From e68e48293f5a3c660c86ed24b8a0c5a0b7f3d7a9 Mon Sep 17 00:00:00 2001 From: "A.Unger" Date: Wed, 30 Jun 2021 14:38:16 +0200 Subject: [PATCH 1/3] policies draft 1 --- docs/ocis/adr/0008-policy-enforcement.md | 70 ++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 docs/ocis/adr/0008-policy-enforcement.md diff --git a/docs/ocis/adr/0008-policy-enforcement.md b/docs/ocis/adr/0008-policy-enforcement.md new file mode 100644 index 000000000..b86263214 --- /dev/null +++ b/docs/ocis/adr/0008-policy-enforcement.md 
@@ -0,0 +1,70 @@ +--- +title: "8. Extensions Policies" +date: 2021-06-30T14:00:00+01:00 +geekdocRepo: https://github.com/owncloud/ocis +geekdocEditPath: edit/master/docs/ocis/adr +geekdocFilePath: 0008-policy-enforcement +--- + +* Status: proposed +* Deciders: @butonic, @micbar, @dragotin, @hodyroff, @pmaier1, @fschade +* Date: 2021-06-30 + +## Context and Problem Statement + +There should be a way to impose certain limitations in areas of the code that require licensing. This document researches an approach to achieve it. + +## Decision Drivers + +- as a team, we want to have the licensing code concentrated in a central module +- we don't want to stop/start the extension whenever a policy is updated (hot reload) + +## Considered Options + +1. Build the evaluation engine in-house. +2. Use third party libraries such as Open Policy Agent (a CNCF aproved project with a Go library) + +## Decision Outcome + +Chosen option: option 2; Use third party libraries such as Open Policy Agent (a CNCF aproved project with a Go library) + +### Positive Consequences + +- OPA is production battle tested. +- built around performance - policies evaluations are no longer than 1ms per request. +- middleware friendly: we use gRPC clients all over our ecosystem; wrappers (or middlewares) is a viable way to solve this problem instead of a dedicated service or its own package. +- community support. +- kubernetes friendly. + +### Negative Consequences + +- more vendor code inside the binary (larger attack surface, larger footprint [to be quantified] ) + +## Chosen option approach + +Make use of [overloading Open Policy Agent's input](https://www.openpolicyagent.org/docs/latest/external-data/#option-2-overload-input) along with an external storage source (instead of an OPA service) in conjunction with go-micro's gRPC client wrappers (a.k.a middlewares) to leverage policy rules evaluation. 
+ +### Terminology + +New terms are defined to refer to new mental models: + +- policy: self-imposed limitation of a piece of software. i.e: "after 20 users limit the use of thumbnails". +- checkers: in the context of a middleware, a checker is in charge of defining logical conditions that prevent requests (users) from doing an action. +- policy file: a [rego file](https://www.openpolicyagent.org/docs/latest/policy-language/). +- policy evaluation: the act of piecing together input (from a request), data (from an external storage) and policies in order to make a decision. + +#### Temporary new Interfaces part of the PoC + +- IStorage: provides means of extracting data from an external source (in case of the POC an etcd storage cluster). + +### Future ideas + +[This proof of concept](https://github.com/owncloud/ocis/tree/poc-enforcement-engine) is very rigid in the sense that the `IStorage` interface only has one implementation that ties it to etcd, meaning running an oCIS cluster without an etcd service will result in a crash. This is by far ideal and less coupled implementations should be done. There is the case of using the storage metadata as a source to store data necessary to the policies, or even using the go-micro store as a kv store to achieve the exact same, since it already runs as its own service. The implementation of this is trivial and left out of the POC since it requires more time than the allotted for this task. + +#### Message Broker + +This problem perfectly encompasses the use of a message broker, where services such as OCS will emit messages to a bus and only listeners react to them. In this case the following applies: + +![message broker](https://i.imgur.com/sa1pANQ.jpg) + +The necessary interfaces are provided to us by go-micro, only implementations are to be done. From db5900b85a7a3ab78d70266f1588ab79b5d8160e Mon Sep 17 00:00:00 2001 
From: "A.Unger" Date: Wed, 30 Jun 2021 15:16:50 +0200 Subject: [PATCH 2/3] review comments --- docs/ocis/adr/0008-policy-enforcement.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docs/ocis/adr/0008-policy-enforcement.md b/docs/ocis/adr/0008-policy-enforcement.md index b86263214..0f3d51e14 100644 --- a/docs/ocis/adr/0008-policy-enforcement.md +++ b/docs/ocis/adr/0008-policy-enforcement.md @@ -22,11 +22,11 @@ There should be a way to impose certain limitations in areas of the code that re ## Considered Options 1. Build the evaluation engine in-house. -2. Use third party libraries such as Open Policy Agent (a CNCF aproved project with a Go library) +2. Use third party libraries such as Open Policy Agent (a CNCF aproved project written in Go) ## Decision Outcome -Chosen option: option 2; Use third party libraries such as Open Policy Agent (a CNCF aproved project with a Go library) +Chosen option: option 2; Use third party libraries such as Open Policy Agent (a CNCF aproved project written in Go) ### Positive Consequences @@ -35,6 +35,7 @@ Chosen option: option 2; Use third party libraries such as Open Policy Agent (a - middleware friendly: we use gRPC clients all over our ecosystem; wrappers (or middlewares) is a viable way to solve this problem instead of a dedicated service or its own package. - community support. - kubernetes friendly. +- supports envoy, kong, terraform, traefik, php, node and many more. ### Negative Consequences From 48ab84a7f531aeeef8225fc7bcd623bf519b2979 Mon Sep 17 00:00:00 2001 From: "A.Unger" Date: Wed, 30 Jun 2021 16:18:30 +0200 Subject: [PATCH 3/3] use pr link --- docs/ocis/adr/0008-policy-enforcement.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/ocis/adr/0008-policy-enforcement.md b/docs/ocis/adr/0008-policy-enforcement.md index 0f3d51e14..6d14f2b14 100644 --- a/docs/ocis/adr/0008-policy-enforcement.md +++ b/docs/ocis/adr/0008-policy-enforcement.md 
@@ -60,7 +60,7 @@ New terms are defined to refer to new mental models: ### Future ideas -[This proof of concept](https://github.com/owncloud/ocis/tree/poc-enforcement-engine) is very rigid in the sense that the `IStorage` interface only has one implementation that ties it to etcd, meaning running an oCIS cluster without an etcd service will result in a crash. This is by far ideal and less coupled implementations should be done. There is the case of using the storage metadata as a source to store data necessary to the policies, or even using the go-micro store as a kv store to achieve the exact same, since it already runs as its own service. The implementation of this is trivial and left out of the POC since it requires more time than the allotted for this task. +[This proof of concept](https://github.com/owncloud/ocis/pull/2236) is very rigid in the sense that the `IStorage` interface only has one implementation that ties it to etcd, meaning running an oCIS cluster without an etcd service will result in a crash. This is by far ideal and less coupled implementations should be done. There is the case of using the storage metadata as a source to store data necessary to the policies, or even using the go-micro store as a kv store to achieve the exact same, since it already runs as its own service. The implementation of this is trivial and left out of the POC since it requires more time than the allotted for this task. #### Message Broker
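Review bot: in the new file `docs/ocis/adr/0008-policy-enforcement.md` (first patch, hunk `@@ -0,0 +1,70 @@`), the Future ideas paragraph says "This is by far ideal and less coupled implementations should be done", which reads as the opposite of what is meant; "This is far from ideal" fits the sentence that follows. Two more wording fixes in the same hunk: "a CNCF aproved project" should be "approved" (it appears twice, under Considered Options and Decision Outcome), and "Make use of [overloading Open Policy Agent's input] ... to leverage policy rules evaluation" could simply say "to evaluate policy rules".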
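Review bot: the same hunk states that running an oCIS cluster without an etcd service "will result in a crash" because `IStorage` has a single etcd-backed implementation, but the ADR does not say what the intended behaviour is when the external data source is unreachable at evaluation time, which matters for a module that gates licensed functionality. Please record under "Negative Consequences" or "Future ideas" whether evaluation should fail closed (deny) or fail open (allow) when storage is unavailable, and, since hot reload of policies is a Decision Driver, who is allowed to update a policy file and how an update is authenticated before the middleware picks it up. The "larger attack surface, larger footprint [to be quantified]" bullet should likewise get a pointer to where that measurement will be done, or the placeholder will stay in the accepted ADR.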
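Review bot: still in the first hunk, the performance claim "policies evaluations are no longer than 1ms per request" is given without a source or a measurement, and the Message Broker diagram is linked from an external image host (`![message broker](https://i.imgur.com/sa1pANQ.jpg)`). Please cite where the 1ms figure comes from (or mark it as an expectation to be verified with the PoC), and commit the diagram alongside the ADR in the docs tree so the record does not depend on an external host.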
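Review bot: the second patch's hunk `@@ -22,11 +22,11 @@` rewrites both "(a CNCF aproved project with a Go library)" lines as "(a CNCF aproved project written in Go)" but carries the "aproved" typo over into the `+` lines; since these lines are touched anyway, fix the spelling here. Option 2 also keeps the plural "Use third party libraries such as Open Policy Agent" while naming one library; "Use a third-party library such as Open Policy Agent" matches the singular choice in the Decision Outcome.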
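Review bot: the added bullet in hunk `@@ -35,6 +35,7 @@`, "supports envoy, kong, terraform, traefik, php, node and many more.", lists product names in lower case and does not say how this supports the decision, unlike the surrounding "Positive Consequences" bullets which each tie a property to the ecosystem (gRPC middlewares, kubernetes). Suggest the proper names (Envoy, Kong, Terraform, Traefik, PHP, Node) and one clause on why the breadth of integrations matters for oCIS, or moving the list to the Context section as background on OPA.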
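Review bot: the third patch's hunk `@@ -60,7 +60,7 @@` replaces the branch link with `https://github.com/owncloud/ocis/pull/2236` but rewrites the entire Future ideas paragraph to do so, keeping "This is by far ideal" unchanged; since the line is being replaced, correct it to "This is far from ideal" in the same change. Linking the PR rather than the `poc-enforcement-engine` branch is the better reference, as the branch may be deleted after merge or close while the PR remains.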