@poonai
Last active July 12, 2022 09:03
policy_explaination.md

# Policy Configuration

To configure a policy, write it in Rego format and push it to a GitHub repository.

Then reference that repository in the control plane config file.

Sample control plane config with `policy_repo`:

```yaml
postgres_host: "streak-production-final.cyym8n3wehdv.ap-south-1.rds.amazonaws.com"
postgres_port: "5432"
database_name: "inspektor"
postgres_username: "postgres"
postgres_password: "asdfasdfasdfasdf"
jwt_key: "caslkdmcalsmdfqd123134234"
policy_repo: "https://github.com/Streak-Tech/datapolicy.git"
github_access_token: "xxxxxxxxxxxxxxxxx"
```

The `policy_repo` property points to the policy repository.

If you are using a private repository, you must also provide `github_access_token`, which can be retrieved by following this link.

## Policy template

In your GitHub repository, create a file called `policy.rego` and paste the following policy:

```rego
package inspektor.resource.acl

default allow = false
default protected_attributes = []
default allowed_attributes = []

# Permissions per role. In Rego `{}` is an empty object, so empty sets are
# written as set() to keep every value a set that union() accepts.
role_permission := {
	"support": [{"postgres-prod": {
		"insert": {"allowed": false, "allowed_attributes": {"postgres.public.kits"}},
		"update": {"allowed": true, "allowed_attributes": {
			"prod.public.claimed_items.delivered",
			"prod.public.claimed_items.shipped",
		}},
		"copy": {
			"allowed": true, "allowed_attributes": {
				"prod.public.shipment_trackings",
				"prod.public.coupon_items",
			},
			"protected_attributes": set(),
		},
		"view": {"allowed": true, "protected_attributes": {"prod.public.kits"}},
	}}],
	"dev": [{"postgres-prod": {
		"insert": {"allowed": false, "allowed_attributes": {"postgres.public.kits"}},
		"update": {"allowed": true, "allowed_attributes": {
			"streakproduction.public.claimed_items.shipped",
			"streakproduction.public.claimed_items.delivered",
			"ftlc.users",
			"streakproduction.public.kids.gender",
			"streakproduction.public.system_configs",
			"prod.public.system_configs",
		}},
		"copy": {
			"allowed": true, "allowed_attributes": {
				"streakproduction.public.shipment_trackings",
				"streakproduction.public.coupon_items",
			},
			"protected_attributes": set(),
		},
		"view": {"allowed": true, "protected_attributes": {"streakproduction.email"}},
	}}],
}

# Allow when any permission matched for the caller's groups has "allowed": true.
allow {
	permissions[_].allowed
}

# Union of allowed_attributes over all matching permissions.
allowed_attributes = union(attributes) {
	attributes := {attribute | attribute := permissions[_].allowed_attributes}
}

# Union of protected_attributes over all matching permissions.
protected_attributes = union(attributes) {
	attributes := {attribute | attribute := permissions[_].protected_attributes}
}

# The permission object for the requested datasource and action, one per matching role entry.
permissions[permission] {
	permission = resources[_][input.datasource][input.action]
}

# Every datasource entry of every group the caller belongs to.
resources[resource] {
	resource = role_permission[input.groups[_]][_]
}
```

## Policy explanation

In the above policy, a variable called `role_permission` holds the permissions for each role.

A simplified version of `role_permission` looks like this:

```rego
role_permission := {
	"support": [{"postgres-prod": {
		"insert": {"allowed": false, "allowed_attributes": set()},
		"update": {"allowed": true, "allowed_attributes": {
			"prod.public.claimed_items.delivered",
			"prod.public.claimed_items.shipped",
		}},
		"copy": {"allowed": true, "allowed_attributes": {
			"prod.public.shipment_trackings",
			"prod.public.coupon_items",
		}, "protected_attributes": set()},
		"view": {"allowed": true, "protected_attributes": {"prod.public.kits"}},
	}}],
}
```

In the `role_permission` object, the `support` role is given access to the `postgres-prod` datasource with the following permissions:

1. `insert` is not allowed
2. `update` is allowed for the following properties: `prod.public.claimed_items.delivered`, `prod.public.claimed_items.shipped`
3. `view` (SELECT query) is allowed but hides the following property: `prod.public.kits`

## How properties work

`prod.public.claimed_items.delivered` names the `prod` database, the `public` schema, the `claimed_items` table and the `delivered` column.
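As an added example that is not part of the original gist, the following OPA unit tests exercise the policy above with constructed inputs (the `support_update`, `both_view` and similar rule names are mine); save it as `policy_test.rego` next to `policy.rego` and run `opa test -v .` on an OPA release that accepts the policy's pre-1.0 rule syntax. It also makes explicit a point the explanation leaves implicit: a user in several groups gets the union of those groups' grants.

```rego
package inspektor.resource.acl

# Constructed inputs (names are mine): a support user and a user in both groups.
support_update := {"groups": ["support"], "datasource": "postgres-prod", "action": "update"}
support_insert := {"groups": ["support"], "datasource": "postgres-prod", "action": "insert"}
support_view := {"groups": ["support"], "datasource": "postgres-prod", "action": "view"}
both_update := {"groups": ["support", "dev"], "datasource": "postgres-prod", "action": "update"}
both_view := {"groups": ["support", "dev"], "datasource": "postgres-prod", "action": "view"}

# update is allowed for support, and only the two whitelisted columns come back.
test_support_update_allowed {
	allow with input as support_update
	allowed_attributes == {
		"prod.public.claimed_items.delivered",
		"prod.public.claimed_items.shipped",
	} with input as support_update
}

# insert has "allowed": false, so the request is denied even though an entry exists.
test_support_insert_denied {
	not allow with input as support_insert
}

# An unknown datasource or group matches no permission, so the default (false) applies.
test_unknown_datasource_or_group_denied {
	not allow with input as {"groups": ["support"], "datasource": "postgres-staging", "action": "view"}
	not allow with input as {"groups": ["finance"], "datasource": "postgres-prod", "action": "view"}
}

# view is allowed, and prod.public.kits is reported as protected (hidden from the result).
test_support_view_hides_kits {
	allow with input as support_view
	protected_attributes == {"prod.public.kits"} with input as support_view
}

# Group membership is additive: allow is true if any group allows the action, and the
# allowed/protected sets are the union over every matching group, so a support user who
# is also in dev can update dev-only columns.
test_multiple_groups_are_unioned {
	allow with input as both_update
	allowed_attributes["ftlc.users"] with input as both_update
	allowed_attributes["prod.public.claimed_items.shipped"] with input as both_update
	protected_attributes == {"prod.public.kits", "streakproduction.email"} with input as both_view
}
```

Because grants only accumulate across groups, review a user's full group list when reasoning about what a policy exposes, not just the most restrictive role.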
