Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Facilitate OPA decision correlation with business flows #3041

Merged
merged 16 commits into from
Jun 24, 2024
Merged

Facilitate OPA decision correlation with business flows #3041

merged 16 commits into from
Jun 24, 2024

Conversation

JanardhanSharma
Copy link
Collaborator

@JanardhanSharma JanardhanSharma commented Apr 25, 2024
edited
Loading

Context

Problem

Currently there is no recommended way of correlating OPA decisions with execution flows. This leaves the OPA integrators to take different approaches which could carry security risks and break as the platform evolves.

Correlation is required by two main use cases,

  • Troubleshooting - If a particular flow fails, engineers are enabled to isolate the related OPA decisions and see if it impacted the failure.
  • Fine tune policies - To understand the impact of policy in relation to business events analysis the decision logs published to Data Lake.

Solution

Improve the Skipper filter opaAuthorizeRequest to inject decisionID as an input to the policy. Add a new attribute to the filterMetadata called open_policy_agent and under that add the decision_id.

{
   "input":{
      "attributes":{
         "metadataContext":{
            "filterMetadata":{
               "open_policy_agent":{
                  "decision_id":"xxx.xx.xxx.xxx"
               }
            }
         },
         "request":{
         }
      }
   }
}

Similar solution for Envoy exists: open-policy-agent/opa#6519
Ref: dynamic meta-data

Changes

Decision id is added to the request object and is available to be used in the policies.

@szuecs
Copy link
Member

szuecs commented Apr 26, 2024
edited
Loading

@JanardhanSharma please sign off your commits use -s, that's required for DCO.
The issue link was non public. Please copy the description to the public such that it's self contained.
Thanks!

@JanardhanSharma JanardhanSharma force-pushed the facilitate-OPA-decision-correlation-with-business-flows branch from d3e8c4c to 43f11eb Compare April 26, 2024 11:58
@JanardhanSharma JanardhanSharma requested a review from szuecs April 26, 2024 11:59
@szuecs szuecs added the minor no risk changes, for example new filters label Apr 26, 2024
Janardhan Sharma and others added 8 commits April 26, 2024 19:04
Facilitate OPA decision correlation with business flows
84ad4a0 
Signed-off-by: Janardhan Sharma <[email protected]>
@JanardhanSharma
review comment
e5786f6 
Signed-off-by: Janardhan Sharma <[email protected]>
@JanardhanSharma
review comment - import variable renamed
db3b2ea 
Signed-off-by: Janardhan Sharma <[email protected]>
@mjungsbluth
OPA: Add tracing for outbound http calls (zalando#3034)
059e727 
Signed-off-by: Magnus Jungsbluth <[email protected]>
Signed-off-by: Janardhan Sharma <[email protected]>
@AlexanderYastrebov
Specify tracing span kind on creation (zalando#3039)
bb88e1f 
OpenTelemetry-OpenTracing bridge span kind can not be changed after creation,
see open-telemetry/opentelemetry-go#3953

The workaround is to specify span kind on creation which works for
both Open Tracing and Open Telemetry bridge spans.

Note that this change removes non-standard "shedder" kind from spans created by `admissionControl` filter.
Use operation name "admission_control" to query its spans instead if needed.

For zalando#2104

Signed-off-by: Alexander Yastrebov <[email protected]>
Signed-off-by: Janardhan Sharma <[email protected]>
@AlexanderYastrebov
config: refactor test defaultConfig (zalando#3042)
bd738f9 
Make `defaultConfig` return configuration equal to one
created from default flags and modified by a helper function
for defining expected test case values.

