Skip to content

Indexer fetch records requests should not be checked via OPA/Policy (Or any other service, that sends internal requests)

Problem:

Currently, the Storage service will evaluate policies for service requests of the Indexer service, which doesn't make sense since the indexer should be able to fetch any record ingested to the platform.

Indexer fetch requests use common requests authentication flow when OPA integration is enabled: https://community.opengroup.org/osdu/platform/system/storage/-/blob/master/storage-core/src/main/java/org/opengroup/osdu/storage/opa/service/OPAServiceImpl.java#L104

http://localhost:8181/v1/data/osdu/partition/osdu/dataauthz/records
{
    "input": {
        "operation": "view",
        "token": "indexer-service-token",
        "datapartitionid": "osdu",
        "records": [{
                "id": "osdu:master-data--Well:999907686759",
                "kind": "osdu:wks:master-data--Well:1.0.0",
                "legal": {
                    "legaltags": ["osdu-demo-legaltag"],
                    "otherRelevantDataCountries": ["US"],
                    "status": "compliant"
                },
                "acls": {
                    "viewers": ["data.default.viewers@osdu.osdu-gcp.go3-nrg.projects.epam.com"],
                    "owners": ["data.default.owners@osdu.osdu-gcp.go3-nrg.projects.epam.com"]
                }
            }
        ]
    }
}

And it is possible that Indexer will not be authorized to fetch records:

HttpResponse(headers = {
        null = [HTTP / 1.1 200 OK],
        Content - Length = [305],
        Date = [Tue, 29 Nov 2022 10: 58: 31 GMT],
        Content - Type = [application / json]
    }, body = {
        "result": [{
                "errors": [{
                        "code": 401,
                        "id": "osdu:master-data--Well:999907686759",
                        "message": "Legal response 401 {\"code\":401,\"reason\":\"Unauthorized\",\"message\":\"The user is not authorized to perform this action\"}",
                        "reason": "Error from compliance service"
                    }
                ],
                "id": "osdu:master-data--Well:999907686759"
            }
        ]
    }, contentType = application / json, responseCode = 200, exception = null, request = http: //localhost:8181/v1/data/osdu/partition/osdu/dataauthz/records, httpMethod=POST, latency=812)

And will receive an empty response:

{
    "records": [],
    "notFound": [
        "osdu:master-data--Well:999907686759"
    ],
    "conversionStatuses": []
}

Which left records not indexed, and not searchable. Scenarios, when this occurrence happens, look quite easy to achieve, for example when the record uses ACLs that don't belong to the Service token.

Solution:

We need to bypass OPA\Policy authentication for internal service requests.