-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
new capability to set a platform mode
#1033
Comments
This looks wise. I have a couple questions:
If the platform has a new service added to its |
Yeah, I kind of snuck it in there. Right now, each service has its own credentials config. But when we're running everything together, it doesn’t really make sense for each service to have its own separate By defining a global |
I think they will be extensible if we keep Services as a map.
Each key in the map could be considered a mode is how I was thinking about it. I think we probably need to try and implement this to really shake the config proposal changes out. |
In my mind the core is the service which you reach out to for networking info. So if a PEP is running in the core that is fine but it will just use the SDK to reach out to the other systems and the platform will negotiate that based on the remotes. If you run the PEP in a microservice it will require knowledge of the core, but that's it. Might be a bit costly to call the core to then be directed to a remote KAS but that's fine for now. Less complexity than having to manage all the URLs of every microservice deployment. |
I don’t think it will be expensive. We already call the platform when creating a new client to get IDP information, and there are always optimizations we can implement in the future. The only other static endpoint, in my mind, would be the authorization service. KAS endpoints will be more dynamic, driven by core policy, so clients will have to reach out to get a full attribute value definition. @jrschumacher Are you suggesting we create a root-level config for core_endpoint or platform_endpoint? |
This pull request helps address #1033 and introducing the concept of a mode. Currently we are starting `opa` for every service. When in practice it is only consumed by the authorization service that is dependent on executing the `rego` policy. In this update, I have removed OPA and instead directly eval the Rego policy, which can be either embedded or passed in via configuration. Until we have clear use cases for the additional management functionality that OPA provides, we can focus on just executing our entitlements policy.
This pr resolves #1033 It introduces two new config values `mode` and `sdk_config` at the root level. It also removes the `enabled` field on a service. Mode now takes a list which could be `all`, `core` or a specific namespaced service for example `kas`. You can also combine modes like `core,kas`. When running in something other than `core` or `all` you are required to specify a `sdk_config` object. This is because the core services will be remote now and not over the internal IPC server.
Currently, when running the platform, we need to explicitly set whether a service is enabled. This works, but as we start to look at running a service like
KAS
independently, we need to consider how to manage this configuration more efficiently. It will become cumbersome if every service within the platform needs to be individually enabled or disabled.Additionally, not every service requires the same tooling. For example,
KAS
does not needopa
, yetopa
is created regardless of the platform configuration.platform/service/pkg/server/start.go
Lines 64 to 69 in c3828d0
First, we need to define what constitutes the core platform.
Core Platform:
The two other services that aren't part of the core are:
Authorization Service
Key Access Service (KAS)
If we agree that these are the main services, we can define the following modes:
As users potentially need to extend or build on top of OpenTDF they could also potentially need to define their own modes as well. This gives us the ability to provide that. So as they add new services under
services
that will essentially become a mode.Current configuration looks something like this where each service is explicitly defined under the services block.
platform/opentdf-dev.yaml
Lines 11 to 39 in c3828d0
In the new approach, the
enabled
field would be removed as everything would be driven by themode
.https://github.com/opentdf/platform/blob/main/service/pkg/serviceregistry/serviceregistry.go#L22
We wouldn't be required to set defaults for those services like we do today.
https://github.com/opentdf/platform/blob/main/service/internal/config/config.go#L27
Example All Mode
Example Core Mode
Example KAS Mode
As an alternative to having a root-level
remote_services
block, we could also consider the following configuration, although it might be more confusing:The text was updated successfully, but these errors were encountered: