Install
Prerequisites for testing or running Policy Service:
OPA
The Open Policy Agent (OPA, pronounced “oh-pa”) is an open source, general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that lets you specify policy as code and simple APIs to offload policy decision-making from your software.
- For recommended versions please see OPA Versions
- For recommended sizing please see OPA Sizing
- OPA must be configured to poll for new policies in [example init.yaml)(https://community.opengroup.org/osdu/platform/security-and-compliance/policy/-/blob/master/app/tests/gc_init.yaml).
- For testing purposes a low polling is probably best.
- OPA must also be bootstrapped with an initial bundle for instance and data partition. example
- Be sure environment variable
OPA_URLpoints to the OPA service endpoint. It defaults tohttp://localhost:8181for testing purposes.
Some of the options for starting OPA include:
* opa run --server
* make opa to run OPA in docker container
* make debugopa start OPA in debug mode running in docker container
* or run in Kubernetes, etc.
- OPA container needs the following environment variables are required to make evaluations work:
* LEGAL_BASE_URL
* ENTITLEMENTS_BASE_URL
Entitlement Service
Entitlement service is assumed to be not available for unit tests, however it is required to support integration tests. With headers authorizations (Bearer Token) and data_partition_id, this service is used to determine which groups the request is associated with.
The user must be a part of conf.USER_PERMISION (service.policy.user by default) or conf.ADMIN_PERMISION (service.policy.admin by default) for that particular OSDU data partition or testing will fail. Entitlement can also be bypassed for testing purposes by enabling conf.MOCK_ENTITLEMENT
Legal Service
Legal service is needed to run some integration tests (directly to get legal tags and indirectly when expecting OPA to talk to legal service). However legal is not directly used by the policy-service. However policies should make OPA call the legal service.
CLOUD_PROVIDER
-
used for all Cloud Service Providers. Used to initialize storage client for given CSP. This storage client will be used to manipulate the bundle file content. If not set a value of "MOCK" will be assumed, this will mock using a CSP for unit testing. MOCK is never to be used in production.
-
A value of LOCAL will bypass using CSP and attempt to update OPA directly va
OPA_URL. This is great for local development, testing, tiny environments (that don't have multiple OPA Pods), on-premise or for unsupported cloud environments.
Currently supported values of CLOUD_PROVIDER:
- baremetal
- aws
- azure
- gcp
- gc
- ibm
- LOCAL
- MOCK or undefined
Related Settings/Environmental variables:
POLICY_BUCKET- used by AWS, Google Cloud and IBM to determine which bucket is used for providing bundle files. Service identity running policy service needs to have write permission to contents in this bucket. Note us-east-1 is only region supported at this time for AWS.CONTAINER_NAME- used by Azure to determine which container is used for providing bundle files. Service principal running policy service needs to have write permission to contents in this bucket.STORAGE_ACCOUNT- used by Azure to determine which account is used for providing bundle files. Service principal running policy service needs to have write permission to contents in this bucket.ENDPOINT_URL,AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY- used by IBM (yes IBM). Please note only regionus-east-1is currently supported.MINIO_ENDPOINT,MINIO_SECRET_KEY,MINIO_ACCESS_KEY- used by Baremetal (Reference Architecture).DISABLE_OPA_CACHE- if set OPA caching will be disabled.ENABLE_TRANSLATE_PREPROCESSOR- by default True. If set to false it will revert search translate function to basically pre-M18 translate code. This would require all policies to be in a simple form (for example no deny). Included here for backwards compatibility testing only. It should never be disabled in qualification, preship testing, or production environments.ENABLE_VERIFY_POLICY- by default True. If true policy will attempt to temp save the policy directly to OPA to verify the policy is valid rego. This is an experimental feature.ALLOW_FORCE_BOOTSTRAP- by default True. If set to false it will not allow you to revert bundle to default (if bundle exists). If true, the API will allow update to reset bundle to a known good state (useful for testing or when corrupt/bad rego policy files have been included in the bundle).ALLOW_CONFIG_API- by default True. If false it will disable the /config API completely (not recommended)MASK_OPA_CONFIG_DETAILS- by default False. If True /config API will not show OPA config details (not recommended)OPS_PERMISSION- group to use for OPS related APIs, for example PUT /tenant, DELETE /tenant and POST /bootstrap
Limit Number of Groups for Performance Reasons:
The number of groups should be configured to what is necessary. Performance will degrade when there are many groups. This is especially true for translation API which is used by search. Ideally less than 25 groups should be used. However more groups will work, but you may have performance problems as this number of groups grows. At some point the number of groups will break the request payload size however and policy service will return a 413 or 400 error for translate API requests. This configuration error may break search. This can be seen when the number of groups is 1000+.
Useful software but not required:
- Make - GNU make utility
- ttab - programmatically open a new terminal tab
- envsubst - GNU gettext utilities
Logging
See logging
Ports
- Port - the default for the policy service is 8080. In Kubernetes you can still expose this to port 80.
livenessProbe and Ready
The /health API should be used for liveness probe. There is also a /ready API call that checks that OPA is healthy.
livenessProbe:
failureThreshold: 5
httpGet:
path: /api/policy/v1/health
port: http
scheme: HTTP
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2