
OSDU Policy Service

Introduction

Policy service is an OSDU service used to manage (view, create, update, delete) and evaluate dynamic policies. Dynamic policies are written in the Rego language. Rego queries are assertions on data, and because the language is declarative it is convenient for writing policies.

The OSDU data platform has two additional services that are used together with the Policy service to perform data authorization:

- Entitlements service, which provides information about user group membership;
- Legal (aka compliance) service, which provides additional attributes that can be used to conform to legal and organizational regulations.

An OSDU data platform user who has the required permissions (e.g., OSDU admin) can write complex expressions defining who can discover and access what data, using information about:

- Data, or more specifically record metadata, which contains id, kind, acl, legal, and tags;
- Entitlements groups, which correspond to the flattened list of all groups a user is a member of and which can be used in the record acl;
- Legal tags, which are referenced from the record legal block.
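As an added illustration (not taken from the OSDU policy bundles), the Rego below shows how the three inputs described above can combine into one deny-by-default decision. The package name, the `input` field names (`operation`, `groups`, `valid_legaltags`, `record` and the layout inside it) and all sample values are assumptions made for this example; the input document the Policy Service actually supplies may differ.

```rego
package example.dataauthz # hypothetical package name, not an OSDU one
import future.keywords.every
import future.keywords.if
import future.keywords.in

# Deny unless one of the rules below explicitly allows the request.
default allow := false

# Viewing needs membership in a viewers or owners group of the record acl.
allow if {
    input.operation == "view"
    member_of(array.concat(input.record.acl.viewers, input.record.acl.owners))
    legal_ok
}

# Updating or deleting needs membership in an owners group.
allow if {
    input.operation in {"update", "delete"}
    member_of(input.record.acl.owners)
    legal_ok
}

# True when the caller's flattened group list intersects the given acl groups.
member_of(acl_groups) if {
    some group in input.groups
    group in acl_groups
}

# Every legal tag referenced by the record must be valid; no tags means deny.
legal_ok if {
    count(input.record.legal.legaltags) > 0
    every tag in input.record.legal.legaltags {
        tag in input.valid_legaltags
    }
}

# Constructed sample input (assumed shape), used by the tests below.
sample := {
    "operation": "view",
    "groups": ["viewers@example.com"],
    "valid_legaltags": ["example-tag"],
    "record": {
        "acl": {"viewers": ["viewers@example.com"], "owners": ["owners@example.com"]},
        "legal": {"legaltags": ["example-tag"]},
    },
}
test_viewer_can_view if { allow with input as sample }
test_viewer_cannot_delete if { not allow with input as object.union(sample, {"operation": "delete"}) }
test_unknown_tag_denied if { not allow with input as object.union(sample, {"valid_legaltags": []}) }
```

Saved as a `.rego` file, the three `test_` rules run with `opa test`.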

Last updated on 2023-10-06


Supported OSDU Services

The following services can be configured (some by default in M14) to use Policy Service:


Project layout

docs/
    docs/
        index.md     # The documentation homepage.
        ...          # Other markdown pages, images and other files.
frontend/adminui/    # Policy Service AdminUI POC
    main.py          # Policy Service "main"
    api/             # APIs code
    assets/          # Landing area for AdminUI POC
    auth/            # Authentication Entitlement code
    translate/       # Translate code
    bundles/         # Bundles code for read/writing bundles to bundles CSP service
    models/          # Models for handling APIs
    tests/           # Automated Unit and Integration tests
        data/        # Inputs for tests
        integration/ # Integration tests
        templates/   # Templates and inputs for automated and manual tests
        unit/        # Unit tests
    views/           # "Home Page" for Policy Service
ui/
    ui.py        # Policy Mgmt Desktop Client

More Information

OpenAPI Documentation: https://community.opengroup.org/osdu/platform/security-and-compliance/policy/-/blob/master/docs/openapi.yaml

Please note that GitLab is unable to render this newer OpenAPI 3.1.0 document; you'll need to use a Swagger editor. You can also use the older M18 OpenAPI document, which will render.

API Authentication

All APIs except /health require authentication from the Policy Service implementation. /health was left out so that it can be used in readiness checks. However, many CSPs may require auth for external connections.

Documentation: https://osdu.pages.opengroup.org/platform/security-and-compliance/policy/

Source Code: https://community.opengroup.org/osdu/platform/security-and-compliance/policy

Wiki (outdated): https://community.opengroup.org/osdu/platform/security-and-compliance/policy/-/wikis/home