...

  • Use OPA and Envoy as sidecars in backend microservices for authorization

  • A program which converts the JSON schema definitions into OPA Rego code

  • Sample schema definition (work in progress; the design is more or less as shown below, but some of the JSON keys may be renamed to follow a more meaningful naming convention)

Schema in YAML
Code Block
languageyaml
---
- name: createContent
  uris: "/content/v1/create"
  upstream_url: "http://knowledge-mw:5000/v1/content/create"
  role_check:
    config.allowed_roles:
    - CONTENT_CREATOR
    - COURSE_CREATOR
  org_check:
    config.look_in:
    - body
    - header
    config.operator: and
    config.body: request.content.createdFor[*]
    config.header: X-Org-Id
  owner_check:
    config.look_in:
    - header
    config.header: X-User-Id
Schema in JSON
Code Block
languagejson
[
  {
    "name": "createContent",
    "uris": "/content/v1/create",
    "upstream_url": "http://knowledge-mw:5000/v1/content/create",
    "role_check": {
      "config.allowed_roles": [
        "CONTENT_CREATOR",
        "COURSE_CREATOR"
      ]
    },
    "org_check": {
      "config.look_in": [
        "body",
        "header"
      ],
      "config.operator": "and",
      "config.body": "request.content.createdFor[*]",
      "config.header": "X-Org-Id"
    },
    "owner_check": {
      "config.look_in": [
        "header"
      ],
      "config.header": "X-User-Id"
    }
  }
]
  • A check can combine keys with ||, with &&, or use a single key; || and && signify OR and AND. The config.operator can be omitted, or it takes the value and or or, which signify the AND and OR operations. If AND is used, both keys are checked against the token and both must match; if OR is used, one of the keys must match in the token.

  • For a given check, the schema will not allow AND and OR to be mixed in one expression (for example a && b || c). Such checks will be treated as custom checks and implemented directly in Rego. Expressions that use a single operator, such as aa || bb || cc or aa && bb && cc, will work.

  • Sample token structure

Code Block
languagejson
{
  "iss": "mykey",
  "aud": "project-sunbird-stage-client",
  "sub": "7e726898-0635-44cf-81ff-3b3a889c8dba",
  "typ": "Bearer",
  "exp": 1622744532,
  "iat": 1622658132,
  "roles": [
    {
      "scope": [
        {
          "orgId": "01269878797503692810"
        }
      ],
      "role": "COURSE_CREATOR"
    },
    {
      "scope": [
        {
          "orgId": "ORG_001"
        },
        {
          "orgId": "ORG_002"
        }
      ],
      "role": "BOOK_CREATOR"
    }
  ]
}
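A reference evaluator for the role, org and owner checks above, run against the sample token, as an added example (not the project's generator or its Rego output). It assumes that config.body paths resolve against the JSON request body, that only orgs scoped to one of the allowed roles satisfy org_check, that owner_check compares against the token's sub claim, and that an omitted config.operator defaults to and.

```python
import re

# Sample token and createContent entry from the page, reduced to the fields the checks use.
TOKEN = {"sub": "7e726898-0635-44cf-81ff-3b3a889c8dba", "roles": [
    {"scope": [{"orgId": "01269878797503692810"}], "role": "COURSE_CREATOR"},
    {"scope": [{"orgId": "ORG_001"}, {"orgId": "ORG_002"}], "role": "BOOK_CREATOR"}]}
API = {"role_check": {"config.allowed_roles": ["CONTENT_CREATOR", "COURSE_CREATOR"]},
       "org_check": {"config.look_in": ["body", "header"], "config.operator": "and",
                     "config.body": "request.content.createdFor[*]", "config.header": "X-Org-Id"},
       "owner_check": {"config.look_in": ["header"], "config.header": "X-User-Id"}}

def resolve(body, path):
    """Resolve 'request.content.createdFor[*]' against the JSON body; '[*]' fans out a list."""
    nodes = [body]
    for part in path.split("."):
        key, star = re.fullmatch(r"(\w+)(\[\*\])?", part).groups()
        nodes = [n[key] for n in nodes if isinstance(n, dict) and key in n]
        if star:
            nodes = [v for n in nodes if isinstance(n, list) for v in n]
    return {n for n in nodes if isinstance(n, str)}

def combine(cfg, results):
    """'and' needs every looked-in source to match, 'or' any one; assumed default is 'and'."""
    return (all if cfg.get("config.operator", "and") == "and" else any)(results)

def role_check(cfg, token):
    return any(r["role"] in cfg["config.allowed_roles"] for r in token["roles"])

def org_check(cfg, token, headers, body, allowed_roles):
    # Assumption: only orgs scoped to an allowed role count, so an org where the user is
    # merely BOOK_CREATOR does not satisfy an API limited to CONTENT/COURSE_CREATOR.
    orgs = {s["orgId"] for r in token["roles"] if r["role"] in allowed_roles for s in r["scope"]}
    results = []
    for source in cfg["config.look_in"]:
        if source == "header":
            results.append(headers.get(cfg["config.header"]) in orgs)
        else:  # every org named in the body must be in scope; an empty list fails closed
            found = resolve(body, cfg["config.body"])
            results.append(bool(found) and found <= orgs)
    return combine(cfg, results)

def owner_check(cfg, token, headers, body):
    # Assumption: the owner is the token's 'sub' claim.
    results = [headers.get(cfg["config.header"]) == token["sub"] if s == "header"
               else resolve(body, cfg["config.body"]) == {token["sub"]} for s in cfg["config.look_in"]]
    return combine(cfg, results)

def authorize(api, token, headers, body):
    allowed = api["role_check"]["config.allowed_roles"]
    return (role_check(api["role_check"], token)
            and org_check(api["org_check"], token, headers, body, allowed)
            and owner_check(api["owner_check"], token, headers, body))
```

With the sample token, a createContent request for org 01269878797503692810 with matching X-Org-Id and X-User-Id headers is allowed, while the same user creating content for ORG_001 (where the token only grants BOOK_CREATOR) is denied.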

...