Information request about store type #153

Closed
floriangasc opened this issue Oct 16, 2021 · 12 comments

Comments


floriangasc commented Oct 16, 2021

What do you think about adding a new disk store type (in addition to mock and opa)?
(Sorry for my English in advance.)

Context

  1. I found it simpler and much more powerful to use the watch file option of OPA than to go through API PUT requests to store data.
  2. Our (old) bundler creates a bundle (an archive with Rego policy and JSON data).
  3. When we found your project I started to implement a custom fetcher,
  4. but, unless I missed something, the watch feature seems easier because there is less temporal coupling: it does not matter in what order OPA / OPAL client (re)start. (And there are some other properties, like no network, bundle properties.)

Problem

  1. Solve the (re)start order problem between OPA and OPAL client
  2. Easier initial state

Inference

  1. Actually there are only two store types: the OPA server itself and the mock.
  2. Adding a new store type, disk, would allow a new OPA / OPAL client integration.
  3. disk can be mounted/prefilled/etc.: the initial state is natural/native/intrinsic
  4. The OPA watch option is really great for updating OPA with new policy data
  5. Bundles have a nice location-decoupling property: (a) the archive can be moved easily anywhere, (b) a single artifact contains policy and data, (c) immutable

Solution

For now, our old code is invoked in a custom fetcher, but it would be great to have something cleaner.

According to my current investigation, I suppose the code should be located in opal_client/policy_store/. I think a new store, disk_store, can be added.

Conclusion

If these 3 assertions hold:

  1. you are interested in this,
  2. my suggestion is not too bad,
  3. I missed nothing,

then

I can try to make a PR.

PS:

  1. In our world, we mainly use Kubernetes, and policy is put in a ConfigMap, but with your project I started investigating a git repo synchronisation (instead of a ConfigMap).
  2. For the bundle creation, in opal-client, I think (naively?) that when data changes we can get the latest policies, and when policies change, we can get the latest data, so the bundle is always up to date.
  3. The old bundler: gets policy from the ConfigMap and data from the DB, then puts them in bundle.tgz

Thanks in advance.


orweis commented Oct 16, 2021

Hi @floriangasc, thank you for your post :)

I'll discuss this with @asafc when he returns from his vacation next week, and get back to you ;)


orweis commented Oct 17, 2021

Hi @floriangasc :) Would it be possible to find some time to talk more about this over Zoom?
We'd love to dive a little deeper here with you.
If relevant - You can grab some time here: https://calendly.com/authorizon/meeting


floriangasc commented Oct 18, 2021

Hi @orweis.

Great. Yes, it's possible. I hope tomorrow I have better planning visibility. I will come back to you as soon as possible.


orweis commented Oct 20, 2021

Hi @floriangasc, just surfacing this back up.

floriangasc commented

@orweis

The task priorities of this week don't give me enough time for this. But the beginning of next week should be OK for me. It's an important subject for us.

Moreover, I would like to try something in a development environment before our meeting.


floriangasc commented Oct 25, 2021

Hi @orweis,

I have continued my investigation of data management in the OPA world.

First phase:

Research

I have found some interesting facts:
open-policy-agent/opa#2589: patrick-east said watch is not designed for production :(. That invalidates this issue.

So I looked at «how to handle bundle updates?», then I found the second list of facts:

Learning

At the same time I have put the OPAL server and OPAL client (custom fetcher) in a development environment (k8s). It confirms there is a little temporal coupling problem and a total bootstrap time issue.

Conclusion

I have made a little decision tree:


                                          bundle vs opal
                               /                                   \
             bundle (native)                                    opal (extern)
          /         |          \                                          |
polling    long polling    reactive                                    reactive

source reactivity:

source long polling

partial update

Second phase

Trying and learning long polling

I have tested OPA long polling on my PC:

  • I already have code for bundling (because before the RAM problem occurred we used the polling provided by OPA).
  • For a POC, with 50 lines of code in the bundle server (OpenResty) it seems to give good results.
  • I continue reflection and investigation; it looks good and promising.
  • But partial update (delta bundle) is missing; it is not merged yet.

Some reflection remains, but long polling seems a good solution for us:

  • bundle properties
  • fewer servers/pieces of infra
  • faster to bootstrap: only OPA is involved.

OPAL: a new integration way?

  • If not using «--watch» but a trigger function (plugin), this issue could be changed to add a new integration between OPAL and OPA: bundle.
  • But because it's not documented, and probably unofficial, I don't know if it's the right time for this.
  • A plugin seems not too time-consuming to develop/maintain: are the results worth it?
  • In the OPAL case: a little sync problem remains between data and policies: because of decoupling, to generate a bundle we have to couple data and policies (get the latest policies if data changes, and get the latest data if policies change).

Conclusion

  • In all cases, the subject of this issue is wrong/bad because the «--watch» option is mainly designed for development, not production environments.
  • Maybe my research can help someone.

If you have any questions, don't hesitate. If you want to have a meeting, no problem (I have very bad English!!!)

Thanks for all again.
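The bundle-based alternative discussed in the comment above (a bundle server polled by OPA with long polling, instead of the development-only `--watch`, plus the disk store the thread mentions), written out as an OPA configuration. This is an added example, not configuration from the issue or from the OPA/OPAL projects; the service URL, bundle path, token variable and storage directory are placeholders, and the disk store was still flagged experimental at the time of the thread.

```yaml
# Added example: OPA config for bundle long polling + disk storage.
# Replaces `opa run --watch` (development only) with a pull-based bundle
# service; OPA keeps serving the last good bundle if the server is down.
services:
  bundle-server:
    url: https://bundle-server.example.internal   # placeholder: host serving bundle.tgz
    credentials:
      bearer:
        token: "${BUNDLE_TOKEN}"                   # placeholder; read from the environment, never inline

bundles:
  authz:
    service: bundle-server
    resource: bundles/authz/bundle.tgz            # placeholder path on the bundle server
    persist: true                                 # cache the last activated bundle across restarts
    polling:
      min_delay_seconds: 10                       # lower bound between polls when nothing changed
      max_delay_seconds: 20                       # upper bound; OPA picks a delay in [min, max]
      long_polling_timeout_seconds: 60            # ask the server to hold the request up to 60s

storage:
  disk:                                           # experimental in OPA at the time of this thread
    directory: /var/lib/opa                       # placeholder; must be writable by the OPA process
    auto_create: true                             # create the directory if missing
```

With `persist: true`, the bundle is written under the disk directory as well, so an OPA restart does not depend on the bundle server or on OPAL client start order.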


asafc commented Oct 26, 2021

Hi @floriangasc :)

OPA bundles are indeed great for some use cases - and the project maintainers are headed in the right direction with delta bundles and long polling. If OPA bundles solve your use case - you should definitely use them! We are OPA fans as well :)

OPAL was designed specifically for live applications with high update frequency with small diffs - which is common with most cloud native apps. OPAL has a few more benefits like the pub/sub model and the high granularity you can gain from topics. For example - if each client needs a slightly different policy and data. We also allow you to scale OPA horizontally with topic sharding to avoid the hard caps on memory per agent.

We would love to zoom with you and learn a bit more about your use case.
Feel free to book a meeting with us by clicking this link.

@asafc asafc closed this as completed Oct 26, 2021

floriangasc commented Oct 27, 2021

Hi @asafc,

I have created a meeting for 2 November at 10h.

According to what we do, bundle and topic are very close: we have one bundle per application/service (ingress gateway, quote service, IdP, and so on). But we can talk more about it at the meeting.

I am not sure bundles will be the final solution. At this time, for our problem, it seems much simpler because

  1. the state is well known, unlike with incremental updates.
  2. faster bootstrap
  3. less coupling at runtime
  4. for RAM we use the OPA disk store, which helps a lot (not unlocked officially, but it seems to give good results in our development environment).

Then it's not perfect, and the OPAL model seems very good. Moreover, it's important to differentiate the next step from the long road/life cycle of this kind of solution (our needs evolve quickly). OPAL and bundles are not incompatible, and OPAL provides a lot of options out of the box.


floriangasc commented Nov 2, 2021

@asafc I have booked a meeting for today at 10h. But it is not in my Calendly.

  1. Is it OK for you?
  2. Or do I have to schedule another?


asafc commented Nov 2, 2021

Hi @floriangasc, I see the invite but it appears at 11am my time. Is one hour from now OK for you?

floriangasc commented

Perfect :)


asafc commented Nov 2, 2021

Hey @floriangasc, I am waiting for you on this link:
https://us02web.zoom.us/j/83071377839

I think you are the host.
