我的书签
添加书签
移除书签Securing the API involves configuring OPA to use TLS, authentication, and authorization so that:
- Traffic between OPA and clients is encrypted.
- Clients verify the OPA API endpoint identity.
- OPA verifies client identities.
- Clients are only granted access to specific APIs or sections of The data Document.
HTTPS is configured by specifying TLS credentials via command line flags at startup:
- specifies the path of the file containing the TLS certificate.
--tls-private-key-file=<path>specifies the path of the file containing the TLS private key.
OPA will exit immediately with a non-zero status code if only one of these flags is specified.
Note that for using TLS-based authentication, a CA cert file can be provided:
--tls-ca-cert-file=<path>specifies the path of the file containing the CA cert.
If provided, it will be used to validate clients’ TLS certificates when using TLS authentication (see below).
By default, OPA ignores insecure HTTP connections when TLS is enabled. To allow insecure HTTP connections in addition to HTTPS connections, provide another listening address with --addr. For example:
openssl genrsa -out private.key 2048openssl req -new -x509 -sha256 -key private.key -out public.crt -days 1
2. Start OPA with TLS enabled
opa run --server --log-level debug \--tls-cert-file public.crt \--tls-private-key-file private.key
curl http://localhost:8181/v1/data
4. Access the API with HTTPS
curl -k https://localhost:8181/v1/data
This section shows how to configure OPA to authenticate and authorize client requests. Client-side authentication of the OPA API endpoint should be handled with TLS.
Authentication and authorization allow OPA to:
- Verify client identities.
- Control client access to APIs and data.
Both are configured via command line flags:
--authentication=<scheme>specifies the authentication scheme to use.--authorization=<scheme>specifies the authorization scheme to use.
By default, OPA does not perform authentication or authorization and these flags default to off.
For authentication, OPA supports:
: Bearer tokens are enabled by starting OPA with
--authentication=token. When thetokenauthentication mode is enabled, OPA will extract the Bearer token from incoming API requests and provide to the authorization handler. When you use thetokenauthentication, you must configure an authorization policy that checks the tokens. If the client does not supply a Bearer token, theinput.identityvalue will be undefined when the authorization policy is evaluated.Client TLS certificates: Client TLS authentication is enabled by starting OPA with
--authentication=tls. When this authentication mode is enabled, OPA will require all clients to provide a client certificate. It is verified against the CA certificate(s) provided via--tls-ca-cert-path. Upon successful verification, theinput.identityvalue is set to the TLS certificate’s subject.
For authorization, OPA relies on policy written in Rego. Authorization is enabled by starting OPA with --authorization=basic.
When the basic authorization scheme is enabled, a minimal authorization policy must be provided on startup. The authorization policy must be structured as follows:
# The "system" namespace is reserved for internal use# by OPA. Authorization policy must be defined under# system.authz as follows:package system.authzdefault allow = false # Reject requests by default.allow {# Logic to authorize request goes here.}
When OPA receives a request, it executes a query against the document defined data.system.authz.allow. The implementation of the policy may span multiple packages however it is recommended that administrators keep the policy under the system namespace.
If the document produced by the allow rule is true, the request is processed normally. If the document is undefined or not true, the request is rejected immediately.
OPA provides the following input document when executing the authorization policy:
{# Identity established by authentication scheme.# When Bearer tokens are used, the identity is# set to the Bearer token value."identity": "",# One of {"GET", "POST", "PUT", "PATCH", "DELETE"}."method": "",# URL path represented as an array.# For example: /v1/data/exempli-gratia# is represented as ["v1", "data", "exampli-gratia"]"path": [...],# URL parameters represented as an object of string arrays.# For example: metrics&explain=true is represented as# {"metrics": [""], "explain": ["true"]}"params": {"...": ...},# Request headers represented as an object of string arrays.## Example Request Headers:## host: acmecorp.com# x-custom: secretvalue## Example input.headers Value:## {"Host": ["acmecorp.com"], "X-Custom": ["mysecret"]}## Example header check:## input.headers["X-Custom"][_] = "mysecret"## Header keys follow canonical MIME form. The first character and any# characters following a hyphen are uppercase. The rest are lowercase.# If the header key contains space or invalid header field bytes,# no conversion is performed."headers": {"...": [...]},# Request message body if present for applicable APIs.## Example Request:## POST v1/data HTTP/1.1# Content-Type: application/json## {"input": {"action": "trade", "stock": "ACME"}}## Example input.body Value:# {"input": {"action": "trade", "stock": "ACME"}}### input.body.input.stock == "ACME"## The 'body' field is provided for the following APIs:## * POST v1/data# * POST v0/data# * POST /"body": ...,}
At a minimum, the authorization policy should grant access to a special root identity:
package system.authzdefault allow = false # Reject requests by default.allow { # Allow request if..."secret" == input.identity # Identity is the secret root key.}
When OPA is configured with this minimal authorization policy, requests without authentication are rejected:
Response:
HTTP/1.1 401 UnauthorizedContent-Type: application/json
{"code": "unauthorized","message": "request rejected by administrative policy"}
However, if Bearer token authentication is enabled and the request includes the secret from above, the request is allowed:
GET /v1/policies HTTP/1.1Authorization: Bearer secret
