Beyond Entitlements for Cloud-Native

Beyond Entitlements for Cloud Native Scalable Responsibility Management with Spring
Boot and Open Policy Agent Hong Liu and Chandra Guntur June 2019 Bank of New York Mellon

Information Classification: Public 2 BNY Mellon is the corporate brand
of The Bank of New York Mellon Corporation and may be used as a generic term to reference the corporation as a whole and/or its various subsidiaries generally. Products and services may be provided under various brand names in various countries by duly authorized and regulated subsidiaries, affiliates, and joint ventures of The Bank of New York Mellon Corporation. Not all products and services are offered in all countries. BNY Mellon will not be responsible for updating any information contained within this material and opinions and information contained herein are subject to change without notice. BNY Mellon assumes no direct or consequential liability for any errors in or reliance upon this material. This material may not be reproduced or disseminated in any form without the express prior written permission of BNY Mellon.   ©2019 The Bank of New York Mellon Corporation. All rights reserved. Disclosure

Information Classification: Public 3 Hong Liu • Hong Liu is
a Principal Developer in Resilient Systems Engineering, BNY Mellon. • 18+ years of experience as a technologist using Java, with a recent focus on microservices and AI. • Adept at creating plugins for IDEs such as Eclipse and IntelliJ IDEA. • In her spare time, she likes to listen to classical music. • Astronomy is her favorite theme to watch on TV. Chandra Guntur • Chandra Guntur is a Sr. Principal Architect and Java Advocate in Resilient Systems Engineering, BNY Mellon. • Technologist in the financial services industry since 2003 and is programming with Java since 1998. • One of the representatives for BNY Mellon in the Java Community Process (JCP) Executive Committee. • JUG (Java User Group ) Leader, and helps run one of the largest Java user groups, NYJavaSIG (New York Java Special Interest Group). • Frequent speaker at Java user groups, tech. conferences: Oracle CodeOne, Oracle Code NY, QCon New York, Devnexus and GIDS India. About

Information Classification: Public Information Classification: Public 4 Agenda • Responsibility
Management • Technology Choices • HOCON, Open Policy Agent, Spring Boot, Eclipse Collections • Architecture • Code Samples • OPA Policy Authoring Plugin for IntelliJ IDEA

Responsibility Management for the Enterprise    - A rationale

Information Classification: Public Information Classification: Public 6 Why Responsibility Management
– Scenario 1 • Service A needs to know if a user is a member of an enterprise LDAP Group • Access may be granted based on membership. • Access may be denied based on membership. • Access may be granted based on lack of membership. • Access may be denied based on lack of membership. LDAP Group

– Scenario 1 • Service A needs to know if a user is a member of an enterprise LDAP Group • Access may be granted based on membership. • Access may be denied based on membership. • Access may be granted based on lack of membership. • Access may be denied based on lack of membership. Then … LDAP Group • Service B needs to know if a user is a member of an enterprise LDAP Group

– Scenario 1 • Service A needs to know if a user is a member of an enterprise LDAP Group • Access may be granted based on membership. • Access may be denied based on membership. • Access may be granted based on lack of membership. • Access may be denied based on lack of membership. Then … Questions • How about Service/Application C, D or E ? • Who manages employees who move/leave/join the department/org/company  (Movers/Leavers/Joiners) LDAP Group • Service B needs to know if a user is a member of an enterprise LDAP Group

Information Classification: Public Information Classification: Public 7 Email/AD Group Why
Responsibility Management – Scenario 2 • Service M needs to know if a user is a member of an enterprise Email/AD Group • Access may be granted based on membership. • Access may be denied based on membership. • Access may be granted based on lack of membership. • Access may be denied based on lack of membership.

Information Classification: Public Information Classification: Public 7 Email/AD Group Why
Responsibility Management – Scenario 2 • Service M needs to know if a user is a member of an enterprise Email/AD Group • Access may be granted based on membership. • Access may be denied based on membership. • Access may be granted based on lack of membership. • Access may be denied based on lack of membership. Then … Questions • How about Service/Application O, P or Q ? • Who manages employees who move/leave/join the department/org/company  (Movers/Leavers/Joiners) • Service N needs to know if a user is a member of an enterprise Email/AD Group

– Scenario 3 More complex evaluations occur as well. LDAP Group 1 LDAP Group 2 Email Group 1 $$$$ ≥ USD 200,000 Direct Reports Service X needs to check if all of the below are true for a user:

