
Usage of multiple modules possible?

Open Silvanoc opened this issue 5 years ago • 4 comments

Does the current implementation of the plugin allow splitting the policy into multiple modules? It doesn't look to me as if it would be possible.

If this possibility is missing, is it planned to add it?

Silvanoc avatar Jan 31 '20 10:01 Silvanoc

You're right. From the code https://github.com/open-policy-agent/opa-docker-authz/blob/master/main.go#L162 it looks like a single policy file can be loaded. Can you expand on your use-case and the kind of policies you want to enforce?

ashutosh-narkar avatar Jan 31 '20 16:01 ashutosh-narkar

Use-case:

  • Docker host where docker-compose is being "occasionally" used to manage the containers.
  • Policy to control the configuration of the containers.
  • Rules should be enforced on Docker using this plugin, but it should also be possible to tell in advance whether a docker-compose configuration will be executable or not.
  • Rule reuse is desired as much as possible.

The idea is having common rules in modules being used by Docker and docker-compose:

allow {
    privileged
    grant_privileges
}

And the specific rules like grant_privileges come from different modules depending on the tool (Docker authorization plugin or docker-compose configuration check).

This use-case has an ugly work-around for this limitation: finding out the Docker REST request that would result from a docker-compose configuration and passing it to the opa-docker-authz policy. But I don't really like it, and the question is also whether being able to have multiple modules is a feature desired by other users.
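To make the "common module plus tool-specific module" layout concrete, here is an added example (not code from the issue or from the opa-docker-authz project) of three Rego files that share one package. The shared file defines `allow` exactly as sketched above; each tool-specific file supplies its own `privileged` and `grant_privileges` rules. The input field names for the plugin (`input.Method`, `input.Body.HostConfig.Privileged`, `input.Headers["AuthZ-User"]`) follow the opa-docker-authz README, the compose field names follow the docker-compose file format, and the `x-privileges-approved` extension key and the "admin" user are assumptions made for the example. The rules use OPA v0 syntax (no `if` keyword), as in the original snippet.

```rego
# --- file: policy/common/common.rego ---
# Shared by both tools. Only this file defines "allow"; the rules it
# depends on ("privileged", "grant_privileges") come from whichever
# tool-specific module is loaded next to it.
package docker.authz

default allow = false

# A non-privileged container is always fine.
allow {
    not privileged
}

# A privileged container needs an explicit grant.
allow {
    privileged
    grant_privileges
}

# --- file: policy/docker/docker_plugin.rego ---
# Loaded by the Docker authorization plugin together with common.rego.
# Input is the Docker REST request as the plugin passes it to OPA.
package docker.authz

# Container create requests carry HostConfig.Privileged in the body
# (field names as in the opa-docker-authz README).
privileged {
    input.Method == "POST"
    input.Body.HostConfig.Privileged == true
}

# Assumption for the example: only the "admin" user may run privileged
# containers; the plugin exposes the caller in the AuthZ-User header.
grant_privileges {
    input.Headers["AuthZ-User"] == "admin"
}

# --- file: policy/compose/compose.rego ---
# Loaded by the compose pre-check together with common.rego.
# Input is the parsed docker-compose file (a YAML document as JSON).
package docker.authz

# Any service with "privileged: true" makes the whole file privileged.
privileged {
    some name
    input.services[name].privileged == true
}

# Assumption for the example: the compose file must carry an explicit,
# reviewed "x-privileges-approved: true" extension key to get the grant.
grant_privileges {
    input["x-privileges-approved"] == true
}

# Optional: a deny rule so the same module can drive a CI gate.
deny[msg] {
    not allow
    msg := "privileged service requested without an approved grant"
}
```

Each tool loads the shared directory plus its own, never the other tool's module, so `privileged` is defined exactly once per evaluation; loading all three at once would OR the two `privileged` definitions together. With a loader that accepts directories (for instance `opa eval -d policy/common -d policy/docker -i request.json 'data.docker.authz.allow'` for a captured plugin request, and the same command with `policy/compose` and the compose file as input for the pre-check), the same `allow` rule answers both questions without translating a compose file into Docker REST requests.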

Silvanoc avatar Feb 03 '20 08:02 Silvanoc

Maybe something like conftest could help with this?

Rules should be enforced on Docker using this plugin, but it should also be possible to tell in advance whether a docker-compose configuration will be executable or not.

I can imagine the plugin leveraging the load api to load all the *.rego files in a directory.

ashutosh-narkar avatar Feb 04 '20 01:02 ashutosh-narkar

As @ashutosh-narkar mentioned, the implementation could be improved by using the rego.Load(path) option when preparing for evaluation here. The rego.Load(path) option accepts a path to a file or directory. If a directory is given, the option will load all files and directories, recursively.

tsandall avatar Feb 05 '20 16:02 tsandall