Response:
HTTP/1.1 200 OKContent-Type: application/json
Besides boolean responses, authorization policies can change the message included in the deny response. Do do that, policy decisions must yield an object response as follows:
package system.authzdefault allow = {"allowed": false,"reason": "unauthorized resource access"}allow = { "allowed": true } { # Allow request if..."secret" == input.identity # identity is the secret root key.}allow = { "allowed": false, "reason": reason } {not input.identityreason := "no identity provided"}
When Bearer tokens are used for authentication, the policy should at minimum validate the identity:
package system.authz# Tokens may defined in policy or pushed into OPA as data.tokens = {"my-secret-token-foo": {"roles": ["admin"]},"my-secret-token-bar": {"roles": ["service-1"]},"my-secret-token-baz": {"roles": ["service-2", "service-3"]}}default allow = false # Reject requests by default.allow { # Allow request if...input.identity == "secret" # Identity is the secret root key.}allow { # Allow request if...tokens[input.identity] # Identity exists in "tokens".}
To complete this example, the policy could further restrict tokens to specific documents:
package system.authz# Rights may be defined in policy or pushed into OPA as data.rights = {"admin": {"path": "*"},"service-1": {"path": ["v1", "data", "exempli", "gratia"]},"service-2": {"path": ["v1", "data", "par", "example"]}}# Tokens may be defined in policy or pushed into OPA as data.tokens = {"my-secret-token-foo": {"roles": ["admin"]},"roles": ["service-1"]},"my-secret-token-baz": {"roles": ["service-2", "service-3"]}}default allow = false # Reject requests by default.allow { # Allow request if...some rightidentity_rights[right] # Rights for identity exist, and...right.path == "*" # Right.path is '*'.}allow { # Allow request if...some rightidentity_rights[right] # Rights for identity exist, and...right.path == input.path # Right.path matches input.path.}identity_rights[right] { # Right is in the identity_rights set if...some roletoken := tokens[input.identity] # Token exists for identity, and...role := token.roles[_] # Token has a role, and...right := rights[role] # Role has rights defined.}
TLS-based Authentication Example
To set up authentication based on TLS, we will need three certificates:
- the CA cert (self-signed),
- the server cert (signed by the CA), and
- the client cert (signed by the CA).
These are example invocations using openssl. Don’t use these in production, the key sizes are only good for demonstration purposes.
We also create a simple authorization policy file, called check.rego:
package system.authz# client_cns may defined in policy or pushed into OPA as data.client_cns = {"my-client": true}default allow = falseallow { # Allow request ifsplit(input.identity, "=", ["CN", cn]) # the cert subject is a CN, andclient_cns[cn] # the name is a known client.}
Now, we’re ready to starting the server with -authentication=tls and the certificate-related parameters:
$ opa run -s \--tls-cert-file server-cert.pem \--tls-private-key-file server-key.pem \--tls-ca-cert-file ca.pem \--authentication=tls \--authorization=basic \-a https://127.0.0.1:8181 \check.regoINFO[2019-01-14T10:24:52+01:00] First line of log stream. addrs="[https://127.0.0.1:8181]" insecure_addr=
We can use curl to validate our TLS-based authentication setup:
First, we use the client certificate that was signed by the CA, and has a subject matching our authorization policy:
$ curl --key client-key.pem \--cert client-cert.pem \--cacert ca.pem \--resolve opa.example.com:8181:127.0.0.1 \https://opa.example.com:8181/v1/data{"result":{}}
Note that we’re passing the CA cert to curl – this is done to have curl accept the server’s certificate, which has been signed by our CA cert.
Since we’ve setup an IP SAN, we may also curl https://127.0.0.1:8181/v1/data directly. (To keep our examples focused, we’ll do that from here on.)
Using a valid certificate whose subject will be declined by our authorization policy:
$ curl --key client-key-2.pem \--cert client-cert-2.pem \--cacert ca.pem \https://127.0.0.1:8181/v1/data{"code": "unauthorized","message": "request rejected by administrative policy"}
Finally, we’ll attempt to query without a client certificate:
$ curl --cacert ca.pem https://127.0.0.1:8181/v1/datacurl: (35) error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate
As you can see, TLS-based authentication disallows these request completely.
Often OPA is deployed locally to the host where the client resides (side-car or similar model). In these deployments it is ideal to only expose the API via localhost to prevent any remote clients from reaching OPA at all. The downside to this approach is that it blocks remote monitoring systems that require access to /health or /metrics.
The solution is to configure OPA with a separate diagnostic listener by providing the --diagnostic-addr flag, for example:
$ opa run \-s \--addr localhost:8181 \--diagnostic-addr :8282
The configuration above would expose only /health and /metrics API’s on port 8282 while keeping the normal REST API bound to localhost:8181.
You can run a hardened OPA deployment with minimal configuration. There are a few things to keep in mind:
- Limit API access to host-local clients executing policy queries.
- Configure TLS (for localhost TCP) or a UNIX domain socket.
- Do not pass credentials as command-line arguments.
- Run OPA as a non-root user ideally inside it’s own account.
With OPA configured to fetch policies using the feature you can configure OPA with a restrictive authorization policy that only grants clients access to the default policy decision, i.e., POST /:
package system.authz# Deny access by default.default allow = false# Allow anonymous access to the default policy decision.allow {input.method = "POST"input.path = [""]}
- Authorize all API requests (
--authorization=basic) - Listen on localhost for HTTPS (not HTTP!) connections (
--addr,--tls-cert-file,--tls-private-key-file) - Download bundles from a remote HTTPS endpoint (
--setflags and flag)
