To configure a policy, write it in Rego and push it to a GitHub repository. That repository is then referenced from the controlplane config file.
Sample controlplane config with policy_repo:
postgres_host: "streak-production-final.cyym8n3wehdv.ap-south-1.rds.amazonaws.com"
postgres_port: "5432"
database_name: "inspektor"
postgres_username: "postgres"
postgres_password: "asdfasdfasdfasdf"
jwt_key: "caslkdmcalsmdfqd123134234"
policy_repo: "https://github.com/Streak-Tech/datapolicy.git"
github_access_token: "xxxxxxxxxxxxxxxxx"
The policy_repo property points to the policy repository. If you are using a private repository, you must also provide github_access_token, a GitHub personal access token with read access to that repository, which can be retrieved by following this link. The token and the database credentials in this file are secrets: keep the controlplane config out of version control, and in particular out of the policy repository itself.
In your GitHub repository, create a file called policy.rego and paste the following policy:
package inspektor.resource.acl

# Deny by default. The rules below only produce allow == true or a
# non-empty attribute set when a matching permission exists.
default allow = false
default protected_attributes = []
default allowed_attributes = []

# role_permission maps a group name to a list of datasource entries, and each
# datasource to the permissions for every action (insert, update, copy, view).
# Attribute names are dotted paths such as database.schema.table.column.
# Note: in Rego `{}` is an empty object, not an empty set; use set() for an
# empty attribute set so that union() below always receives a set of sets.
role_permission := {
    "support": [{"postgres-prod": {
        "insert": {"allowed": false, "allowed_attributes": {"postgres.public.kits"}},
        "update": {"allowed": true, "allowed_attributes": {
            "prod.public.claimed_items.delivered",
            "prod.public.claimed_items.shipped",
        }},
        "copy": {
            "allowed": true, "allowed_attributes": {
                "prod.public.shipment_trackings",
                "prod.public.coupon_items",
            },
            "protected_attributes": set(),
        },
        "view": {"allowed": true, "protected_attributes": {"prod.public.kits"}},
    }}],
    "dev": [{"postgres-prod": {
        "insert": {"allowed": false, "allowed_attributes": {"postgres.public.kits"}},
        "update": {"allowed": true, "allowed_attributes": {
            "streakproduction.public.claimed_items.shipped",
            "streakproduction.public.claimed_items.delivered",
            "ftlc.users",
            "streakproduction.public.kids.gender",
            "streakproduction.public.system_configs",
            "prod.public.system_configs",
        }},
        "copy": {
            "allowed": true, "allowed_attributes": {
                "streakproduction.public.shipment_trackings",
                "streakproduction.public.coupon_items",
            },
            "protected_attributes": set(),
        },
        "view": {"allowed": true, "protected_attributes": {"streakproduction.email"}},
    }}]
}

# The request is allowed if any matching permission has allowed: true.
allow {
    permissions[_].allowed
}

# Union of allowed_attributes over every matching permission.
allowed_attributes = union(attributes) {
    attributes := {attribute | attribute := permissions[_].allowed_attributes}
}

# Union of protected_attributes over every matching permission.
protected_attributes = union(attributes) {
    attributes := {attribute | attribute := permissions[_].protected_attributes}
}

# The permission entry for input.datasource / input.action from each
# matching resource.
permissions[permission] {
    permission = resources[_][input.datasource][input.action]
}

# Every datasource entry of every group the caller belongs to.
resources[resource] {
    resource = role_permission[input.groups[_]][_]
}
In the above policy, the variable role_permission holds the permissions for each role. A simplified version of role_permission would look like this:
role_permission := {
    "support": [
        {
            "postgres-prod": {
                "insert": {"allowed": false, "allowed_attributes": set()},
                "update": {"allowed": true, "allowed_attributes": {
                    "prod.public.claimed_items.delivered",
                    "prod.public.claimed_items.shipped",
                }},
                "copy": {"allowed": true, "allowed_attributes": {
                    "prod.public.shipment_trackings",
                    "prod.public.coupon_items"},
                    "protected_attributes": set()},
                "view": {"allowed": true, "protected_attributes": {"prod.public.kits"}},
            }}],
}
In role_permission we have defined that the support role has access to the postgres-prod datasource with the following permissions:
- insert is not allowed
- update is allowed only for the columns prod.public.claimed_items.delivered and prod.public.claimed_items.shipped
- copy is allowed for prod.public.shipment_trackings and prod.public.coupon_items, with no protected attributes
- view (SELECT query) is allowed but hides prod.public.kits
An attribute name is a dotted path: prod.public.claimed_items.delivered denotes the prod database, public schema, claimed_items table and delivered column, and prod.public.kits denotes the kits table in the same database and schema.
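The quickest way to confirm that a policy grants exactly what you intend is an OPA test file next to policy.rego. The tests below are an added example, not part of the original page or the inspektor project; they exercise the full policy above (the one with both the support and dev roles) using constructed inputs, and the file name policy_test.rego, the helper constant support_update, and the group "marketing" and datasource "postgres-staging" are assumptions made for the example. The input fields groups, datasource and action are the ones the policy itself reads.

```rego
package inspektor.resource.acl_test

import data.inspektor.resource.acl

# Constructed sample input (example data, not from the page): groups come
# from the caller's identity, datasource and action from the intercepted query.
support_update := {"groups": ["support"], "datasource": "postgres-prod", "action": "update"}

# support may update, but only the two claimed_items columns.
test_support_update_allowed {
    acl.allow with input as support_update
    acl.allowed_attributes == {
        "prod.public.claimed_items.delivered",
        "prod.public.claimed_items.shipped",
    } with input as support_update
}

# insert is explicitly allowed: false, so allow falls back to its default.
test_support_insert_denied {
    not acl.allow with input as {"groups": ["support"], "datasource": "postgres-prod", "action": "insert"}
}

# view is allowed but the kits table is hidden.
test_support_view_hides_kits {
    support_view := {"groups": ["support"], "datasource": "postgres-prod", "action": "view"}
    acl.allow with input as support_view
    acl.protected_attributes == {"prod.public.kits"} with input as support_view
}

# A group missing from role_permission never matches a permission: allow stays
# at its default and both attribute sets are empty.
test_unknown_group_denied {
    unknown := {"groups": ["marketing"], "datasource": "postgres-prod", "action": "view"}
    not acl.allow with input as unknown
    count(acl.allowed_attributes) == 0 with input as unknown
    count(acl.protected_attributes) == 0 with input as unknown
}

# Same for a datasource that is not listed under the caller's group.
test_unknown_datasource_denied {
    not acl.allow with input as {"groups": ["support"], "datasource": "postgres-staging", "action": "view"}
}

# A caller in several groups gets the union: the action is allowed if any
# group allows it, and the protected attributes of all groups are combined.
test_multi_group_unions_attributes {
    multi := {"groups": ["support", "dev"], "datasource": "postgres-prod", "action": "view"}
    acl.allow with input as multi
    acl.protected_attributes == {"prod.public.kits", "streakproduction.email"} with input as multi
}
```

Run it with `opa test -v policy.rego policy_test.rego` from the policy repository before pushing. The multi-group test is the one worth keeping an eye on as the policy grows: because allow is an OR across groups while the attribute sets are unions, adding a user to a second group can only widen what they may do, never narrow it. The policy and these tests use the pre-1.0 Rego syntax (rule bodies without `if`); OPA 1.0 and later reject that syntax unless you pass `--v0-compatible` or add the `if` keyword.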