ADR: Make OPA configuration dynamically updatable
Status
- Proposed
- Trialing
- Under review
- Approved
- Retired
Context
OSDU has adopted Rego as the language for defining policies and Open Policy Agent (OPA) as the internal solution for managing and enforcing them. To enforce a policy, the various OSDU services call the Policy Service, which internally calls the OPA API. Some services (Storage) bypass the Policy Service and make low-level calls to OPA directly.
Today the OPA configuration is managed entirely by the CSPs, generally as a Kubernetes ConfigMap. Because that configuration is static and can only be changed from the backend, it breaks the ability to add a partition through the Partition create API.
As a result, once a new partition is created the following services become impacted:
- Storage
- Search
Any services that depend on the above, including but not limited to:
For additional context see the following issues and links:
The workaround:
- The workaround requires backend access and manual updates to the OPA configuration. See workaround
Scope
Implement APIs to manage OPA configuration.
Solution
Update the Policy Service /bootstrap API to also create, update and manage the ConfigMap for OPA.
Consequences
- Kubernetes permissions allowing the Policy Service to read and update the OPA ConfigMap (opa-agent) will be required.
- CSPs must not update the ConfigMap once it has been created, since the Policy Service becomes its owner.
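One least-privilege way to grant the permission named in the first consequence, as an added example that is not part of this ADR or of the Policy Service code: a namespaced Role scoped with resourceNames to the single ConfigMap OPA consumes, bound to the Policy Service's ServiceAccount. The namespace osdu and the ServiceAccount name policy-service are assumptions; the ConfigMap name opa-agent is the one the ADR names.

```yaml
# Added example (not from the ADR): least-privilege RBAC for the Policy Service
# bootstrap API to manage the OPA ConfigMap. Namespace and ServiceAccount name
# are assumptions; the ConfigMap name opa-agent is the one the ADR names.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: opa-config-manager
  namespace: osdu            # assumed namespace OPA and the Policy Service run in
rules:
  # Read and update only the one ConfigMap OPA consumes; resourceNames keeps
  # the bootstrap API from touching any other ConfigMap in the namespace.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["opa-agent"]
    verbs: ["get", "update", "patch"]
  # Kubernetes cannot restrict create by resourceName, so create is a separate
  # rule. Drop this rule (and have the CSP pre-create an empty opa-agent
  # ConfigMap) if the bootstrap API must never create ConfigMaps of other names.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: policy-service-opa-config
  namespace: osdu            # assumed namespace
subjects:
  - kind: ServiceAccount
    name: policy-service     # assumed ServiceAccount of the Policy Service
    namespace: osdu
roleRef:
  kind: Role
  name: opa-config-manager
  apiGroup: rbac.authorization.k8s.io
```

Using a Role rather than a ClusterRole keeps the grant inside the namespace OPA runs in, and no list, watch or delete verb is given because the bootstrap API does not need them. The second consequence (CSPs no longer editing the ConfigMap) can be checked from the Kubernetes audit log: any update or patch of the opa-agent ConfigMap by a subject other than the policy-service ServiceAccount is an out-of-band change worth alerting on.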
Futures
- At a later date the Partition Service could be configured to call the Policy Service bootstrap API itself, removing the burden of having to call an additional API.