-
Notifications
You must be signed in to change notification settings - Fork 485
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AuthPolicy - configuration changes require restart #3598
Comments
It would be helpful if you could provide some more details around your use case and why the dynamic reloading is needed in your case. |
We're still exploring, but the percieved use case would be that of example 1 where we would want to be able to change departments being authorised without loosing service. Perhaps this should be rolled out by CICD with HA confIguration? |
Issue #3282 discussed this type of dynamic rule changes by supporting a remote OPA instance. Separating the However, the issue was closed because the maintainers felt support for remote OPA evaluation might be premature given that OPA integration in any form was still experimental. |
Thank you Dennis. |
Hey folks .. very sorry for the confusion around the state of support for OPA Rego ... I know that the signals have been a bit confusing. We had a lengthy conversation around this issue, and all the surrounding ones, in our public contributor call this past Tuesday. IMO the configuration of a "remote" OPA (even if local) is table stakes for Rego support, however the original request was hampered by the current state/support of this feature... and the TL;DR there is, we have a hard time seeing a path forward in terms of graduating this feature out of experimental support. I know that @dennisgove has some specific concerns around authorization ... and perhaps some of those are solved in other ways (e.g. supporting federated auth on SPIRE Server APIs, and permitting identities from foreign trust domains to be admins). But putting that aside, the general feeling here is that OPA Rego support hasn't quite gotten us as far as we'd hoped, and the downsides outweigh the upsides. This conclusion makes it hard to reason about committing further effort to supporting OPA Rego integration - instead, we'd like to focus conversation towards a new solution. I opened #3620 for this purpose. I know that this isn't the news that you might have hoped for, but I do believe that it's the right call. I think that some community needs can be met with targeted feature implementation in the short term ... and in the long term, I hope that we can move to a system with first class authorization implemented with something like rbac/capabilities/etc |
Thank you @evan2645. I agree with this move and am glad that we're going to take the opportunity to re-think SPIRE authorization. |
Thank you for the update and sharing the rational. |
SPIRE AuthPolicy OPA policy changes (AuthPolicy) require a server restart before taking effect, which could be problematic for production rollout.
Is there a recomended way to appying rego changes?
The text was updated successfully, but these errors were encountered: