Skip to content

Deploy wrapper RegoRules for the UserInfoFetcher #558

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
fhennig opened this issue Apr 30, 2024 · 6 comments · Fixed by #580
Closed

Deploy wrapper RegoRules for the UserInfoFetcher #558

fhennig opened this issue Apr 30, 2024 · 6 comments · Fixed by #580
Assignees
@nightkr
Labels
release/24.11.0 release-note Denotes a PR that will be considered when it comes time to generate release notes.

Comments

@fhennig
Copy link
Contributor

fhennig commented Apr 30, 2024
edited by lfrancke
Loading

As a user of the UIF I would like to simply use RegoRules to use the UIF, instead of having to do the HTTP calls myself.

  • How do we deploy these rules?

The rules and how to use them need to be documented and a decision needs to be created.
@fhennig fhennig mentioned this issue Apr 30, 2024
Merged
@fhennig
Copy link
Contributor Author

fhennig commented Apr 30, 2024

My suggestion on how to do this:

Have a ready-to-go (or slightly templated) .rego file that the operator has, and if the userInfo bit is configured, the .rego file gets added to all the bundles. Maybe we can do this, by having the operator deploy a ConfigMap that the bundle=true annotation and the rules inside of the ConfigMap?

@maltesander
Copy link
Member

maltesander commented Apr 30, 2024
edited
Loading

In the trino tests we have the UIF call here https://github.com/stackabletech/trino-operator/blob/0a1545ff371190b8d237f994bba4266fc962f774/tests/templates/kuttl/opa-authorization/trino_policies.rego#L291 and wrap it into extra_groups in the the permissions here https://github.com/stackabletech/trino-operator/blob/0a1545ff371190b8d237f994bba4266fc962f774/tests/templates/kuttl/opa-authorization/trino_rules/actual_permissions.rego#L43.

We could extract that into its own rego (util) file and be imported by other policies?

@NickLarsenNZ
Copy link
Member

NickLarsenNZ commented May 3, 2024
edited
Loading

I would suggest it being a specific rego file, rather than a generic util file, because:

  • util as a name of a modules is not a very helpful description to the end user (it can be useful when any other suitable name doesn't exist, or there are then too many things).
  • It would likely be a breaking change if we do end up with more utilities and want to break them out.

Some suggestions on what the end-user rego imports could look like:

import utils.uif
import utils.authorization
import stackable.uif
import stackable.authorization

Edit: #580 goes with package stackable.opa.userinfo.v1 which resolves this comment nicely.

@sbernauer sbernauer mentioned this issue May 29, 2024
Closed
@nightkr nightkr mentioned this issue May 29, 2024
Merged
@nightkr nightkr linked a pull request May 29, 2024 that will close this issue
Deploy userinfofetcher regorules #580
Merged
@NickLarsenNZ NickLarsenNZ moved this to Development: In Progress in Stackable Engineering May 29, 2024
@lfrancke
Copy link
Member

Blocked on #577

@lfrancke lfrancke moved this from Development: In Progress to Development: Waiting for Review in Stackable Engineering Jul 31, 2024
@NickLarsenNZ NickLarsenNZ moved this from Development: Waiting for Review to Development: In Review in Stackable Engineering Aug 1, 2024
@sbernauer sbernauer moved this from Development: In Review to Development: Done in Stackable Engineering Aug 7, 2024
@lfrancke
Copy link
Member

lfrancke commented Sep 4, 2024

Is this a user visible thing?
Do we have docs and should it go into the release notes?

@nightkr
Copy link
Member

nightkr commented Sep 11, 2024

User visibility: Yes, if you used the old HTTP API...

Docs: Yes, the docs are updated at https://docs.stackable.tech/home/nightly/opa/usage-guide/user-info-fetcher#_user_info_fetcher_api

Release notes: Maybe? Something along the lines of "The User Info Fetcher HTTP API has been replaced with a Rego library, please see https://docs.stackable.tech/home/nightly/opa/usage-guide/user-info-fetcher#_user_info_fetcher_api for more information"

@lfrancke lfrancke added the release-note Denotes a PR that will be considered when it comes time to generate release notes. label Sep 12, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@nightkr nightkr

Labels
release/24.11.0 release-note Denotes a PR that will be considered when it comes time to generate release notes.
Projects
Stackable Engineering
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Deploy userinfofetcher regorules stackabletech/opa-operator
6 participants
@lfrancke @nightkr @fhennig @NickLarsenNZ @maltesander @sbernauer