy Agent (OPA). CSPs will add OPA to their provisioned infrastructure at different rate. Customers will have different adoption times for dynamic policies.
This ADR is proposing adoption of dynamic policies (Policy service integration in OSDU) through data partition flag. Data partitions that have flag to use dynamic policies set to true will use Policy service. Requests to data partitions without the flag (or flag set to false) will use current implementation that does not use Policy service.
Accepting this ADR will ensure that different CSPs can adopt dynamic policies at different rate and with different maturity status (e.g., experimental feature). At the same time, customers having multi-partition OSDU deployment will be able to adopt policies in some data partitions while still using legacy model in others.
In order to support data partitions with dynamic policies, CSP will need to:
- Insure OPA is deployed with their infrastructure
- Insure Policy service is part of their deployment
Until this is done, there will be no runtime impact on specific CSP deployment until dynamic policy enabled flag is set on some of its data partitions.
Tradeoff Analysis - Input to decision
This adoption plan helps manage multiple risks included with adoption of policy service. In addition to above mentioned, it:
- Helps manage knowledge gap and associated potential catastrophic end user errors
- Helps reduce potential performance impact dynamic policies might have
- Gives opportunity to mature before it becomes the only supported solution
The only challenge this adoption plan could have is its dependency on data partitions. Technically, this is not the case though. For CSPs that have adopted Partition service, they can use the service to set the flag. Others have a dependency on TenantInfo table used within the common library and the flag can be set there.