In our series "Hello, Stackable Data Platform", an introduction to the Stackable Data Platform, we tackle the authorization component(s) first.
This document describes how to use:
- Stackable RegoRule Operator, for the creation and delivery of authorization rules, and
- Stackable Operator for OpenPolicyAgent (OPA), a Kubernetes Operator to manage authorization agents.
The idea of putting knowledge into code is mimicked by this duo via "leveraging the OpenPolicyAgent to provide Authorization-as-Code".
With the move towards a Kubernetes-native experience, the data platform is installable like any other K8s application.
We'll use helmfile to get started quickly:
```yaml
# Stackable RegoRule operator and Stackable operator for OPA
# https://docs.stackable.tech/home/getting_started.html#_installing_stackable_operators
repositories:
  # helm repo add stackable-devel https://repo.stackable.tech/repository/helm-dev/
  - name: stackable-devel
    url: 'https://repo.stackable.tech/repository/helm-dev/'
releases:
  # helm install regorule-operator stackable-devel/regorule-operator --version 0.5.0-mr156
  - name: regorule-operator
    devel: true
    chart: stackable-devel/regorule-operator
    # https://repo.stackable.tech/#browse/search/helm=name.raw%3Dregorule-operator
    version: "0.5.0-mr156"
    installed: true
  # helm install opa-operator stackable-devel/opa-operator --version 0.7.0-mr169
  - name: opa-operator
    devel: true
    chart: stackable-devel/opa-operator
    # https://repo.stackable.tech/#browse/search/helm=name.raw%3Dopa-operator
    version: "0.7.0-mr169"
    installed: true
```
Tip: The equivalent plain helm commands are provided as inline comments, in case you prefer them to helmfile.
(excursion) Open Policy Agent
Open Policy Agent: policy-based control for cloud native environments.
"Flexible, fine-grained control for administrators across the stack"
OPA policies are expressed in a high-level declarative language called Rego (pronounced "ray-go"), which is inspired by Datalog.
To get your hands dirty with OPA policies, try the Rego Playground.
Rego rules
Stackable doesn't spin up an additional pod to serve the rules; currently, the RegoRule operator itself hosts them.
Let's deploy our first "Hello, World!" example:
```rego
package example

greeting = msg {
    info := opa.runtime()
    hostname := info.env["HOSTNAME"] # Docker sets the HOSTNAME environment variable.
    msg := sprintf("Hello, World! Greetings from container %q!", [hostname])
}
```
Tip: There are more examples in the GitHub repository.
```shell
# Create example Rego rule from stdin
cat <<EOF | kubectl apply -f -
apiVersion: opa.stackable.tech/v1alpha1
kind: RegoRule
metadata:
  name: simple
spec:
  rego: |
    package example

    greeting = msg {
        info := opa.runtime()
        hostname := info.env["HOSTNAME"] # Docker sets the HOSTNAME environment variable.
        msg := sprintf("Hello, World! Greetings from container %q!", [hostname])
    }
EOF
```
Install OPA itself
Note: Currently, the OPA agents use a hard-wired IP, until "Make service discoverable" (#88) is implemented.
```shell
# Look up the IP of the RegoRule operator pod that serves the rules
export REGORULE_POD_IP=$(kubectl get pods --selector app.kubernetes.io/name=regorule-operator -o json \
  | jq -r '.items[0].status.podIP')
```
```shell
# Create and configure an example OPA from stdin
cat <<EOF | kubectl apply -f -
apiVersion: opa.stackable.tech/v1alpha1
kind: OpenPolicyAgent
metadata:
  name: opa-simple
spec:
  version: "0.27.1"
  servers:
    roleGroups:
      default:
        selector:
          matchLabels:
            kubernetes.io/os: linux
        config:
          regoRuleReference: "http://${REGORULE_POD_IP}/opa/v1"
EOF
```
Grab the pod name...
```shell
export OPA_POD_NAME=$(kubectl get pods \
  --selector app.kubernetes.io/name=opa -o json \
  | jq -r '.items[0].metadata.name')
```
...jump directly into the OPA console inside the pod...
```shell
kubectl exec --stdin --tty ${OPA_POD_NAME} \
  -- /bin/bash -c "./opa run"
> 1*2+3
5
```
...or check with curl from within the OPA pod:
```shell
kubectl exec --stdin --tty ${OPA_POD_NAME} \
  -- /bin/bash
$ curl localhost:8181/v1/data/example/greeting -H 'Content-Type: application/json'
```
This should return `{"result":"Hello, World! Greetings from container \"opa-simple-server-default-5hhpl\"!"}`.
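The greeting rule only proves the delivery path works. As an added example (not from the original post or from the Stackable repositories) of the Authorization-as-Code idea, here is a small deny-by-default policy in the same Rego dialect, with unit tests that `opa test` runs locally before the policy is wrapped into `spec.rego` of a RegoRule; the package name, users, roles and paths are all made up for this illustration.

```rego
package example.authz

# Deny by default: only an explicit rule below can grant access.
default allow = false

# Role assignments would normally be pushed as OPA data; embedded here (made-up values).
roles = {
    "alice": ["reader", "writer"],
    "bob": ["reader"]
}

# Readers may perform read operations.
allow {
    input.method == "GET"
    roles[input.user][_] == "reader"
}

# Writers may additionally modify objects under /data/.
allow {
    input.method == "PUT"
    startswith(input.path, "/data/")
    roles[input.user][_] == "writer"
}

# Unit tests: `opa test <this file>` runs every rule named test_*.
test_reader_can_get {
    allow with input as {"user": "bob", "method": "GET", "path": "/data/x"}
}

test_reader_cannot_put {
    not allow with input as {"user": "bob", "method": "PUT", "path": "/data/x"}
}

test_writer_can_put {
    allow with input as {"user": "alice", "method": "PUT", "path": "/data/x"}
}

test_unknown_user_denied {
    not allow with input as {"user": "mallory", "method": "GET", "path": "/data/x"}
}
```

Once delivered to OPA, a decision is requested the same way as the greeting above, but with an input document: `curl localhost:8181/v1/data/example/authz/allow -H 'Content-Type: application/json' -d '{"input": {"user": "bob", "method": "GET", "path": "/data/x"}}'` returns `{"result":true}`, and an unknown user falls through to the default `false`.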
👏 Congratulations! The first building block of your modern data platform is up and running...
The next installment of this series: Apache ZooKeeper the Stackable Way.
Additional resources
- Stackable Operator for OpenPolicyAgent Rego Rules/Installation
- Stackable Operator for OpenPolicyAgent/Installation
🙌 Photo by Nathan Dumlao on Unsplash