– Scenario 3 More complex evaluations occur as well. • is member of LDAP Group 1 LDAP Group 1 LDAP Group 2 Email Group 1 $$$$ ≥ USD 200,000 Direct Reports Service X needs to check if all of the below are true for a user:

– Scenario 3 More complex evaluations occur as well. • is member of LDAP Group 1 • is not member of LDAP Group 2 LDAP Group 1 LDAP Group 2 Email Group 1 $$$$ ≥ USD 200,000 Direct Reports Service X needs to check if all of the below are true for a user:

– Scenario 3 More complex evaluations occur as well. • is member of LDAP Group 1 • is not member of LDAP Group 2 • is member of Email Group 1 LDAP Group 1 LDAP Group 2 Email Group 1 $$$$ ≥ USD 200,000 Direct Reports Service X needs to check if all of the below are true for a user:

– Scenario 3 More complex evaluations occur as well. • is member of LDAP Group 1 • is not member of LDAP Group 2 • is member of Email Group 1 • is allowed to request an order of the amount USD 200,000 LDAP Group 1 LDAP Group 2 Email Group 1 $$$$ ≥ USD 200,000 Direct Reports Service X needs to check if all of the below are true for a user:

– Scenario 3 More complex evaluations occur as well. • is member of LDAP Group 1 • is not member of LDAP Group 2 • is member of Email Group 1 • is allowed to request an order of the amount USD 200,000 • has at least two direct reports LDAP Group 1 LDAP Group 2 Email Group 1 $$$$ ≥ USD 200,000 Direct Reports Service X needs to check if all of the below are true for a user:

– Scenario 3 LDAP Group 1 LDAP Group 2 Email Group 1 $$$$ ≥ USD 200,000 Direct Reports Questions • What if each request is for different sets of   groups and/or amounts? • What if other services have similar functional   constraints with different values? • Where are such policies maintained, are they   auditable and follow Config Management guidelines ? • Who manages Mover/Leaver/Joiner employees?

– Scenario 4 Service Y needs to check responsibility privileges for a user/subject: Domain organization environment action resource

– Scenario 4 Service Y needs to check responsibility privileges for a user/subject: • in a given domain (Infra or Shared - service or tool) Domain organization environment action resource

– Scenario 4 Service Y needs to check responsibility privileges for a user/subject: • in a given domain (Infra or Shared - service or tool) • for a given cost code identifier or org. business unit ($) Domain organization environment action resource

– Scenario 4 Service Y needs to check responsibility privileges for a user/subject: • in a given domain (Infra or Shared - service or tool) • for a given cost code identifier or org. business unit ($) • for a given environment (e.g. ‘PROD’, ‘QA’, ‘DEV’ …) Domain organization environment action resource

– Scenario 4 Service Y needs to check responsibility privileges for a user/subject: • in a given domain (Infra or Shared - service or tool) • for a given cost code identifier or org. business unit ($) • for a given environment (e.g. ‘PROD’, ‘QA’, ‘DEV’ …) • for a given action (e.g. EDIT, DELETE, CREATE …) Domain organization environment action resource

– Scenario 4 Service Y needs to check responsibility privileges for a user/subject: • in a given domain (Infra or Shared - service or tool) • for a given cost code identifier or org. business unit ($) • for a given environment (e.g. ‘PROD’, ‘QA’, ‘DEV’ …) • for a given action (e.g. EDIT, DELETE, CREATE …) • for a given resource (e.g. org.databases.prod.instance1.schema1) Domain organization environment action resource

– Scenario 4 Questions Domain organization environment action resource • What if each request is for different sets of values   for the given domain? • What if other services have similar functional   constraints with different values? • Who manages Role-Responsibility per domain   and User-Role Mappings? • Who manages Mover/Leaver/Joiner employees ?

Information Classification: Public Information Classification: Public 12 Responsibility Management –
Common Solutions – For Data DATA - External Services / Persistence • LDAP/Active directory queried by the application/service via direct connections. • User approver/manager is queried via proprietary corporate directory services. • Role-Responsibility mappings are usually stored in local persistence of the domain. • User-Role mappings usually stored in any of: local persistence, proprietary systems.

Information Classification: Public Information Classification: Public 13 Responsibility Management –
Common Solutions – For Functions LOGIC - Calculations / Functions • Complex functions/calculations are coded into the application/service.  • Newer applications/services may separate such as an independent microservice.  • Some applications/services utilize embedded rule engines such as Drools.  • Some applications/services utilize proprietary entitlement systems for evaluations.

