
Integration with open policy agent

Open DAlperin opened this issue 2 years ago • 9 comments

I see in the docs that there can theoretically be an integration between this and OPA. I'm having trouble understanding what a real world integration between the two of them would look like. Are there any resources explaining that?

I'm really interested in potentially using spicedb in my current project, just trying to clear up my mental model.

(if this is the wrong place to ask questions, I apologize, let me know and I'll move it to the right place)

DAlperin avatar Oct 01 '21 15:10 DAlperin

Right now we have an experiment with zed, our command-line tool: https://github.com/authzed/zed#open-policy-agent-opa

We add builtin functions that let you call the SpiceDB API from rego. Would that work for your use case?

We've had some private discussions about what it would look like to embed a policy agent server-side and we'd be open to discussing that publicly now, too, if people are interested.

jzelinskie avatar Oct 01 '21 15:10 jzelinskie

Ah yeah that does look very interesting, thanks. Is there any plan to extract the OPA functions provided by zed into an OPA extension so they can be available on existing OPA installations?

DAlperin avatar Oct 03 '21 22:10 DAlperin

Unless I'm misinterpreting what I've read here, there doesn't appear to be a way to distribute something to existing OPA users that doesn't require creating a new build of OPA itself.

I am not an OPA expert by any means, so if anyone knows how to better facilitate OPA users, I'd love to learn more.

jzelinskie avatar Oct 26 '21 23:10 jzelinskie

Hello from the OPA side 👋

[...] there doesn't appear to be a way to distribute something to existing OPA users that doesn't require creating a new build of OPA itself.

That's true.

From what I can tell, you are providing a gRPC API. If you had some sort of plain HTTP endpoint, you could help your users out with a rego policy snippet wrapping http.send. As of today, there are no generic gRPC functions (https://github.com/open-policy-agent/opa/issues/1450).

Bottom line is that it's tricky to do plugins in golang well. Another idea we've been toying with is adding plugin functionality via Wasm (https://github.com/open-policy-agent/opa/issues/3631), but that also hasn't happened yet. Also, socket stuff (i.e. implementing gRPC) is tricky still for WASI and friends.

☝️ Which of those approaches seems most promising for your use case?

srenatus avatar Oct 27 '21 07:10 srenatus

As of v1.1.0, SpiceDB actually supports a REST/JSON API that's powered by grpc-gateway internally. Writing a wrapper policy is a pretty reasonable step forward. Performance will suffer from re-establishing connections for each API call, though.

When I first wrote the zed experiment, I had mentioned in the OPA Slack that another idea is to do something similar to git, where you exec out to binaries on the $PATH with a specific prefix and pass the flags/args. We used to do something similar in zed before we open sourced SpiceDB. Go plugins these days are more portable than they used to be, but are still not quite entirely cross platform.

jzelinskie avatar Oct 27 '21 22:10 jzelinskie
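The "wrapper policy around http.send" approach suggested above, written out as an added example (this is not code from the SpiceDB, zed or OPA projects). It assumes a SpiceDB instance with its grpc-gateway HTTP listener reachable at spicedb_base_url, that the JSON shape of the CheckPermission request and response mirrors the gRPC API (objectType/objectId, permissionship), that the preshared key is injected into OPA's environment as SPICEDB_KEY rather than written into the policy, and that callers supply input.resource, input.permission and input.subject in the shape used below; all of those names are assumptions to adjust for a real deployment.

```rego
package authz.spicedb

# Added example, not from the authzed or OPA projects.
# Assumptions (hypothetical, adjust to your deployment):
#   - SpiceDB's HTTP (grpc-gateway) listener is at spicedb_base_url
#   - the preshared key is in OPA's process environment as SPICEDB_KEY
#   - callers pass input.resource.{type,id}, input.permission,
#     input.subject.{type,id}

spicedb_base_url := "http://localhost:8443"

# Fail closed: anything other than an explicit HAS_PERMISSION answer
# (timeouts, network errors, non-200 responses, conditional results) is a deny.
default allow := false

allow {
	permissionship == "PERMISSIONSHIP_HAS_PERMISSION"
}

# One CheckPermission call per evaluation. raise_error=false turns transport
# failures into a response object carrying an "error" key instead of making
# the whole rule undefined, so the rules below can tell the cases apart.
check_response := http.send({
	"method": "POST",
	"url": concat("", [spicedb_base_url, "/v1/permissions/check"]),
	"headers": {
		"Authorization": concat(" ", ["Bearer", opa.runtime().env.SPICEDB_KEY]),
		"Content-Type": "application/json",
	},
	"body": {
		"consistency": {"minimizeLatency": true},
		"resource": {"objectType": input.resource.type, "objectId": input.resource.id},
		"permission": input.permission,
		"subject": {"object": {"objectType": input.subject.type, "objectId": input.subject.id}},
	},
	"timeout": "500ms",
	"raise_error": false,
	# Cache identical answers briefly so repeated evaluations do not each pay
	# a full round trip. Keep this short: it also delays seeing a revocation.
	"force_cache": true,
	"force_cache_duration_seconds": 5,
})

permissionship := p {
	not check_response.error
	check_response.status_code == 200
	p := check_response.body.permissionship
}

# Why a request was denied, for decision logs. These bodies are mutually
# exclusive so the complete rule never conflicts.
deny_reason := "spicedb unreachable or timed out" {
	check_response.error
}

deny_reason := sprintf("spicedb returned HTTP %d", [check_response.status_code]) {
	not check_response.error
	check_response.status_code != 200
}

deny_reason := sprintf("spicedb permissionship %v", [permissionship]) {
	permissionship != "PERMISSIONSHIP_HAS_PERMISSION"
}
```

Evaluate with something like `opa eval -d policy.rego -i input.json 'data.authz.spicedb.allow'` where input.json holds `{"resource": {"type": "document", "id": "1"}, "permission": "view", "subject": {"type": "user", "id": "alice"}}`. Two points matter from a security standpoint: the policy only grants on the exact HAS_PERMISSION string, so an unreachable SpiceDB, a 401 from a bad key, or a conditional answer all deny; and the credential comes from the environment, so it is not shipped inside the policy bundle. The force_cache window is the trade you make for the connection-setup cost mentioned above; if revocations must take effect within seconds, lower it or drop it.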

@srenatus has OPA considered adding plugins that could be useful to the community (such as the SpiceDB one) to the main build?

rocioar avatar Oct 28 '21 10:10 rocioar

has OPA considered adding plugins that could be useful to the community (such as the SpiceDB one) to the main build?

Here's the list of built-in functions currently supported: https://www.openpolicyagent.org/docs/edge/policy-reference/#built-in-functions -- there isn't a single vendor-specific API wrapper among them, and I'd think that's for the better. (💭 There is an API following a standard, let's make sure OPA has the means to talk to it.)

Anyhow, about that 👇

As of v1.1.0, SpiceDB actually supports a REST/JSON API that's powered by grpc-gateway internally. Writing a wrapper policy is a pretty reasonable step forward. Performance will suffer from re-establishing connections for each API call, though.

(Yay, I like grpc-gateway 😄) Enhancements to the existing built-ins for improving that (see https://github.com/open-policy-agent/opa/issues/2418) would be very welcome! If I'm not mistaken, the connection re-use features of gRPC come from HTTP/2, which is something that http.send should completely support.

srenatus avatar Oct 28 '21 11:10 srenatus

Hi folks, I just stumbled upon this issue and wanted to give this a spin.

I'm not too deep into OPA yet, but I managed to create an initial version of an authzed plugin that enables users to query relations from within OPA via rego: https://github.com/thomasdarimont/custom-opa-spicedb

thomasdarimont avatar Oct 12 '22 22:10 thomasdarimont

As a note, SpiceDB now supports caveats (https://authzed.com/blog/caveats/) for ABAC-like computation to complement policies

josephschorr avatar Mar 21 '23 17:03 josephschorr