
ASM Capabilities 3 - Use Open Policy Agent(OPA) in ASM

This article describes how to use Open Policy Agent (OPA) to define fine-grained access control in Alibaba Cloud Service Mesh (ASM) using sample code.

By Wang Xining

This is the third edition in the ASM Extended Capabilities series, a collection of articles that describes some extended capabilities of Alibaba Cloud Service Mesh (ASM).

Prerequisites

Open Policy Agent (OPA)

OPA, a CNCF-managed incubation project, is a policy engine that implements fine-grained access control for applications. For example, you can use OPA for cross-microservice authorization.

As shown in the following figure, OPA is a general-purpose policy engine that you can deploy as an independent service alongside your microservices. To protect the applications, every request to a microservice must be authorized before it is processed; to check whether a request is authorized, the microservice calls the OPA API.

[Figure 1]

Enable OPA in ASM

ASM integrates OPA to implement fine-grained access control for applications, for example cross-microservice authorization. After OPA is enabled, an OPA container is injected into the business pod in the same way as the Istio Envoy proxy container. Access control policies are then defined in ASM and enforced by OPA, which gives distributed application developers an out-of-the-box way to define policies quickly and improves development efficiency.

[Figure 2]

As shown in the figure, you can choose whether to enable the OPA plug-in when creating an ASM instance.

Feature Settings

If you did not select Enable OPA Plug-in while creating an ASM instance, use the following method to enable the OPA plug-in.

  • Log on to the ASM console and click ASM Instance in the left-side navigation pane. On the Details page of the ASM instance, click Feature Settings in the upper-right corner.

[Figure 3]

  • In the window that appears, select Enable OPA Plug-in.

Note: Before deploying the business pod, make sure that both the OPA configuration file and the policy are created as ConfigMaps. The following sections describe how to deploy the OPA configuration and the policy.

Deploy OPA Configuration

Use kubectl to connect to the ACK cluster that is added to the ASM instance and run the following command to deploy the OPA configuration file:

kubectl apply -n {Actual namespace} -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: opa-istio-config
data:
  config.yaml: |
    plugins:
      envoy_ext_authz_grpc:
        addr: :9191
        path: istio/authz/allow
EOF

Deploy the OPA Policy

ASM currently supports OPA policies written in Rego. Support for WebAssembly-based OPA extensions will be added in the future.

Use kubectl to connect to the ACK cluster that is added to the ASM instance, replace the sample policy below with your actual policy definition, and run the following command:

kubectl apply -n {Actual namespace} -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: opa-policy
data:
  # The following is a sample policy definition, which must be replaced by the actual one.
  policy.rego: |
    package istio.authz

    # Envoy's ext_authz filter passes the request under input.attributes.request.http.
    import input.attributes.request.http as http_request

    # Deny by default: a request is allowed only if a rule below proves it.
    default allow = false

    # Allow when the caller holds at least one role that grants the requested method and path.
    allow {
        roles_for_user[r]
        required_roles[r]
    }

    # Roles assigned to the authenticated user.
    roles_for_user[r] {
        r := user_roles[user_name][_]
    }

    # Roles whose permissions cover the requested method and path.
    required_roles[r] {
        perm := role_perms[r][_]
        perm.method == http_request.method
        perm.path == http_request.path
    }

    # Extract the user name from the HTTP Basic "Authorization: Basic base64(user:password)" header.
    user_name = parsed {
        [_, encoded] := split(http_request.headers.authorization, " ")
        [parsed, _] := split(base64url.decode(encoded), ":")
    }

    user_roles = {
        "guest1": ["guest"],
        "admin1": ["admin"]
    }

    role_perms = {
        "guest": [
            {"method": "GET",  "path": "/productpage"},
        ],
        "admin": [
            {"method": "GET",  "path": "/productpage"},
            {"method": "GET",  "path": "/api/v1/products"},
        ],
    }
EOF
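Before applying the ConfigMap, it is worth checking that the policy decides the way you expect, because a mistake here either locks users out or silently admits them. The following unit tests are an added example, not part of the original article: they live in a file (here assumed to be named policy_test.rego) beside the policy extracted from the ConfigMap (assumed to be saved as policy.rego), build the input document in the shape that Envoy's ext_authz filter sends to OPA, and exercise the four cases from the Results section plus the denial paths that the policy's default covers. The base64 strings are constructed from the sample credentials guest1:password, admin1:password and a made-up nobody:password.

```rego
# policy_test.rego -- added tests for the sample istio.authz policy (not from the article).
# Same package as the policy so `allow` is visible; uses the same pre-v1 Rego syntax.
package istio.authz

# Build the `input` document the way Envoy's ext_authz filter presents a request
# to OPA: method, path and headers under attributes.request.http.
request(method, path, auth_header) = req {
    req := {"attributes": {"request": {"http": {
        "method": method,
        "path": path,
        "headers": {"authorization": auth_header},
    }}}}
}

# Constructed HTTP Basic headers: "Basic " + base64(user:password).
guest_auth := "Basic Z3Vlc3QxOnBhc3N3b3Jk"   # guest1:password
admin_auth := "Basic YWRtaW4xOnBhc3N3b3Jk"   # admin1:password
nobody_auth := "Basic bm9ib2R5OnBhc3N3b3Jk"  # nobody:password (not in user_roles)

test_guest_can_read_productpage {
    req := request("GET", "/productpage", guest_auth)
    allow with input as req
}

test_guest_cannot_read_products_api {
    req := request("GET", "/api/v1/products", guest_auth)
    not allow with input as req
}

test_admin_can_read_productpage {
    req := request("GET", "/productpage", admin_auth)
    allow with input as req
}

test_admin_can_read_products_api {
    req := request("GET", "/api/v1/products", admin_auth)
    allow with input as req
}

# The method is checked as strictly as the path: admin is only granted GET.
test_admin_cannot_post_products_api {
    req := request("POST", "/api/v1/products", admin_auth)
    not allow with input as req
}

# Unknown user: user_roles has no entry, roles_for_user is empty, default deny applies.
test_unknown_user_is_denied {
    req := request("GET", "/productpage", nobody_auth)
    not allow with input as req
}

# No credentials: split() on a missing header is undefined, so user_name is
# undefined and allow falls back to its default of false.
test_missing_authorization_header_is_denied {
    req := {"attributes": {"request": {"http": {
        "method": "GET",
        "path": "/productpage",
        "headers": {},
    }}}}
    not allow with input as req
}
```

Run the tests with `opa test . -v` in the directory that holds both files; every test should report PASS. With OPA 1.x, which defaults to the newer Rego syntax, add `--v0-compatible` so that both the policy and these tests parse unchanged.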

Inject the OPA Container

Deploy the sample application to the ASM instance by referring to Deploy Applications to an ASM Instance and define the corresponding Istio virtual services and ingress gateway. For more information, see Manage Istio Resource Definitions.

  • Log on to the Container Service console. In the left-side navigation pane, choose Applications > Pod.
  • On the page that appears on the right, select the target cluster and namespace, for example, default. The Bookinfo application pods are running, and each pod has been injected with both the sidecar proxy (istio-proxy) and the OPA container (opa-istio), as shown in the following figure.

[Figure 4]

Results

The preceding policy restricts access to the Bookinfo application as follows:

  • guest1 is assigned the guest role and can access /productpage but not /api/v1/products.
  • admin1 is assigned the admin role and can access both /productpage and /api/v1/products.

Verify the behavior through the ingress gateway with curl (replace the placeholder with the IP address of the ingress gateway service):

curl -i --user guest1:password http://{IP address of the ingress gateway service}/productpage
HTTP/1.1 200 OK
......
curl -i --user guest1:password http://{IP address of the ingress gateway service}/api/v1/products
HTTP/1.1 403 Forbidden
......
curl -i --user admin1:password http://{IP address of the ingress gateway service}/productpage
HTTP/1.1 200 OK
......
curl -i --user admin1:password http://{IP address of the ingress gateway service}/api/v1/products
HTTP/1.1 200 OK
......