Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

AuthPolicy - configuration changes require restart #3598

Closed
PhilCorney opened this issue Nov 10, 2022 · 7 comments
Closed

AuthPolicy - configuration changes require restart #3598

PhilCorney opened this issue Nov 10, 2022 · 7 comments
Assignees
Labels
triage/in-progress Issue triage is in progress

Comments

@PhilCorney
Copy link

SPIRE AuthPolicy OPA policy changes (AuthPolicy) require a server restart before taking effect, which could be problematic for production rollout.

Is there a recomended way to appying rego changes?

  • Version: 1.4.3
  • Platform: arm64 [single server]
  • Subsystem: AuthPolicy
@MarcosDY
Copy link
Collaborator

It would be helpful if you could provide some more details around your use case and why the dynamic reloading is needed in your case.

@PhilCorney
Copy link
Author

We're still exploring, but the percieved use case would be that of example 1 where we would want to be able to change departments being authorised without loosing service. Perhaps this should be rolled out by CICD with HA confIguration?

@dennisgove
Copy link
Contributor

Issue #3282 discussed this type of dynamic rule changes by supporting a remote OPA instance. Separating the Policy Enforcement Point (SPIRE) and the Policy Decision Point (OPA) we would be able to support dynamic access rules without requiring a SPIRE restart. OPA already supports multiple mechanisms to dynamically change its internal ruleset.

However, the issue was closed because the maintainers felt support for remote OPA evaluation might be premature given that OPA integration in any form was still experimental.

@PhilCorney
Copy link
Author

Thank you Dennis.
I liked the proposal there maybe performance/security implications for going down this route.
Are there plans to move this out of Experimental?

@evan2645 evan2645 added the triage/in-progress Issue triage is in progress label Nov 15, 2022
@evan2645 evan2645 self-assigned this Nov 15, 2022
@evan2645
Copy link
Member

Hey folks .. very sorry for the confusion around the state of support for OPA Rego ... I know that the signals have been a bit confusing.

We had a lengthy conversation around this issue, and all the surrounding ones, in our public contributor call this past Tuesday. IMO the configuration of a "remote" OPA (even if local) is table stakes for Rego support, however the original request was hampered by the current state/support of this feature... and the TL;DR there is, we have a hard time seeing a path forward in terms of graduating this feature out of experimental support.

I know that @dennisgove has some specific concerns around authorization ... and perhaps some of those are solved in other ways (e.g. supporting federated auth on SPIRE Server APIs, and permitting identities from foreign trust domains to be admins). But putting that aside, the general feeling here is that OPA Rego support hasn't quite gotten us as far as we'd hoped, and the downsides outweigh the upsides. This conclusion makes it hard to reason about committing further effort to supporting OPA Rego integration - instead, we'd like to focus conversation towards a new solution. I opened #3620 for this purpose.

I know that this isn't the news that you might have hoped for, but I do believe that it's the right call. I think that some community needs can be met with targeted feature implementation in the short term ... and in the long term, I hope that we can move to a system with first class authorization implemented with something like rbac/capabilities/etc

@dennisgove
Copy link
Contributor

Thank you @evan2645. I agree with this move and am glad that we're going to take the opportunity to re-think SPIRE authorization.

@PhilCorney
Copy link
Author

Thank you for the update and sharing the rational.
That makes sense.
Phil

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
triage/in-progress Issue triage is in progress
Projects
None yet
Development

No branches or pull requests

4 participants