Responsibility Management Service A solution to manage dynamic privileges and
entitlements

Information Classification: Public 15 Responsibility Management Cycle Policy   Administration
(Authoring & Storage) Policy Distribution  (Dissemination) Policy   Decision  (Evaluation) Policy   Enforcement  (Usage) Policy Reconciliation  (Maintenance) Responsibility Management is performed via policies Policies have a lifecycle * More detailed flow in appendix

Information Classification: Public Information Classification: Public 16 Responsibility Management System
(RMS) – The Right Solution A Responsibility Management System that: • federates the calls to LDAP, Active Directory, and other services as integrated services  • provides appropriate mapping of roles and responsibilities, per domain  • provides for user to role mapping, per organization per domain  • provides proper SDLC and audit mechanism for policies per domain, to author and deploy

Information Classification: Public Information Classification: Public 17 Responsibility Management System
(RMS) – The Right Solution (continued…) A Responsibility Management System that: • provides for a built-in policy engine to evaluate complex calculations/functions using:  • data provided as inputs by service-consumer  • data queried from integrated services  • policies provided by the domains  • caters to applying a mover/leaver/joiner logic to all controlled datasets  • provides horizontal scaling and thus, high availability for varying request volumes

Information Classification: Public 18 BEFORE RMS Custom Service DROOLS APP
a APP b APP n Entitlement  System URM DB RRM Roles  System RRM App Logic App Logic App Logic APP m App Logic LDAP Client User Svc Client User Svc Client AD Client User Svc Client LDAP Client AD Client LDAP AD User Svc RRM URM Role Responsibility Mapping User Role Mapping URM via service, RRM via persistence URM via persistence, RRM via service  Custom Service for policies URM via persistence, RRM via persistence  Batch job to manage Users. URM via persistence, RRM via persistence  Drools rules for policies DB URM DB URM RRM DB URM RRM . . .

Information Classification: Public 18 BEFORE RMS Custom Service DROOLS APP
a APP b APP n Entitlement  System URM DB RRM Roles  System RRM App Logic App Logic App Logic APP m App Logic LDAP Client User Svc Client User Svc Client AD Client User Svc Client LDAP Client AD Client LDAP AD User Svc RRM URM Role Responsibility Mapping User Role Mapping URM via service, RRM via persistence URM via persistence, RRM via service  Custom Service for policies URM via persistence, RRM via persistence  Batch job to manage Users. URM via persistence, RRM via persistence  Drools rules for policies Decentralized Policies. Auditing is per-app. Bespoke User Mgmt. DB URM DB URM RRM DB URM RRM . . .

Information Classification: Public 19 WITH AN RMS APP a APP
b APP n App Logic App Logic App Logic APP m App Logic LDAP AD User Svc RRM URM Role Responsibility Mapping User Role Mapping R M S RMS Client RMS Client RMS Client RMS Client DB DB DB DB . . . Policy Policy . . . Policy Policy Custom Service DROOLS Entitlement  System URM Roles  System RRM RRM URM Role   Service

Information Classification: Public 19 WITH AN RMS APP a APP
b APP n App Logic App Logic App Logic APP m App Logic LDAP AD User Svc RRM URM Role Responsibility Mapping User Role Mapping Centralized Policies. Centralized Auditing. Centralized User Mgmt. R M S RMS Client RMS Client RMS Client RMS Client DB DB DB DB . . . Policy Policy . . . Policy Policy Custom Service DROOLS Entitlement  System URM Roles  System RRM RRM URM Role   Service

Technologies Used Technology choices for building the   Responsibility Management
Service

Information Classification: Public 21 A case for using Human-Optimized Configuration
Object Notation Payload format: HOCON format for payloads • Intent is to expose GET/POST operations. • POST operations allow for a request body but do not support meaningful caching. • Policy decisions should be queried (non-mutating), thus logically GET operations. • GET operations do not support a request body. • GET operations may be exposed to character limits, large parameter content not possible. • JSON and individual query parameters are quite verbose. • HOCON * trims the parameter verbosity by a significant amount. https://github.com/lightbend/config/blob/master/HOCON.md

