
Consider adding support for Open Policy Agent

Open klizhentas opened this issue 4 years ago • 8 comments

Feature Request

https://www.openpolicyagent.org/

Embed it as a library to support RBAC definitions, people can create OPA roles in our RBAC:

role: v3
name: opa-policy
spec:
   policy: |
      package application.authz

      # Only owner can update the pet's information
      # Ownership information is provided as part of OPA's input
      default allow = false
      allow {
          input.method == "PUT"
          some petid
          input.path = ["pets", petid]
          input.user == input.owner
      }

klizhentas avatar Oct 20 '20 18:10 klizhentas

Any community interest? :+1: if you are interested in using it and share your use case

klizhentas avatar Oct 20 '20 18:10 klizhentas

We've a +1 from a community user. https://github.com/gravitational/teleport/issues/3454#issuecomment-679830076

benarent avatar Oct 20 '20 19:10 benarent

One use case would be fine grained control over who can login under what conditions. Alice can login to this server, but only between 8-5 PT, etc. Kelly can log into this server, but only from the Miami jumphost. Jerry can ssh into this server, but only if running a non-interactive command that matches the pattern 'rm /home/jerry/logs/*/*.gz', etc.

rosskusler avatar Oct 26 '20 23:10 rosskusler

We've encountered a limitation of teleport's existing yaml RBAC scheme that OPA would solve. kubernetes_label and kubernetes_group are not related, so it's not possible to selectively grant a role on one cluster without granting it on all clusters. For example, we would like to grant a role system:masters permissions on one cluster and a limited role on all others, but today adding system:masters to a role grants them that permission on all enabled clusters.

Of course, this could be fixed by changing teleport's current yaml configuration to support binding these two flags, but I suspect there will be other cases like this as users try to set up more complex RBAC controls. Open policy agent as a general purpose solution is attractive since it would support arbitrarily complex policies.

OPA is also an interesting possibility for more standard authorization, which would be helpful since many current teleport users like us have to juggle identity provider RBAC (eg. Okta), teleport RBAC, cloud provider RBAC (e.g. AWS IAM), and kubernetes RBAC.

jonathanmyers avatar Apr 12 '21 17:04 jonathanmyers
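As an added example (not code from the Teleport project or from this thread), here is the kind of Rego policy the proposed `spec.policy` field would hold: it decides the Kubernetes group together with the cluster label, which is what the comment above asks for, and encodes the time-window and source-host SSH conditions from the earlier comment. The `input` field names, the `env` label, the `sre` group and the jumphost name are all assumptions about how Teleport would feed OPA.

```rego
package teleport.authz
import rego.v1

# Assumed input shape (illustrative, not Teleport's): see the tests below.
default allow := false

# Kubernetes access: group and cluster label are decided in one rule.
allow if {
	input.resource.kind == "kube_cluster"
	input.requested_group in allowed_kube_groups
}

# system:masters only where the cluster carries env=dev ...
allowed_kube_groups contains "system:masters" if {
	"sre" in input.user.groups
	input.resource.labels.env == "dev"
}

# ... and a restricted group on every other cluster.
allowed_kube_groups contains "view" if {
	"sre" in input.user.groups
}

# SSH access: Alice only from the Miami jumphost, 08:00-17:00 Pacific.
allow if {
	input.resource.kind == "node"
	input.user.name == "alice"
	input.source_host == "jumphost.miami.example.com"
	hour := time.clock([input.request_time_ns, "America/Los_Angeles"])[0]
	hour >= 8
	hour < 17
}

# Constructed inputs; run with `opa test policy.rego`.
test_masters_granted_on_dev if {
	allow with input as {
		"resource": {"kind": "kube_cluster", "labels": {"env": "dev"}},
		"requested_group": "system:masters",
		"user": {"name": "bob", "groups": ["sre"]},
	}
}

test_masters_denied_on_prod if {
	not allow with input as {
		"resource": {"kind": "kube_cluster", "labels": {"env": "prod"}},
		"requested_group": "system:masters",
		"user": {"name": "bob", "groups": ["sre"]},
	}
}
```

The two tests show the point of the binding: the same user is granted system:masters on the dev-labelled cluster and denied it on the prod-labelled one, while the `view` group remains available everywhere.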

+1 for interest here as well. Talking to a group that is also interested in adding this capability into Teleport.

Valien avatar Mar 31 '22 13:03 Valien

It seems this issue has gained a lot more community interest compared to other open issues.

Just to add some info here, there is gatekeeper with some benefits compared to OPA.

tz-torchai avatar May 12 '22 07:05 tz-torchai

+1

kotyara85 avatar Sep 21 '22 08:09 kotyara85

Would be cool to actually plug it in as an external rbac system

kotyara85 avatar Sep 21 '22 08:09 kotyara85

Was just asked by a potential customer about Teleport's OPA support at KubeCon EU.

dumez-k avatar Apr 20 '23 11:04 dumez-k