Signed-off-by: Alexander Yastrebov <[email protected]>
Signed-off-by: Janardhan Sharma <[email protected]>
@JanardhanSharma
Fix static analysis error
727c27f 
Signed-off-by: Janardhan Sharma <[email protected]>
@JanardhanSharma
fix static analysis error. Signed-off-by: Janardhan Sharma <janardhan…
372e51e 
[email protected]>

Signed-off-by: Janardhan Sharma <[email protected]>
@JanardhanSharma JanardhanSharma force-pushed the facilitate-OPA-decision-correlation-with-business-flows branch from 65a1998 to 372e51e Compare April 26, 2024 17:07
@szuecs
Copy link
Member

szuecs commented Apr 29, 2024 

 --- FAIL: TestEval (0.10s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
	panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x22b9568]

goroutine 257 [running]:
testing.tRunner.func1.2({0x2486180, 0x34b9810})
	/opt/hostedtoolcache/go/1.22.2/x64/src/testing/testing.go:1631 +0x3f7
testing.tRunner.func1()
	/opt/hostedtoolcache/go/1.22.2/x64/src/testing/testing.go:1634 +0x6b6
panic({0x2486180?, 0x34b9810?})
	/opt/hostedtoolcache/go/1.22.2/x64/src/runtime/panic.go:770 +0x132
github.com/zalando/skipper/filters/openpolicyagent.metaDataContextDoesNotExist(...)
	/home/runner/work/skipper/skipper/filters/openpolicyagent/evaluation.go:81
github.com/zalando/skipper/filters/openpolicyagent.setDecisionIdInRequest(0xc0006a7800, {0xc000047d80, 0x20})
	/home/runner/work/skipper/skipper/filters/openpolicyagent/evaluation.go:73 +0x68
github.com/zalando/skipper/filters/openpolicyagent.(*OpenPolicyAgentInstance).Eval(0xc00035ef00, {0x29db2d0, 0xc0006a77d0}, 0xc0006a7800)
	/home/runner/work/skipper/skipper/filters/openpolicyagent/evaluation.go:27 +0x2ac
github.com/zalando/skipper/filters/openpolicyagent.TestEval(0xc00071f380)
	/home/runner/work/skipper/skipper/filters/openpolicyagent/openpolicyagent_test.go:424 +0x3d5
testing.tRunner(0xc00071f380, 0x2764af8)
	/opt/hostedtoolcache/go/1.22.2/x64/src/testing/testing.go:1689 +0x21f
created by testing.(*T).Run in goroutine 1
	/opt/hostedtoolcache/go/1.22.2/x64/src/testing/testing.go:1742 +0x826

@JanardhanSharma JanardhanSharma requested a review from szuecs April 29, 2024 21:29
@JanardhanSharma
Copy link
Collaborator Author

@szuecs Could you may be add @mjungsbluth as reviewer as well, please. He can have a quick look as well.

@JanardhanSharma
Copy link
Collaborator Author 

 --- FAIL: TestEval (0.10s)
panic: runtime error: invalid memory address or nil pointer dereference [recovered]
	panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x22b9568]

goroutine 257 [running]:
testing.tRunner.func1.2({0x2486180, 0x34b9810})
	/opt/hostedtoolcache/go/1.22.2/x64/src/testing/testing.go:1631 +0x3f7
testing.tRunner.func1()
	/opt/hostedtoolcache/go/1.22.2/x64/src/testing/testing.go:1634 +0x6b6
panic({0x2486180?, 0x34b9810?})
	/opt/hostedtoolcache/go/1.22.2/x64/src/runtime/panic.go:770 +0x132
github.com/zalando/skipper/filters/openpolicyagent.metaDataContextDoesNotExist(...)
	/home/runner/work/skipper/skipper/filters/openpolicyagent/evaluation.go:81
github.com/zalando/skipper/filters/openpolicyagent.setDecisionIdInRequest(0xc0006a7800, {0xc000047d80, 0x20})
	/home/runner/work/skipper/skipper/filters/openpolicyagent/evaluation.go:73 +0x68
github.com/zalando/skipper/filters/openpolicyagent.(*OpenPolicyAgentInstance).Eval(0xc00035ef00, {0x29db2d0, 0xc0006a77d0}, 0xc0006a7800)
	/home/runner/work/skipper/skipper/filters/openpolicyagent/evaluation.go:27 +0x2ac
github.com/zalando/skipper/filters/openpolicyagent.TestEval(0xc00071f380)
	/home/runner/work/skipper/skipper/filters/openpolicyagent/openpolicyagent_test.go:424 +0x3d5
testing.tRunner(0xc00071f380, 0x2764af8)
	/opt/hostedtoolcache/go/1.22.2/x64/src/testing/testing.go:1689 +0x21f
created by testing.(*T).Run in goroutine 1
	/opt/hostedtoolcache/go/1.22.2/x64/src/testing/testing.go:1742 +0x826

