git.proxmox.com Git - ceph.git/blob - ceph/doc/radosgw/opa.rst
update sources to ceph Nautilus 14.2.1
==============================
Open Policy Agent Integration
==============================

Open Policy Agent (OPA) is a lightweight general-purpose policy engine
that can be co-located with a service. OPA can be integrated as a
sidecar, host-level daemon, or library.

Services can offload policy decisions to OPA by executing queries. Hence,
policy enforcement can be decoupled from policy decisions.

Configure OPA
=============

To configure OPA, load custom policies into OPA that control the resources users
are allowed to access. Relevant data or context can also be loaded into OPA to make decisions.

Policies and data can be loaded into OPA in the following ways:

* OPA's RESTful APIs
* OPA's *bundle* feature that downloads policies and data from remote HTTP servers
* Filesystem
22
Configure the Ceph Object Gateway
=================================

The following configuration options are available for OPA integration::

   rgw use opa authz = {use opa server to authorize client requests}
   rgw opa url = {opa server url:opa server port}
   rgw opa token = {opa bearer token}
   rgw opa verify ssl = {verify opa server ssl certificate}
32
How does the RGW-OPA integration work
=====================================

After a user is authenticated, OPA can be used to check if the user is authorized
to perform the given action on the resource. OPA responds with an allow or deny
decision, which is sent back to RGW, and RGW enforces that decision.

Example request::

   POST /v1/data/ceph/authz HTTP/1.1
   Host: opa.example.com:8181
   Content-Type: application/json

   {
       "input": {
           "method": "GET",
           "user_info": {
               "user_id": "john",
               "display_name": "John"
           },
           "bucket_info": {
               "bucket": {
                   "name": "Testbucket",
                   "bucket_id": "testbucket"
               },
               "owner": "john"
           }
       }
   }
62
Response::

   {"result": true}
66
The above is a sample request sent to OPA which contains information about the
user, the resource and the action to be performed on the resource. Based on the policies
and data loaded into OPA, OPA decides whether the request should be allowed or denied.
In the sample request, RGW makes a POST request to the endpoint */v1/data/ceph/authz*,
where *ceph* is the package name and *authz* is the rule name.
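The exchange above, written out as an added example client (not code from the Ceph project): it builds the input document in the shape shown, posts it to the ``ceph/authz`` rule and treats anything other than an explicit ``{"result": true}`` as deny. The endpoint, token and ``verify ssl`` values are constructed stand-ins for the RGW options, and sending the token as an ``Authorization: Bearer`` header is an assumption.

```python
import json
import ssl
import urllib.error
import urllib.request

# Constructed values standing in for rgw opa url / rgw opa token / rgw opa verify ssl.
OPA_URL = "https://opa.example.com:8181"
OPA_TOKEN = "example-bearer-token"
OPA_VERIFY_SSL = True


def build_input(method, user_id, display_name, bucket_name, bucket_id, owner):
    """Input document in the shape RGW posts to /v1/data/ceph/authz."""
    return {"input": {
        "method": method,
        "user_info": {"user_id": user_id, "display_name": display_name},
        "bucket_info": {"bucket": {"name": bucket_name, "bucket_id": bucket_id},
                        "owner": owner},
    }}


def decision(response_body):
    """Allow only on an explicit {"result": true}.

    OPA answers {} (no "result") when the queried rule is undefined, e.g. a
    typo in the package or rule name or no policy loaded; that and any
    non-boolean value are treated as deny so enforcement fails closed.
    """
    try:
        result = json.loads(response_body).get("result")
    except (ValueError, AttributeError):
        return False
    return result is True


def query_opa(input_doc, url=OPA_URL, token=OPA_TOKEN, verify_ssl=OPA_VERIFY_SSL):
    """POST the input to the ceph/authz rule; True means allow, False means deny."""
    req = urllib.request.Request(
        url + "/v1/data/ceph/authz", data=json.dumps(input_doc).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Bearer " + token},
        method="POST")
    ctx = ssl.create_default_context()
    if not verify_ssl:  # rgw opa verify ssl = false: skip certificate checks
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=5) as resp:
            return decision(resp.read())
    except (urllib.error.URLError, OSError):
        return False  # OPA unreachable or errored: deny rather than allow
```

Calling ``query_opa(build_input("GET", "john", "John", "Testbucket", "testbucket", "john"))`` against a live OPA returns ``True`` only when the loaded ``ceph`` package's ``authz`` rule evaluates to ``true`` for that input.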