Here we describe the MVP for the new design of the Policy service. The service encapsulates the data retrieval needed to validate a data authorization request for any DDMS.

This allows better extensibility over time, because it decouples the calling services from the data needed to evaluate policies. That matters because new policies, drawing on new data sources, are likely to be needed over time; today each such change would impact every consuming service.

The aim is to check the performance and scalability of the data authz workflow of this new design.

![Untitled Diagram (14).drawio (3).png](/.attachments/Untitled%20Diagram%20(14).drawio%20(3)-b35c7ffe-a48a-43d4-bc28-f5722d8bbb33.png)

The sections in bold show the parts we will enable first. The other components are shown as an overview of what a complete solution would look like.

We will make use of the 'Evaluation Pull' mechanism, where the policy retrieves and caches the data it needs to perform evaluations. The data to evaluate against is highly dynamic and potentially very large, so it cannot all be held in the policy agent at the same time. That makes pull the most suitable design choice to evaluate.

### Example usage

Below we show example API requests to OPA for CREATE and UPDATE operations. These are the workflows we will test first; they correspond to the 'PUT /record' (create/update records) operation in the Storage service.

READ operations would require more work to integrate as an 'Evaluation Pull', so we will leave them until after the initial validation.

**Create/Update**

Request example

```
curl --location --request POST 'http://localhost:8181/v1/data/dataauthz/records' \
--header 'Content-Type: application/json' \
--data-raw '{
  "input": {
    "operation": "update",
    "token": "<API token from OSDU>",
    "xuserid": "<x-user-id header from OSDU>",
    "datapartitionid": "opendes",
    "records": [
      {
        "id": "123",
        "legal": { "legaltags": ["opendes-default-legal"] },
        "acls": { "owners": ["service.legal.user@opendes.enterprisedata.cloud.slb-ds.com"] }
      },
      {
        "id": "456",
        "legal": { "legaltags": ["opendes-non-legal"] },
        "acls": { "owners": ["service.non.viewer@opendes.enterprisedata.cloud.slb-ds.com"] }
      }
    ]
  }
}'
```

Response example

```
{
  "result": [
    {
      "errors": [],
      "id": "123"
    },
    {
      "errors": [
        "Invalid legal tag(s) found on record",
        "You must be an owner to update a record"
      ],
      "id": "456"
    }
  ]
}
```
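The policy below is an added example of what the `dataauthz.records` decision behind the request and response above could look like as an 'Evaluation Pull' policy. It is not the project's own policy. It assumes two OSDU endpoints and their response shapes (`POST /api/legal/v1/legaltags:validate` returning `invalidLegalTags[].name`, and `GET /api/entitlements/v2/groups` returning `groups[].email`), that `input.token` is a raw JWT without the `Bearer ` prefix, and a hypothetical `OSDU_BASE_URL` environment variable on the OPA process. Both upstream calls are cached with `http.send` and fail closed: if a service cannot be reached, the record gets an error rather than a silent pass.

```rego
package dataauthz

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Base URL of the OSDU deployment, read from the OPA process environment.
# Hypothetical variable name, e.g. OSDU_BASE_URL=https://osdu.example.com
base_url := opa.runtime().env.OSDU_BASE_URL

# Headers forwarded to the OSDU services on every pull. The caller's token is
# assumed to be a raw JWT, so the Bearer prefix is added here.
auth_headers := {
	"Authorization": sprintf("Bearer %s", [input.token]),
	"data-partition-id": input.datapartitionid,
	"x-user-id": input.xuserid,
	"Content-Type": "application/json",
}

# Evaluation pull 1: validate every legal tag in the request with a single call
# to the Legal service (endpoint and response shape are assumptions).
all_legaltags := {t | some r in input.records; some t in r.legal.legaltags}

legal_resp := http.send({
	"method": "POST",
	"url": sprintf("%s/api/legal/v1/legaltags:validate", [base_url]),
	"headers": auth_headers,
	"body": {"names": sort(all_legaltags)},
	"timeout": "2s",
	"cache": true,
	"force_cache": true,
	"force_cache_duration_seconds": 30,
	"raise_error": false,
})

# Defaults to 0 when the call is undefined (no base URL) or fails on the wire,
# so the checks below fail closed.
default legal_status := 0

legal_status := legal_resp.status_code

invalid_legaltags := {t.name | some t in legal_resp.body.invalidLegalTags}

# Evaluation pull 2: resolve the caller's group memberships via Entitlements
# (endpoint and response shape are assumptions).
groups_resp := http.send({
	"method": "GET",
	"url": sprintf("%s/api/entitlements/v2/groups", [base_url]),
	"headers": auth_headers,
	"timeout": "2s",
	"cache": true,
	"force_cache": true,
	"force_cache_duration_seconds": 30,
	"raise_error": false,
})

default groups_status := 0

groups_status := groups_resp.status_code

user_groups := {g.email | some g in groups_resp.body.groups}

# Per-record checks. Each returns a (possibly empty) list of error strings.
legal_errors(r) := ["Unable to validate legal tags"] if {
	legal_status != 200
} else := ["Invalid legal tag(s) found on record"] if {
	some t in r.legal.legaltags
	t in invalid_legaltags
} else := []

acl_errors(r) := ["Unable to resolve the caller's groups"] if {
	groups_status != 200
} else := [] if {
	some o in r.acls.owners
	o in user_groups
} else := [sprintf("You must be an owner to %s a record", [input.operation])]

# The decision queried at POST /v1/data/dataauthz/records: one entry per input
# record, in input order, matching the response shape shown above.
records := [{"id": r.id, "errors": array.concat(legal_errors(r), acl_errors(r))} |
	some r in input.records
]
```

Two practical points follow from this shape. The `http.send` cache is keyed on the whole request object, including the forwarded `Authorization` header, so the cached entitlements lookup only helps repeated calls by the same caller within the 30 second window, and a revoked group membership or legal tag can stay effective for up to that long; tune `force_cache_duration_seconds` against that trade-off. Because the caller's token travels in `input`, OPA decision logs should mask it (OPA's decision log masking can erase `/input/token`) before this is enabled in any shared environment.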

### Goals

- To test the performance and scalability of the data authz flow in the **Create/Update** flow, compared to the current approach in Storage for data retrieval and data creation
- To validate the API contract of the policies with other services on the system, e.g. SDMS

### Out of scope

OSDU has no way today to identify the calling service, but certain policies need it, for example to restrict which service can manage which kinds: WDMS should be the only service allowed to delete OSDU wellbore kinds, so that records and bulk data stay consistent.

How requesting services are identified is an OSDU decision. If it arrives as a header, similar to x-app-id, it can be injected into the policy input later without changing how any service uses policy. That is also a useful extension pattern for other properties in future, since it removes any impact on how services use policy.

The 'Read' and 'Delete' AuthZ flows will follow the initial test of the create/update flow, if that test is successful. They require retrieving storage records directly by ID, bypassing the current AuthZ flow, which needs more development effort.

### Reference

- https://www.openpolicyagent.org/docs/latest/external-data/#summary
- https://www.openpolicyagent.org/docs/latest/policy-reference/#http

## Table of contents <a name="TOC"></a>

- [User documentation](https://community.opengroup.org/osdu/platform/security-and-compliance/policy/-/wikis/Policy-service)