应用开放策略代理 (OPA) 策略

使用中间件对传入的请求应用开放策略代理(OPA)策略。

The Open Policy Agent (OPA) HTTP middleware applys OPA Policies to incoming Dapr HTTP requests. 这可以用来将可重用的授权策略应用到应用终结点。

配置

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Component
  3. metadata:
  4.   name: my-policy
  5.   namespace: default
  6. spec:
  7.   type: middleware.http.opa
  8.   version: v1
  9.   metadata:
  10.     # `includedHeaders` is a comma-separated set of case-insensitive headers to include in the request input.
  11.     # Request headers are not passed to the policy by default. Include to receive incoming request headers in
  12.     # the input
  13.     - name: includedHeaders
  14.       value: "x-my-custom-header, x-jwt-header"
  16.     # `defaultStatus` is the status code to return for denied responses
  17.     - name: defaultStatus
  18.       value: 403
  20.     # `rego` is the open policy agent policy to evaluate. required
  21.     # The policy package must be http and the policy must set data.http.allow
  22.     - name: rego
  23.       value: |
  24.         package http
  26.         default allow = true
  28.         # Allow may also be an object and include other properties
  30.         # For example, if you wanted to redirect on a policy failure, you could set the status code to 301 and set the location header on the response:
  31.         allow = {
  32.             "status_code": 301,
  33.             "additional_headers": {
  34.                 "location": "https://my.site/authorize"
  35.             }
  36.         } {
  37.             not jwt.payload["my-claim"]
  38.         }
  40.         # You can also allow the request and add additional headers to it:
  41.         allow = {
  42.             "allow": true,
  43.             "additional_headers": {
  44.                 "x-my-claim": my_claim
  45.             }
  46.         } {
  47.             my_claim := jwt.payload["my-claim"]
  48.         }
  49.         jwt = { "payload": payload } {
  50.             auth_header := input.request.headers["authorization"]
  51.             [_, jwt] := split(auth_header, " ")
  52.             [_, payload, _] := io.jwt.decode(jwt)
  53.         }

您可以使用 官方 opa playground对策略进行原型设计和实验。 例如,您可以在这里找到上面的示例策略

元数据字段规范

字段详情Example
regoRego策略语言见上文
defaultStatus状态码返回拒绝的响应https://accounts.google.com, https://login.salesforce.com
includedHeaders一组以逗号分隔的不区分大小写的头信息,包含在请求输入中。 默认情况下,请求头不会传递给策略。 在输入中包含接收传入的请求头。“x-my-custom-header, x-jwt-header”

Dapr配置

To be applied, the middleware must be referenced in configuration. See middleware pipelines.

  1. apiVersion: dapr.io/v1alpha1
  2. kind: Configuration
  3. metadata:
  4.   name: appconfig
  5. spec:
  6.   httpPipeline:
  7.     handlers:
  8.     - name: my-policy
  9.       type: middleware.http.opa

输入

这个中间件提供了一个 HTTPRequest 作为输入。

HTTP请求

HTTPRequest 输入包含所有关于传入HTTP请求的透彻信息,但它的正文除外。

  1. type Input struct {
  2.   request HTTPRequest
  3. }
  5. type HTTPRequest struct {
  6.   // The request method (e.g. GET,POST,etc...)
  7.   method string
  8.   // The raw request path (e.g. "/v2/my-path/")
  9.   path string
  10.   // The path broken down into parts for easy consumption (e.g. ["v2", "my-path"])
  11.   path_parts string[]
  12.   // The raw query string (e.g. "?a=1&b=2")
  13.   raw_query string
  14.   // The query broken down into keys and their values
  15.   query map[string][]string
  16.   // The request headers
  17.   // NOTE: By default, no headers are included. You must specify what headers
  18.   // you want to receive via `spec.metadata.includedHeaders` (see above)
  19.   headers map[string]string
  20.   // The request scheme (e.g. http, https)
  21.   scheme string
  22. }
  23.   method string
  24.   // The raw request path (e.g. "/v2/my-path/")
  25.   path string
  26.   // The path broken down into parts for easy consumption (e.g. ["v2", "my-path"])
  27.   path_parts string[]
  28.   // The raw query string (e.g. "?a=1&b=2")
  29.   raw_query string
  30.   // The query broken down into keys and their values
  31.   query map[string][]string
  32.   // The request headers
  33.   // NOTE: By default, no headers are included. You must specify what headers
  34.   // you want to receive via `spec.metadata.includedHeaders` (see above)
  35.   headers map[string]string
  36.   // The request scheme (e.g. http, https)
  37.   scheme string
  38. }

结果

策略必须设置 data.http.allow 带有 boolean 值或者一个 object 值与一个 allow 布尔属性。 true allow 将允许请求 当一个 false 值将以 defaultStatus 指定的状态拒绝请求。 下面的策略,在默认情况下,演示了对所有请求的 403 - Forbidden:

  1. package http
  3. default allow = false

等价于:

  1. package http
  3. default allow = {
  4.   "allow": false
  5. }

更改拒绝的响应状态代码

拒绝请求时,您可以覆盖返回的状态代码。 例如,如果您想退回 401 而不是 403,你可以这样做:

  1. package http
  3. default allow = {
  4.   "allow": false,
  5.   "status_code": 401
  6. }

添加响应头

若要重定向,添加消息头并将 status_code 设置为返回的结果:

  1. package http
  3. default allow = {
  4.   "allow": false,
  5.   "status_code": 301,
  6.   "additional_headers": {
  7.     "Location": "https://my.redirect.site"
  8.   }
  9. }

添加请求头

你也可以在允许的请求上设置额外的头信息:

  1. package http
  3. default allow = false
  5. allow = { "allow": true, "additional_headers": { "X-JWT-Payload": payload } } {
  6.   not input.path[0] == "forbidden"
  7.   // Where `jwt` is the result of another rule
  8.   payload := base64.encode(json.marshal(jwt.payload))
  9. }

结果结构

  1. type Result bool
  2. // or
  3. type Result struct {
  4.   // Whether to allow or deny the incoming request
  5.   allow bool
  6.   // Overrides denied response status code; Optional
  7.   status_code int
  8.   // Sets headers on allowed request or denied response; Optional
  9.   additional_headers map[string]string
  10. }

相关链接