fixed

mjungsbluth
mjungsbluth reviewed May 2, 2024
View reviewed changes
docs/tutorials/auth.md Outdated Show resolved Hide resolved
docs/tutorials/auth.md Outdated Show resolved Hide resolved
filters/openpolicyagent/evaluation.go Outdated Show resolved Hide resolved
filters/openpolicyagent/evaluation.go Outdated Show resolved Hide resolved
filters/openpolicyagent/evaluation.go Outdated Show resolved Hide resolved
filters/openpolicyagent/openpolicyagent_test.go Outdated Show resolved Hide resolved
@szuecs
Copy link
Member

szuecs commented May 6, 2024 

taticcheck -checks "all,-ST1000,-ST1003,-ST1012,-ST1020,-ST1021" ./...
Error: filters/openpolicyagent/openpolicyagent_test.go:18:2: package "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" is being imported more than once (ST1019)
Error: 	filters/openpolicyagent/openpolicyagent_test.go:19:2: other import of "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3"
make: *** [Makefile:138: staticcheck] Error 1
Error: Process completed with exit code 2.

duplicate import fixed
3c12e4b 
Signed-off-by: Janardhan Sharma <[email protected]>
handled error
aef72d0 
Signed-off-by: Janardhan Sharma <[email protected]>
review comments
3307de3 
Signed-off-by: Janardhan Sharma <[email protected]>
@JanardhanSharma JanardhanSharma requested a review from szuecs May 10, 2024 11:08
@szuecs
Copy link
Member

szuecs commented May 14, 2024

👍

@JanardhanSharma
Copy link
Collaborator Author

@AlexanderYastrebov Could you please merge this please. This has been reviewed and approved long back, just left to be merged.

@AlexanderYastrebov
Copy link
Member

AlexanderYastrebov commented Jun 20, 2024
edited
Loading

@JanardhanSharma

Run make check-fmt
make: *** [Makefile:168: check-fmt] Error 1
Error: Process completed with exit code 2.

I think formatting needs to be fixed (via make fmt).

formatting fix
44f5105 
Signed-off-by: Janardhan Sharma <[email protected]>
@JanardhanSharma
Copy link
Collaborator Author

@JanardhanSharma

Run make check-fmt
make: *** [Makefile:168: check-fmt] Error 1
Error: Process completed with exit code 2.

I think formatting needs to be fixed (via make fmt).

fixed. Please go ahead.

@AlexanderYastrebov
Copy link
Member

👍

1 similar comment
@szuecs
Copy link
Member

szuecs commented Jun 24, 2024

👍

@szuecs szuecs merged commit 2a623a9 into zalando:master Jun 24, 2024
10 checks passed
MustafaSaber added a commit to zalando-incubator/kubernetes-on-aws that referenced this pull request Jun 27, 2024
@MustafaSaber
update skipper canary version
a473620 
* build(deps): bump alpine from `77726ef` to `b89d9c9` in /packaging: zalando/skipper#3122
* build(deps): bump docker/build-push-action from 5.4.0 to 6.1.0: zalando/skipper#3124
* build(deps): bump amazonlinux from `0d172f8` to `b0016cb` in /fuzz: zalando/skipper#3125
* Facilitate OPA decision correlation with business flows: zalando/skipper#3041
* config: fix defaultFiltersFlags.String: zalando/skipper#3127
* config: fix defaultFiltersFlags yaml test case: zalando/skipper#3128
* filters/auth: add token validator filter: zalando/skipper#3126
* metrics: register skipper_filter_create_duration_seconds: zalando/skipper#3129
* cmd/skipper: allow exclusion of insecure cipher suites: zalando/skipper#3123