Information Classification: Public 22 Benefits of using Human-Optimized Configuration Object
Notation Payload format: HOCON benefits HOCON * • syntax is quite simple and has low ambiguity. • is a superset of JSON. JSON is parsed properly by HOCON parsers. • allows the use of comments. • allows multi-line strings. • allows for includes and substitutions. • has built-in durations (5d or 100ms) https://github.com/lightbend/config/blob/master/HOCON.md

Information Classification: Public 23 Human-Optimized Configuration Object Notation – includes
and substitutions Payload format: HOCON features generic.conf {x: 10, y: ${x}, z: 5s} my.conf {a : { include “generic.conf” } } a.x = 10 a.y = 10 a.z = 5s https://github.com/lightbend/config/blob/master/HOCON.md Substitution Inclusion

Information Classification: Public 24 foo : { bar : {
baz: myvalue } } employee: { firstname: ”Jane" lastname: ”Doe" nested: { loginTimeoutInMilliSeconds: 5000 } fullname: “Jane Doe” } standard-policy: { developer: "yes" operator: false } Sample JSON Sample HOCON foo.bar.baz: myvalue ---- Or ---- foo { bar { baz: myvalue}} employee { firstname: ”Jane" lastname: ”Doe" nested { loginTimeout: 5s } fullname: ${employee.firstname} ${employee.lastname} } standard-policy { developer: "yes" operator: false } Sample comparisons Payload format: HOCON compared to JSON

Information Classification: Public 25 Key highlights • Rich, concise and
readable APIs. • Clear mutable and immutable hierarchies for collection types. • Memory efficient containers. • Optimized eager APIs instead of Java Collection Framework’s lazy APIs. • Improved code readability. • Ease of learning thanks to several Code Katas. Java Collections Library: Eclipse Collections https://www.eclipse.org/collections/

Information Classification: Public 26 Key highlights • Open Policy Agent
(OPA) * is an open source general purpose policy engine. • Uses “rego” (inspired by Datalog) as a declarative native query language. • Policies are written as rulesets (similar to functions). • Policies can be queried as RESTful POST operations. • Data and policy publishing is via RESTful PUT operations. • Can be launched as a library for a service, an independent daemon or as a sidecar. • Decision in RMS was to use OPA as a sidecar. Policy Engine: Open Policy Agent (OPA) https://www.openpolicyagent.org/

Information Classification: Public 27 OpenPolicyAgent usage Open Policy Agent Service
1 Query  +  Data Decision [ { "name": "bucket1", "clients": [ { "name": ”client1", "access": ["READ”, “WRITE”] }, { "name": ”client2", "access": ["WRITE"] } ] }, { "name": "bucket2", "clients": [ { "name": ”client1", "access": [”READ"] } ] } ] package domain1.policy1 import data.domain1.policy1.buckets default allow = false allow { buckets[i].name == input.bucket buckets[i].clients[j].name == input.client buckets[i].clients[j].access[k] == input.access } { input { bucket: "bucket2", client: ”client1", access: "READ" } } http://localhost:8181/v1/data/dom ain1/policy1/allow Policy Data Sidecar Query Payload data.json policy.rego

Architecting the Responsibility Management System A platform solution for Responsibility
Management

Responsibility Management System     Architecture (Version 1)    A
Federated Responsibility Management Service

Information Classification: Public 30 RMS Architecture – Version 1 (Federated)
Domain 1 Dev SCM Build Server Policy Setup Process Domain 2 Dev SCM Build Server . . . Domain 4 Policy 1 tar.gz Domain 3 Policy 1 tar.gz Domain 2 Policy 1 tar.gz Domain 1 Policy 1 Domain x Policy 1 Domain 2 Policy 1 Rule   Repository

Domain 1 Dev SCM Build Server Policy Setup Process Domain 2 Dev SCM Build Server . . . Domain 4 Policy 1 tar.gz Domain 3 Policy 1 tar.gz Domain 2 Policy 1 tar.gz Domain 1 Policy 1 Domain x Policy 1 Domain 2 Policy 1 Rule   Repository User Service LDAP AD RMS Service Policy Information Points (PIPs) RRM URM Role   Service

Domain 1 Dev SCM Build Server Policy Setup Process Domain 2 Dev SCM Build Server . . . Domain 4 Policy 1 tar.gz Domain 3 Policy 1 tar.gz Domain 2 Policy 1 tar.gz Domain 1 Policy 1 Domain x Policy 1 Domain 2 Policy 1 Rule   Repository Responsibility Management User Service LDAP AD RMS Service Policy Information Points (PIPs) RRM URM Role   Service

