SPIFFE in a Nutshell

I have been studying SPIFFE (Secure Production Identity Framework For Everyone)[1] for some time, and here I am drafting the flow as I understand it now, for the benefit of anyone else trying to understand it.

  • Identity Registry - The SPIRE server has its own identity registry, which holds two coarse-grained selector attributes that decide how a SPIFFE ID is issued to a workload. It keeps details as in the table below.

SPIFFE ID                  Node Selector       Process Selector
spiffe://abc.com/bill      aws:ec2:1234        k8s:namespace:1234
spiffe://xyz.com/account   token:7236427472    unix:uid:1002


A separate registration API is provided to manage these entries in the identity registry.

  • Node Selector - This identifies the machine (physical or virtual) a workload may run on. Which kind of selector applies depends on the infrastructure provider (AWS, GCP, bare metal) hosting the workload, e.g. an AWS EC2 instance ID or the serial number of a physical machine. Node attestors, one per infrastructure provider, are what honor these selectors.
  • Workload Selector (the Process Selector column above) - This defines how to recognize a process as a given workload once the node has been identified. It can be expressed in terms of attributes of the process itself (e.g. the Linux UID it runs as) or indirect attributes such as a Kubernetes namespace. The node agent is responsible for verifying that a particular process on the machine satisfies the workload selector; workload attestors inspect the process attributes to honor these selectors.
  • SPIRE Node Agent - A process that sits on the node, verifies the provenance of the workloads running on it, and hands those workloads their certificates over the Workload API, based on the selectors.
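To make the two-stage matching concrete, here is a small Go sketch, added as an illustration and not SPIRE's own code. The node selector first narrows the registry down to the entries for the attested node; then every workload selector on an entry must be among the selectors the workload attestors could prove for the calling process. The registry holds the two rows from the table above plus a constructed third entry (spiffe://abc.com/db-backup) that requires two process selectors at once; the matching rules are a simplification of what SPIRE actually does.

```go
package main

import (
	"fmt"
	"sort"
)

// Entry is one row of the identity registry: the SPIFFE ID to issue, the node
// selector that must match the attested node, and the workload (process)
// selectors that must all match the calling process.
type Entry struct {
	SpiffeID     string
	NodeSelector string
	Selectors    []string
}

// Constructed sample registry: the two rows from the table above plus a third,
// hypothetical entry that requires two process selectors at the same time.
var registry = []Entry{
	{"spiffe://abc.com/bill", "aws:ec2:1234", []string{"k8s:namespace:1234"}},
	{"spiffe://abc.com/db-backup", "aws:ec2:1234", []string{"unix:uid:1002", "unix:gid:1002"}},
	{"spiffe://xyz.com/account", "token:7236427472", []string{"unix:uid:1002"}},
}

// entriesForNode is what the server hands an agent after node attestation:
// only the entries whose node selector matches the attested node identity.
func entriesForNode(reg []Entry, attestedNode string) []Entry {
	var out []Entry
	for _, e := range reg {
		if e.NodeSelector == attestedNode {
			out = append(out, e)
		}
	}
	return out
}

// matchWorkload is the agent-side decision: the workload attestors report the
// selectors they can prove for the calling process, and an entry matches only
// if every one of its selectors is among them. Extra process selectors are
// harmless; one missing selector means no identity from that entry.
func matchWorkload(entries []Entry, processSelectors []string) []string {
	have := make(map[string]bool, len(processSelectors))
	for _, s := range processSelectors {
		have[s] = true
	}
	var ids []string
	for _, e := range entries {
		matched := true
		for _, s := range e.Selectors {
			if !have[s] {
				matched = false
				break
			}
		}
		if matched {
			ids = append(ids, e.SpiffeID)
		}
	}
	sort.Strings(ids)
	return ids
}

func main() {
	// The node attested as EC2 instance 1234; a process running as uid/gid 1002 asks "who am I?".
	onNode := entriesForNode(registry, "aws:ec2:1234")
	fmt.Println(matchWorkload(onNode, []string{"unix:uid:1002", "unix:gid:1002"}))
	// Same uid on the same node but without the gid selector: no identity at all.
	// spiffe://xyz.com/account needs only unix:uid:1002, but it is registered for another node.
	fmt.Println(matchWorkload(onNode, []string{"unix:uid:1002"}))
}
```

The second call is the case worth remembering: a selector that matches an entry registered for a different node is worthless, and a partial match on the right node yields nothing either.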



  1. The registration API is called by an administrator or a third-party application to populate the identity registry with the required SPIFFE IDs and their selectors.
  2. The node agent authenticates to the SPIRE server, either with a pre-established cryptographic key pair or with evidence from the infrastructure provider. In the case of AWS EC2, for example, the node agent submits the node's Instance Identity Document (IID) issued by AWS.
  3. The node attestor in the SPIRE server validates the submitted document according to the mechanism in use; for an AWS IID, the attestor checks the document and its AWS-issued signature against AWS. Upon successful validation the SPIRE server sends back the set of SPIFFE IDs that may be issued on that node, together with their process selector policies.
  4. When a workload starts running on the node, it first calls the node agent asking, in effect, 'who am I?'.
  5. Based on the process selectors received in step 3 and on what the workload attestors can prove about the calling process, the agent decides which SPIFFE ID the workload is entitled to. It generates a key pair for that identity and sends a CSR (Certificate Signing Request) to the SPIRE server.
  6. The SPIRE server responds to the node agent with the signed SVID for the workload, along with the trust bundles that tell the workload which other workloads it can trust.
  7. Upon receiving the response, the node agent hands the SVID, the trust bundles and the generated private key over to the workload. The private key never leaves the node the workload belongs to.
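Steps 5 to 7 condensed into runnable Go, as an added illustration rather than SPIRE's code. An in-memory CA stands in for the SPIRE server; the agent side generates the key pair and a CSR carrying the SPIFFE ID as a URI SAN; the server side refuses to sign unless that SAN is exactly the ID the registration entry authorised, which is the check that stops an agent from requesting an arbitrary identity in the trust domain; the workload side chains the SVID to the trust bundle and reads the SPIFFE ID back out. The trust domain abc.com and the fixed serial number are example values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// newCA is an in-memory stand-in for the SPIRE server's signing CA; its certificate
// doubles as the trust bundle handed to workloads in step 7.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "abc.com SPIRE CA (example)"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// agentCSR is the agent side of step 5: a fresh key pair and a CSR with the SPIFFE ID as URI SAN.
func agentCSR(spiffeID string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	u, err := url.Parse(spiffeID)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{URIs: []*url.URL{u}}, key)
	return csr, key, err // only the CSR leaves the node; the key stays with the agent
}

// serverSign is step 6. The server checks proof of possession and that the URI SAN is
// exactly the SPIFFE ID the registration entry authorised, then signs a short-lived SVID.
func serverSign(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte, authorisedID string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	if len(csr.URIs) != 1 || csr.URIs[0].String() != authorisedID {
		return nil, fmt.Errorf("CSR asks for %v, entry authorises %s", csr.URIs, authorisedID)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), // fixed for the example; a real CA uses random serials
		URIs:         csr.URIs,
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour), // short-lived; the agent rotates it
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
}

// verifySVID is what a workload does with a peer's SVID: chain it to the trust bundle
// from step 7 and read the peer's SPIFFE ID out of the URI SAN.
func verifySVID(svidDER []byte, bundle *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(svidDER)
	if err != nil {
		return "", err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: bundle}); err != nil {
		return "", err
	}
	if len(cert.URIs) != 1 {
		return "", fmt.Errorf("SVID must carry exactly one URI SAN, got %d", len(cert.URIs))
	}
	return cert.URIs[0].String(), nil
}

func main() {
	ca, caKey, _ := newCA()
	bundle := x509.NewCertPool()
	bundle.AddCert(ca)
	csr, _, _ := agentCSR("spiffe://abc.com/bill")
	svid, _ := serverSign(ca, caKey, csr, "spiffe://abc.com/bill")
	fmt.Println(verifySVID(svid, bundle))
}
```

Two things to try against this sketch: call serverSign with an authorised ID other than the one in the CSR and it refuses, and sign the same CSR with a second, unrelated CA and verifySVID rejects the result because it does not chain to the bundle. Both are the failure modes the flow above relies on.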

Please feel free to suggest corrections if you notice anything wrong.

[1] - https://spiffe.io
[2] - https://docs.google.com/document/d/1RZnBfj8I5xs8Yi_BPEKBRp0K3UnIJYTDg_31rfTt4j8/edit#