diff zalando/skipper@v0.21.124...v0.21.133
@MustafaSaber MustafaSaber mentioned this pull request Jun 27, 2024
Merged
MustafaSaber added a commit to zalando-incubator/kubernetes-on-aws that referenced this pull request Jun 27, 2024
@MustafaSaber
Merge pull request #7757 from zalando-incubator/skipper/update-canary…
2470e9a 
…-version

skipper: update canary version to v0.21.133

* build(deps): bump alpine from `77726ef` to `b89d9c9` in /packaging: zalando/skipper#3122
* build(deps): bump docker/build-push-action from 5.4.0 to 6.1.0: zalando/skipper#3124
* build(deps): bump amazonlinux from `0d172f8` to `b0016cb` in /fuzz: zalando/skipper#3125
* Facilitate OPA decision correlation with business flows: zalando/skipper#3041
* config: fix defaultFiltersFlags.String: zalando/skipper#3127
* config: fix defaultFiltersFlags yaml test case: zalando/skipper#3128
* filters/auth: add token validator filter: zalando/skipper#3126
* metrics: register skipper_filter_create_duration_seconds: zalando/skipper#3129
* cmd/skipper: allow exclusion of insecure cipher suites: zalando/skipper#3123

diff zalando/skipper@v0.21.124...v0.21.133
MustafaSaber added a commit to zalando-incubator/kubernetes-on-aws that referenced this pull request Jun 27, 2024
@MustafaSaber
skipper: update main fleet version to v0.21.133
cecb07a 
* build(deps): bump alpine from `77726ef` to `b89d9c9` in /packaging: zalando/skipper#3122
* build(deps): bump docker/build-push-action from 5.4.0 to 6.1.0: zalando/skipper#3124
* build(deps): bump amazonlinux from `0d172f8` to `b0016cb` in /fuzz: zalando/skipper#3125
* Facilitate OPA decision correlation with business flows: zalando/skipper#3041
* config: fix defaultFiltersFlags.String: zalando/skipper#3127
* config: fix defaultFiltersFlags yaml test case: zalando/skipper#3128
* filters/auth: add token validator filter: zalando/skipper#3126
* metrics: register skipper_filter_create_duration_seconds: zalando/skipper#3129
* cmd/skipper: allow exclusion of insecure cipher suites: zalando/skipper#3123

diff zalando/skipper@v0.21.124...v0.21.133

depends on #7757
@MustafaSaber MustafaSaber mentioned this pull request Jun 27, 2024
Merged
MustafaSaber added a commit to zalando-incubator/kubernetes-on-aws that referenced this pull request Jun 27, 2024
@MustafaSaber
skipper: update main fleet version to v0.21.133
291e443 
* build(deps): bump alpine from `77726ef` to `b89d9c9` in /packaging: zalando/skipper#3122
* build(deps): bump docker/build-push-action from 5.4.0 to 6.1.0: zalando/skipper#3124
* build(deps): bump amazonlinux from `0d172f8` to `b0016cb` in /fuzz: zalando/skipper#3125
* Facilitate OPA decision correlation with business flows: zalando/skipper#3041
* config: fix defaultFiltersFlags.String: zalando/skipper#3127
* config: fix defaultFiltersFlags yaml test case: zalando/skipper#3128
* filters/auth: add token validator filter: zalando/skipper#3126
* metrics: register skipper_filter_create_duration_seconds: zalando/skipper#3129
* cmd/skipper: allow exclusion of insecure cipher suites: zalando/skipper#3123

diff zalando/skipper@v0.21.124...v0.21.133

depends on #7757
AlexanderYastrebov added a commit that referenced this pull request Jul 2, 2024
@AlexanderYastrebov
Revert "Facilitate OPA decision correlation with business flows (#3041)"
9c3255d 
This reverts commit 2a623a9.