Domain 1 Dev SCM Build Server Policy Setup Process Domain 2 Dev SCM Build Server . . . Domain 4 Policy 1 tar.gz Domain 3 Policy 1 tar.gz Domain 2 Policy 1 tar.gz Domain 1 Policy 1 Domain x Policy 1 Domain 2 Policy 1 Rule   Repository Open Policy Agent Responsibility Management User Service LDAP AD RMS Service Pull Policy Information Points (PIPs) RRM URM Role   Service

RMS Service Consumers Domain 1 Dev SCM Build Server Policy Setup Process Domain 2 Dev SCM Build Server . . . Domain 4 Policy 1 tar.gz Domain 3 Policy 1 tar.gz Domain 2 Policy 1 tar.gz Domain 1 Policy 1 Domain x Policy 1 Domain 2 Policy 1 Rule   Repository Open Policy Agent Responsibility Management User Service LDAP AD RMS Service Pull Policy Information Points (PIPs) Service 1 . . . Service 2 Service x RRM URM Role   Service

Information Classification: Public 31 Key issues • Segregation and information-barrier
needs implied more work. • A rogue policy script could lead to loss of service for all domains. • RM Service became the gatekeeper for testing and coverage. • RM Service had to establish a release-train model to pick up new policies. • Out-of-band policy changes lead to intermittent service-unavailability. • Observation: Policy changes were more frequent when a new domain onboards. Issues faced with a Federated Policy Management Architecture

Responsibility Management System     Architecture (Version 2)    A
Distributed Responsibility Management Service

Information Classification: Public 33 RMS Architecture – Version 2 (Distributed)
RMS Service Consumers Domain 1 Dev SCM Build Server Policy Setup Process Domain 2 Dev SCM Build Server . . . Domain 4 Policy 1 tar.gz Domain 3 Policy 1 tar.gz Domain 2 Policy 1 tar.gz Domain 1 Policy 1 Domain x Policy 1 Domain 2 Policy 1 Rule   Repository Service 1 . . . User Service LDAP AD RMS Service Policy Information Points (PIPs) Service 2 Service x RRM URM Role   Service

RMS Service Consumers Domain 1 Dev SCM Build Server Policy Setup Process Domain 2 Dev SCM Build Server . . . Domain 4 Policy 1 tar.gz Domain 3 Policy 1 tar.gz Domain 2 Policy 1 tar.gz Domain 1 Policy 1 Domain x Policy 1 Domain 2 Policy 1 Rule   Repository Policy Administration Service (PAS) Service 1 . . . User Service LDAP AD RMS Service Policy Information Points (PIPs) Service 2 Service x RRM URM Role   Service

RMS Service Consumers Domain 1 Dev SCM Build Server Policy Setup Process Domain 2 Dev SCM Build Server . . . Domain 4 Policy 1 tar.gz Domain 3 Policy 1 tar.gz Domain 2 Policy 1 tar.gz Domain 1 Policy 1 Domain x Policy 1 Domain 2 Policy 1 Rule   Repository Policy Administration Service (PAS) Service 1 . . . User Service LDAP AD RMS Service Policy Information Points (PIPs) Role/Resp., User/Role Mappings Service 2 Service x RRM URM Role   Service

RMS Service Consumers Domain 1 Dev SCM Build Server Policy Setup Process Domain 2 Dev SCM Build Server . . . Domain 4 Policy 1 tar.gz Domain 3 Policy 1 tar.gz Domain 2 Policy 1 tar.gz Domain 1 Policy 1 Domain x Policy 1 Domain 2 Policy 1 Rule   Repository Policy Administration Service (PAS) Service 1 . . . User Service LDAP AD RMS Service Policy Information Points (PIPs) Role/Resp., User/Role Mappings Role/Resp. (RR), User/Role (UR)     Mappings Service 2 Service x RRM URM Role   Service

RMS Service Consumers Domain 1 Dev SCM Build Server Policy Setup Process Domain 2 Dev SCM Build Server . . . Domain 4 Policy 1 tar.gz Domain 3 Policy 1 tar.gz Domain 2 Policy 1 tar.gz Domain 1 Policy 1 Domain x Policy 1 Domain 2 Policy 1 Rule   Repository Policy Administration Service (PAS) Service 1 . . . User Service LDAP AD RMS Service Policy Information Points (PIPs) Publish Policy Role/Resp., User/Role Mappings Role/Resp. (RR), User/Role (UR)     Mappings Service 2 Service x RRM URM Role   Service

