SPIFFE in a Nutshell

I have been studying SPIFFE (Secure Production Identity Framework For Everyone)[1] for some time, and here I am drafting the flow as I understand it now, for the benefit of anyone else trying to understand it.

  • Identity Registry - The SPIRE server has its own identity registry, which keeps two coarse-grained attributes that decide how SPIFFE IDs will be issued to a workload. It keeps details as in the table below.

    SPIFFE ID                  Node Selector      Process Selector
    spiffe://abc.com/bill      aws:ec2:1234       k8s:namespace:1234
    spiffe://xyz.com/account   token:7236427472   unix:uid:1002


A separate registration API is provided to manage these entries in the identity registry.

  • Node Selector - This defines a machine (physical or virtual) where a workload can be running. The exact type of selector to be used is decided by the infrastructure provider (AWS, GCP, bare metal) the workload is running on, e.g. an AWS EC2 instance ID or the serial number of a physical machine. Node attestors act according to the infrastructure provider to honor these selectors.
  • Workload Selector - This defines how to identify a process as representing a workload, after the node has been identified. This can be described in terms of attributes of the process itself (e.g. a Linux UID) or in terms of indirect attributes such as a Kubernetes namespace. The node agent is responsible for verifying that a particular process on a machine qualifies for its workload selector. Workload attestors act on the process attributes to honor these process selectors.
  • SPIRE Node Agent - A process that sits on the node, verifies the provenance of workloads running on the node, and provides those workloads with certificates via the Workload API, based on the selectors.



  1. The Registration API is called by either an administrator or a third-party application to populate the identity registry with the required SPIFFE IDs and relevant selectors.
  2. The node agent gets authenticated with the SPIRE server using a pre-established cryptographic key pair or based on the infrastructure provider. For example, in the case of AWS EC2, the node agent will submit the node's Instance Identification Document (IID) issued by AWS.
  3. The node attestor in the SPIRE server validates the provided identification document based on the mechanism used. If the AWS IID is used, the relevant attestor validates it against AWS. Upon successful validation, the SPIRE server sends back the set of SPIFFE IDs that can be issued to the node, along with their process selector policies.
  4. When a workload starts running on the node, it first makes a call to the node agent asking "who am I?".
  5. Based on the process selectors the node agent received in the previous step, and using the workload attestors, the agent decides on the SPIFFE ID to be given to the workload. It generates a key pair for that ID and sends a CSR (Certificate Signing Request) to the SPIRE server.
  6. The SPIRE server responds to the node agent with the signed SVID for the workload, along with the trust bundles indicating which other workloads this workload can trust.
  7. Upon receiving the response from the SPIRE server, the node agent hands over the received SVID, the trust bundles and the generated private key to the workload. This private key never leaves the node its workload belongs to.
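As an added example, not code from this post or from the SPIRE project, the following standard-library Go program models the registry table and the numbered flow above: the two selector gates (the node gate the server applies in step 3 and the workload gate the agent applies in step 5), and steps 5 to 7 carried out with real X.509 material (an ECDSA key pair generated on the agent side, a CSR carrying the SPIFFE ID as a URI SAN, a throwaway self-signed CA standing in for the SPIRE server's signing key, and verification of the returned SVID against that CA as the trust bundle). Every name in it (Entry, Registry, ResolveID, NewCA, SignSVID, IssueSVID) is this example's own, the registry rows are the constructed values from the table, and the one-node-selector/one-workload-selector-per-entry model is a simplification of the table rather than SPIRE's entry format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Entry is one row of the identity registry shown in the table above (simplified:
// exactly one node selector and one workload selector per entry).
type Entry struct{ SpiffeID, NodeSelector, WorkloadSelector string }

// Registry holds constructed sample rows (the same values as the table).
var Registry = []Entry{
	{"spiffe://abc.com/bill", "aws:ec2:1234", "k8s:namespace:1234"},
	{"spiffe://xyz.com/account", "token:7236427472", "unix:uid:1002"},
}

// ResolveID applies both selector gates: the node gate the server applies in
// step 3 (only entries bound to the attested node reach the agent) and the
// workload gate the agent applies in step 5 against the selectors its workload
// attestors observed. Zero or several survivors is an error, never a guess.
func ResolveID(reg []Entry, nodeSelector string, observed []string) (string, error) {
	seen := map[string]bool{}
	for _, s := range observed {
		seen[s] = true
	}
	var ids []string
	for _, e := range reg {
		if e.NodeSelector == nodeSelector && seen[e.WorkloadSelector] {
			ids = append(ids, e.SpiffeID)
		}
	}
	if len(ids) != 1 {
		return "", fmt.Errorf("expected exactly one matching entry, found %d", len(ids))
	}
	return ids[0], nil
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// NewCA builds a self-signed throwaway root standing in for the SPIRE server's
// signing key (hypothetical, for this example only); its certificate doubles as
// the trust bundle of step 6.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example SPIRE CA"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// SignSVID is step 6 on the server: verify the CSR signature, insist the requested
// URI SAN equals the ID resolved from the registry, then mint a short-lived SVID.
// The server only ever sees the public key inside the CSR.
func SignSVID(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, expectedID string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	if len(csr.URIs) != 1 || csr.URIs[0].String() != expectedID {
		return nil, errors.New("CSR does not carry the resolved SPIFFE ID")
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), URIs: csr.URIs,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature,
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// IssueSVID is the agent side of steps 5 to 7: resolve the ID, generate the key
// pair on the node, send only the CSR, and check the returned SVID against the
// trust bundle before handing SVID, bundle and private key to the workload.
func IssueSVID(caCert *x509.Certificate, caKey *ecdsa.PrivateKey, nodeSelector string, observed []string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	id, err := ResolveID(Registry, nodeSelector, observed)
	if err != nil {
		return nil, nil, err
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the node
	must(err)
	u, err := url.Parse(id)
	must(err)
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{URIs: []*url.URL{u}}, key)
	must(err)
	der, err := SignSVID(caCert, caKey, csr, id)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	must(err)
	bundle := x509.NewCertPool() // the trust bundle received in step 6
	bundle.AddCert(caCert)
	_, err = cert.Verify(x509.VerifyOptions{Roots: bundle})
	return cert, key, err
}

func main() {
	caCert, caKey := NewCA()
	cert, _, err := IssueSVID(caCert, caKey, "token:7236427472", []string{"unix:uid:1002", "unix:gid:1002"})
	must(err)
	fmt.Println("issued SVID for", cert.URIs[0])
	_, _, err = IssueSVID(caCert, caKey, "aws:ec2:1234", []string{"unix:uid:1002"})
	fmt.Println("same process selector on another node:", err)
}
```

ResolveID refuses to issue when zero or more than one entry survives both gates, and SignSVID refuses to sign a CSR whose URI SAN differs from the resolved ID; both enforce the property the flow relies on, that the registry and the attestors decide identity, not the process asking "who am I?". The second call in main shows the node gate at work: a process with the right UID on the wrong node gets nothing.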

Please feel free to suggest any correction, if you notice.

[1] - https://spiffe.io
[2] - https://docs.google.com/document/d/1RZnBfj8I5xs8Yi_BPEKBRp0K3UnIJYTDg_31rfTt4j8/edit#