The code panics with:
```
fatal error: concurrent map writes
goroutine 191993 [running]:
github.com/zalando/skipper/filters/openpolicyagent.setDecisionIdInRequest(0x4004494720, {0x40067c6440?, 0x10?})
github.com/zalando/skipper/filters/openpolicyagent/evaluation.go:92 +0xe4
github.com/zalando/skipper/filters/openpolicyagent.(*OpenPolicyAgentInstance).Eval(0x40059ef400, {0x16b6bb0, 0x40044946c0}, 0x4004494720)
github.com/zalando/skipper/filters/openpolicyagent/evaluation.go:27 +0x164
github.com/zalando/skipper/filters/openpolicyagent/opaauthorizerequest.(*opaAuthorizeRequestFilter).Request(0x4002234520, {0x16ccd90, 0x40091ca100})
github.com/zalando/skipper/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest.go:131 +0x1a4
```

Signed-off-by: Alexander Yastrebov <[email protected]>
AlexanderYastrebov added a commit that referenced this pull request Jul 2, 2024
@AlexanderYastrebov
Revert "Facilitate OPA decision correlation with business flows (#3041)…
44fd905 
…" (#3138)

This reverts commit 2a623a9.

The code panics with:
```
fatal error: concurrent map writes
goroutine 191993 [running]:
github.com/zalando/skipper/filters/openpolicyagent.setDecisionIdInRequest(0x4004494720, {0x40067c6440?, 0x10?})
github.com/zalando/skipper/filters/openpolicyagent/evaluation.go:92 +0xe4
github.com/zalando/skipper/filters/openpolicyagent.(*OpenPolicyAgentInstance).Eval(0x40059ef400, {0x16b6bb0, 0x40044946c0}, 0x4004494720)
github.com/zalando/skipper/filters/openpolicyagent/evaluation.go:27 +0x164
github.com/zalando/skipper/filters/openpolicyagent/opaauthorizerequest.(*opaAuthorizeRequestFilter).Request(0x4002234520, {0x16ccd90, 0x40091ca100})
github.com/zalando/skipper/filters/openpolicyagent/opaauthorizerequest/opaauthorizerequest.go:131 +0x1a4
```

Signed-off-by: Alexander Yastrebov <[email protected]>
MustafaSaber added a commit to zalando-incubator/kubernetes-on-aws that referenced this pull request Jul 2, 2024
@MustafaSaber
skipper: update main fleet version to v0.21.139
59807a3 
* build(deps): bump alpine from `77726ef` to `b89d9c9` in /packaging: zalando/skipper#3122
* build(deps): bump docker/build-push-action from 5.4.0 to 6.1.0: zalando/skipper#3124
* build(deps): bump amazonlinux from `0d172f8` to `b0016cb` in /fuzz: zalando/skipper#3125
* Facilitate OPA decision correlation with business flows: zalando/skipper#3041
* config: fix defaultFiltersFlags.String: zalando/skipper#3127
* config: fix defaultFiltersFlags yaml test case: zalando/skipper#3128
* filters/auth: add token validator filter: zalando/skipper#3126
* metrics: register skipper_filter_create_duration_seconds: zalando/skipper#3129
* cmd/skipper: allow exclusion of insecure cipher suites: zalando/skipper#3123
* Revert "Facilitate OPA decision correlation with business flows (#3041)": zalando/skipper#3138
* build(deps): bump docker/build-push-action from 6.1.0 to 6.2.0: zalando/skipper#3134
* dependabot: group GoLang dependencies update: zalando/skipper#3136
* build(deps): bump github.com/open-policy-agent/opa from 0.65.0 to 0.66.0: zalando/skipper#3135
* build(deps): bump amazonlinux from `b0016cb` to `5bf7910` in /fuzz: zalando/skipper#3133
* metrics: refactor prometheus metric registration: zalando/skipper#3132