RMS Service Consumers Domain 1 Dev SCM Build Server Policy Setup Process Domain 2 Dev SCM Build Server . . . Domain 4 Policy 1 tar.gz Domain 3 Policy 1 tar.gz Domain 2 Policy 1 tar.gz Domain 1 Policy 1 Domain x Policy 1 Domain 2 Policy 1 Rule   Repository Policy Administration Service (PAS) Service 1 . . . User Service LDAP AD RMS Service Policy Information Points (PIPs) Policy Bundles  Repository Publish Policy Role/Resp., User/Role Mappings Role/Resp. (RR), User/Role (UR)     Mappings Policy Bundles    Policy + RR & UR Mappings Service 2 Service x RRM URM Role   Service

RMS Service Consumers Domain 1 Dev SCM Build Server Policy Setup Process Domain 2 Dev SCM Build Server . . . Domain 4 Policy 1 tar.gz Domain 3 Policy 1 tar.gz Domain 2 Policy 1 tar.gz Domain 1 Policy 1 Domain x Policy 1 Domain 2 Policy 1 Rule   Repository Policy Administration Service (PAS) Service 1 . . . User Service LDAP AD RMS Service Policy Information Points (PIPs) Policy Distribution Service (PDS) Policy Bundles  Repository Publish Policy Role/Resp., User/Role Mappings Role/Resp. (RR), User/Role (UR)     Mappings Policy Bundles    Policy + RR & UR Mappings Service 2 Service x RRM URM Role   Service

RMS Service Consumers Domain 1 Dev SCM Build Server Policy Setup Process Domain 2 Dev SCM Build Server . . . Domain 4 Policy 1 tar.gz Domain 3 Policy 1 tar.gz Domain 2 Policy 1 tar.gz Domain 1 Policy 1 Domain x Policy 1 Domain 2 Policy 1 Rule   Repository Policy Administration Service (PAS) Service 1 . . . User Service LDAP AD RMS Service Policy Information Points (PIPs) Policy Distribution Service (PDS) Policy Bundles  Repository Publish Policy Role/Resp., User/Role Mappings Role/Resp. (RR), User/Role (UR)     Mappings Policy Bundles    Policy + RR & UR Mappings Service 2 Service x Open Policy Agent Open Policy Agent Open Policy Agent Sidecar Sidecar Sidecar RRM URM Role   Service

RMS Service Consumers Domain 1 Dev SCM Build Server Policy Setup Process Domain 2 Dev SCM Build Server . . . Domain 4 Policy 1 tar.gz Domain 3 Policy 1 tar.gz Domain 2 Policy 1 tar.gz Domain 1 Policy 1 Domain x Policy 1 Domain 2 Policy 1 Rule   Repository Policy Administration Service (PAS) Service 1 . . . User Service LDAP AD RMS Service Policy Information Points (PIPs) Policy Distribution Service (PDS) Policy Bundles  Repository Publish Policy Role/Resp., User/Role Mappings Role/Resp. (RR), User/Role (UR)     Mappings Policy Bundles    Policy + RR & UR Mappings Service 2 Service x Open Policy Agent Open Policy Agent Open Policy Agent Policy Bundles Policy Reference Data Sidecar Sidecar Sidecar RRM URM Role   Service

Information Classification: Public 34 Comparing Version 1 (federated single policy
engine) with Version 2 (distributed policy engines) Benefits of a Distributed Policy Management Architecture V1 Federated Policy Engine V2 Distributed Policy Engine Segregation and Information Barriers Requires additional work Is implicit, no additional work Impact of a rogue policy script Outage for all domains Outage only for the specific domain Gatekeeping for testing and coverage Requires RMS to be the gatekeeper Requires domain to be the gatekeeper Strategy for new and updated policies Needed a Release Train model A domain can push policies on-demand Impact of ad-hoc policy changes RMS Downtime for all domains RMS Downtime for the changed domain Implicit RBAC Support - Available

Information Classification: Public 35 Policy Bundles Repository Policy bundles repository
stored enriched policy archives.  Enriched policy bundles are archives that contain: • Policy file(s), specific to the domain. • Policy static data, specific to the domain. • Standard RMS OPA policy rego files common across all domains.

