
Integration with open policy agent #158

Open
DAlperin opened this issue Oct 1, 2021 · 10 comments
Labels
- area/tooling: Affects the dev or user toolchain (e.g. tests, ci, build tools)
- hint/help wanted: Someone else needs to handle this
- priority/4 maybe: This might get done someday
- state/needs discussion: This can't be worked on yet

Comments

@DAlperin

DAlperin commented Oct 1, 2021

I see in the docs that there can theoretically be an integration between this and OPA. I'm having trouble understanding what a real world integration between the two of them would look like. Are there any resources explaining that?

I'm really interested in potentially using spicedb in my current project, just trying to clear up my mental model.

(if this is the wrong place to ask questions, I apologize, let me know and I'll move it to the right place)

@jzelinskie jzelinskie added area/tooling Affects the dev or user toolchain (e.g. tests, ci, build tools) state/needs discussion This can't be worked on yet labels Oct 1, 2021
@jzelinskie
Member

jzelinskie commented Oct 1, 2021

Right now we have an experiment with zed, our command-line tool: https://github.com/authzed/zed#open-policy-agent-opa

We add builtin functions that let you call the SpiceDB API from rego. Would that work for your use case?

We've had some private discussions about what it would look like to embed a policy agent server-side and we'd be open to discussing that publicly now, too, if people are interested.

@DAlperin
Author

DAlperin commented Oct 3, 2021

Ah yeah that does look very interesting, thanks. Is there any plan to extract the OPA functions provided by zed into an OPA extension so they can be available on existing OPA installations?

@jzelinskie
Member

Unless I'm misinterpreting what I've read here, there doesn't appear to be a way to distribute something to users using OPA that doesn't require creating a new build of OPA itself.

I am not an OPA expert by any means, so if anyone knows how to better facilitate OPA users, I'd love to learn more.

@jzelinskie jzelinskie added the hint/help wanted Someone else needs to handle this label Oct 26, 2021
@srenatus

Hello from the OPA side 👋

> [...] there doesn't appear to be a way to distribute something to users using OPA that doesn't require creating a new build of OPA itself.

That's true.

From what I can tell, you are providing a gRPC API. If you had some sort of plain HTTP endpoint, you could help your users out with a rego policy snippet wrapping http.send. As of today, there are no generic gRPC functions (open-policy-agent/opa#1450).

Bottom line is that it's tricky to do plugins in golang well. Another idea we've been toying with is adding plugin functionality via Wasm (open-policy-agent/opa#3631), but that also hasn't happened yet. Also, socket stuff (i.e. implementing gRPC) is tricky still for WASI and friends.

☝️ Which of those approaches seems most promising for your use case?

@jzelinskie
Member

As of v1.1.0, SpiceDB actually supports a REST/JSON API that's powered by grpc-gateway internally. Writing a wrapper policy is a pretty reasonable step forward. Performance will suffer from re-establishing connections for each API call, though.

When I first wrote the zed experiment, I had mentioned in the OPA Slack that another idea is to do something similar to git, where you exec out to binaries on the $PATH with a specific prefix and pass the flags/args. We used to do something similar in zed before we open sourced SpiceDB. Go plugins these days are more portable than they used to be, but are still not quite entirely cross platform.

@rocioar

rocioar commented Oct 28, 2021

@srenatus has OPA considered adding plugins that could be useful to the community (such as the SpiceDB one) to the main build?

@srenatus

> has OPA considered adding plugins that could be useful to the community (such as the SpiceDB one) to the main build?

Here's the list of built-in functions currently supported: https://www.openpolicyagent.org/docs/edge/policy-reference/#built-in-functions -- there isn't a single vendor-specific API wrapper among them, and I'd think that's for the better. (💭 There is an API following a standard, let's make sure OPA has the means to talk to it.)

Anyhow, about that 👇

> As of v1.1.0, SpiceDB actually supports a REST/JSON API that's powered by grpc-gateway internally. Writing a wrapper policy is a pretty reasonable step forward. Performance will suffer from re-establishing connections for each API call, though.

(Yay, I like grpc-gateway 😄) Enhancements to the existing built-ins for improving that (see open-policy-agent/opa#2418) would be very welcome! If I'm not mistaken, the connection re-use features of gRPC come from HTTP/2, which is something that http.send should completely support.
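The "wrapper policy" approach discussed above (srenatus's http.send suggestion and jzelinskie's note that SpiceDB exposes a REST/JSON API via grpc-gateway) as a worked example. This is an added illustration, not code from this thread, from SpiceDB or from OPA. It assumes SpiceDB's v1 permission-check endpoint is reachable at `<endpoint>/v1/permissions/check` with the request body shape shown (resource, permission, subject, consistency) and that the endpoint URL and preshared key are supplied to OPA under hypothetical `data.spicedb.endpoint` / `data.spicedb.token` keys; adjust those to your deployment.

```rego
package authz

import future.keywords.if

# Deployment-specific values, assumed to be loaded into OPA as data
# (hypothetical keys, e.g. from a data.json bundle), not hard-coded in policy.
spicedb_endpoint := data.spicedb.endpoint   # e.g. "http://spicedb.internal:8443"
spicedb_token := data.spicedb.token         # SpiceDB preshared key

# Fail closed: any undefined or false path below leaves allow == false.
default allow := false

# Example decision: the calling user needs `input.action` on the resource.
# `input` is constructed by whatever integrates OPA (e.g. an API gateway).
allow if {
	check_permission(input.resource.type, input.resource.id, input.action, "user", input.user) == true
}

# Wraps a single SpiceDB CheckPermission call over the grpc-gateway JSON API.
# Returns true/false on an HTTP 200; stays undefined (hence deny) on any
# transport error or non-200 status because of raise_error: false + the
# status_code check, so an unreachable SpiceDB never grants access.
check_permission(resource_type, resource_id, permission, subject_type, subject_id) := allowed if {
	resp := http.send({
		"method": "POST",
		"url": sprintf("%s/v1/permissions/check", [spicedb_endpoint]),
		"headers": {
			"Authorization": sprintf("Bearer %s", [spicedb_token]),
			"Content-Type": "application/json",
		},
		"body": {
			# Assumed request shape of SpiceDB's v1 CheckPermission.
			"consistency": {"minimizeLatency": true},
			"resource": {"objectType": resource_type, "objectId": resource_id},
			"permission": permission,
			"subject": {"object": {"objectType": subject_type, "objectId": subject_id}},
		},
		"timeout": "2s",
		"raise_error": false,
		# Bound repeated identical checks within a short window; this trades
		# freshness for fewer round trips, so keep the window small for authz.
		"force_cache": true,
		"force_cache_duration_seconds": 5,
	})
	resp.status_code == 200
	allowed := resp.body.permissionship == "PERMISSIONSHIP_HAS_PERMISSION"
}
```

Two design points worth calling out for anyone adopting this pattern: the policy denies by default, and `raise_error: false` plus the explicit `status_code == 200` check mean a timeout, TLS failure or 5xx from SpiceDB results in an undefined function result rather than an OPA evaluation error, which the `default allow := false` rule turns into a deny. The `force_cache` window is the knob that addresses the per-call connection cost raised above; a longer window means a revoked relationship can keep granting access for that long, so size it to how quickly revocations must take effect.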

@jzelinskie jzelinskie added the priority/4 maybe This might get done someday label Nov 18, 2021
@thomasdarimont

Hi folks, I just stumbled upon this issue and wanted to give this a spin.

I'm not too deep into OPA yet, but I managed to create an initial version of an authzed plugin that enables users to query relations from within OPA via rego:
https://github.com/thomasdarimont/custom-opa-spicedb

@josephschorr
Member

As a note, SpiceDB now supports caveats (https://authzed.com/blog/caveats/) for ABAC-like computation to complement policies.

@tr33

tr33 commented Oct 2, 2024

Inspired by thomasd, I've created an extension to OPA that supports all calls to the permission service of SpiceDB, including check, lookup-subjects/resources, read, write and delete operations.
Some features are still missing (zookie in input arguments, pagination), but will follow.

However, the plugin enables OPA to fully integrate SpiceDB.

Find the project here: https://github.com/umbrellaassociates/opa-spicedb

7 participants