diff zalando/skipper@v0.21.124...v0.21.139

depends on #7786
MustafaSaber added a commit to zalando-incubator/kubernetes-on-aws that referenced this pull request Jul 2, 2024
@MustafaSaber
skipper: update main fleet version to v0.21.139
9847f31 
* build(deps): bump alpine from `77726ef` to `b89d9c9` in /packaging: zalando/skipper#3122
* build(deps): bump docker/build-push-action from 5.4.0 to 6.1.0: zalando/skipper#3124
* build(deps): bump amazonlinux from `0d172f8` to `b0016cb` in /fuzz: zalando/skipper#3125
* Facilitate OPA decision correlation with business flows: zalando/skipper#3041
* config: fix defaultFiltersFlags.String: zalando/skipper#3127
* config: fix defaultFiltersFlags yaml test case: zalando/skipper#3128
* filters/auth: add token validator filter: zalando/skipper#3126
* metrics: register skipper_filter_create_duration_seconds: zalando/skipper#3129
* cmd/skipper: allow exclusion of insecure cipher suites: zalando/skipper#3123
* Revert "Facilitate OPA decision correlation with business flows (#3041)": zalando/skipper#3138
* build(deps): bump docker/build-push-action from 6.1.0 to 6.2.0: zalando/skipper#3134
* dependabot: group GoLang dependencies update: zalando/skipper#3136
* build(deps): bump github.com/open-policy-agent/opa from 0.65.0 to 0.66.0: zalando/skipper#3135
* build(deps): bump amazonlinux from `b0016cb` to `5bf7910` in /fuzz: zalando/skipper#3133
* metrics: refactor prometheus metric registration: zalando/skipper#3132

diff zalando/skipper@v0.21.124...v0.21.139

depends on #7786
MustafaSaber added a commit to zalando-incubator/kubernetes-on-aws that referenced this pull request Jul 2, 2024
@MustafaSaber
skipper: update main fleet version to v0.21.139
eaaf541 
* build(deps): bump alpine from `77726ef` to `b89d9c9` in /packaging: zalando/skipper#3122
* build(deps): bump docker/build-push-action from 5.4.0 to 6.1.0: zalando/skipper#3124
* build(deps): bump amazonlinux from `0d172f8` to `b0016cb` in /fuzz: zalando/skipper#3125
* Facilitate OPA decision correlation with business flows: zalando/skipper#3041
* config: fix defaultFiltersFlags.String: zalando/skipper#3127
* config: fix defaultFiltersFlags yaml test case: zalando/skipper#3128
* filters/auth: add token validator filter: zalando/skipper#3126
* metrics: register skipper_filter_create_duration_seconds: zalando/skipper#3129
* cmd/skipper: allow exclusion of insecure cipher suites: zalando/skipper#3123
* Revert "Facilitate OPA decision correlation with business flows (#3041)": zalando/skipper#3138
* build(deps): bump docker/build-push-action from 6.1.0 to 6.2.0: zalando/skipper#3134
* dependabot: group GoLang dependencies update: zalando/skipper#3136
* build(deps): bump github.com/open-policy-agent/opa from 0.65.0 to 0.66.0: zalando/skipper#3135
* build(deps): bump amazonlinux from `b0016cb` to `5bf7910` in /fuzz: zalando/skipper#3133
* metrics: refactor prometheus metric registration: zalando/skipper#3132

diff zalando/skipper@v0.21.124...v0.21.139

depends on #7786
@AlexanderYastrebov AlexanderYastrebov mentioned this pull request Jul 23, 2024
Merged
@MustafaSaber MustafaSaber mentioned this pull request Aug 1, 2024
Closed
@zalando-teapot-robot zalando-teapot-robot mentioned this pull request Sep 23, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Pushpalanka Pushpalanka Pushpalanka left review comments

@mjungsbluth mjungsbluth Awaiting requested review from mjungsbluth

@szuecs szuecs Awaiting requested review from szuecs

Assignees
No one assigned
Labels
minor no risk changes, for example new filters
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@JanardhanSharma @szuecs @AlexanderYastrebov @Pushpalanka @mjungsbluth