Information Classification: Public 36 Policy Bundles Repository Folder structure in
policy bundles repository :  - <domain> - <policy> - <version> - <policy bundles> Example:  - domain1 - policy1 - 1.0.0 - enriched-opa-bundle.tar.gz

Information Classification: Public 37 How the Policy Agent is setup
•Open Policy Agent (the executable) •Open Policy Agent – Configuration •Open Policy Agent – Dockerfile command

– Configuration files OPA Configuration file (located at ${configPath}) services: - name: domainPolicies url: policyDistributionServiceUrl/ allow_insecure_tls: true bundle: name: policyDomain/policyName/policyVersion service: domainPolicies polling: min_delay_seconds: minDelaySeconds max_delay_seconds: maxDelaySeconds Environment   Variables

– Dockerfile command OPA launch command (used in the Dockerfile) exec ./opa run --server --log-level=debug –c ${configPath}

Information Classification: Public 40 RBAC Policy Library package rbac user_has_responsibility(userId,
action, resource) {  role := roles[_]    responsibility := role.responsibilities[_]  does_resource_match(resource, responsibility)    responsibility.actions[_] = action    is_user_a_member(userId, role)  } is_user_a_member(userId, role) { ...  } package application1    default allow = false    allow {  data.rbac.user_has_responsibility(  input.userid, input.action,   input.service)  } {  "name": ”App User",  "responsibilities": [  {  "resource":  "service.1",  "actions": [  "provision"  ]  },  {  "resource":   "service.2",  "actions": [  "provision"  ]  }  ],  "members": [  "EVERYONE"  ] } { "name": ”App Admin", "responsibilities": [ { "resource":   "regexp:service\\..*", "actions": [ "create", "update", "delete", "view" ] } ], "members": [ "org:abc" ] } Application Policy Sample Role Data Excerpts rbac.rego policy.rego data.json

OPA IntelliJ Plugin A development tool for OPA language

Information Classification: Public 42 OPA IntelliJ Plugin • OPA IntelliJ
Plugin is functional work-in-progress policy editor. • The editor parses and validates OPA policy. • Relies on the OPA language reference linked * below. • Can be customized for editor color schemes in IntelliJ. • Work continues on indentation, run configurations and variable tracking. https://www.openpolicyagent.org/docs/latest/language-reference/

Information Classification: Public 43 Before & After

Information Classification: Public 44 OPA language validation

Information Classification: Public 45 OPA language validation

Information Classification: Public 46 OPA editor plugin color scheme Select 
• Preferences – Editor > Color Scheme ▪ Open Policy Agent

Information Classification: Public Information Classification: Public 47 In Summary •
Responsibility Management as a Service can resolve issues on several fronts. • Choice of a payload format (HOCON over JSON or XML) can help control verbosity. • Choice of architecture (federated versus distributed) can help determine resilience. • Distributed policy engines can alleviate back-pressure and volume demands. • Distributed policy engines can reduce outages and maintenance-related downtimes. • Creating a policy editor plugin can help boost productivity.

Information Classification: Public Information Classification: Public 48 Links • HOCON 
https://github.com/lightbend/config/blob/master/HOCON.md • Eclipse Collections  https://www.eclipse.org/collections/ • Open Policy Agent  https://www.openpolicyagent.org/

Information Classification: Public 49 ?

Information Classification: Public 51 Enterprise Roles  and Responsibilities Policy  
Authoring Policy &   Static Data Policy &   Static Data User/App/Service  Input Data Policy Access  Review/Certification Reference   Data Updated  Reference   Data Access Fulfilment Reference   Data Appendix: Understanding Responsibility Management Policy Administration Point • Policy Authoring • Policy Storage • Policy Audit/Report Privileged Business  Functions Policy Distribution Point • Policy Bundling • Policy Distribution Policy Evaluation Point • Policy Procurement • Policy Evaluation Policy Enforcement Point • Policy Invocation • Policy Application • Policy Dynamic Inputs Policy Information Point • Policy Reference Data • Policy Entitlements • Policy Identities Access Reconciliation  Review & Certification • Entitlements Discovery • Access Reconciliation • Access Certification Managed Provisioning • Workflows • Downstream Fulfilment 1 2 3 3 3

Beyond Entitlements for Cloud-Native

Beyond Entitlements for Cloud-Native

More Decks by Chandra Guntur

Other Decks in Technology

Featured

Transcript