Skip to content

Add external Policy Decision Point for Authorization#1170

Merged
danielballan merged 5 commits intomainfrom
add-opa
Dec 17, 2025
Merged

Add external Policy Decision Point for Authorization#1170
danielballan merged 5 commits intomainfrom
add-opa

Conversation

@ZohebShaikh
Copy link
Contributor

@ZohebShaikh ZohebShaikh commented Sep 26, 2025
edited
Loading

Checklist

  • Add a Changelog entry
  • Add the ticket number which this PR closes to the comment section

@ZohebShaikh ZohebShaikh changed the title Add opa Add external Policy Decision Point for Authorization Oct 1, 2025
Base automatically changed from allow-bearer-access-token to main October 15, 2025 17:06
DiamondJoseph
DiamondJoseph previously requested changes Nov 18, 2025
View reviewed changes
@DiamondJoseph
Copy link
Contributor

DiamondJoseph commented Nov 20, 2025

We're aiming to try this out on our test beamline today 🤞
We're deploying OPA with some additional policies we need to add to make this work (the endpoints in the AccessPolicy), and Tiled built from this branch behind the oauth2_proxy service (although it is squatting on another service's DNS)

danielballan
danielballan reviewed Nov 24, 2025
View reviewed changes
Copy link
Member

@danielballan danielballan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How did your local test go?

@nmaytan took a look at this and have some quick comments.

example_configs/keycloak_oidc/policy/rbac/rbac.rego Outdated
"read:data",
"write:data",
"read:metadata",
"write:metadata",
Copy link
Member

@danielballan danielballan Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the intent here to make public nodes world-writable? Generally I would expect world-readable, but not world-writable.

Copy link
Contributor Author

@ZohebShaikh ZohebShaikh Nov 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I will refactor it to make it more clear but the intent is to make public tag world readable

The root node currently is world readable and when a user comes with a tag that allows them to write to this public node can write to it

example_configs/keycloak_oidc/policy/rbac/rbac.rego Outdated
],
"public": [
"read:data",
"write:data",
Copy link
Member

@danielballan danielballan Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This tag configures what unauthenticated requests can do. Generally I would expect those would never be allowed to write (or create, register, delete).

tiled/access_control/access_policies.py Outdated
result: Union[List[str], bool]


class ExternalPolicyDecisionPoint(AccessPolicy):
Copy link
Member

@danielballan danielballan Nov 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nmaytan and I wonder if the TagBasedAccessPolicy could be reused, using the tag_parser argument to inject OPA-specific integration (_get_external_decision). Most of the AccessPolicy interface will be the same across our local solution, OPA, OpenFGA, and others. The TagParser abstraction might be a more tightly-scoped way of injecting framework-specific integration.

Nate will aim to find the bandwidth to implement this suggestion as a PR into your PR. But I mention this now in case you have any immediate thoughts on this.

Copy link
Contributor Author

@ZohebShaikh ZohebShaikh Nov 27, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be a good thing to use the tag_parser but the only thing that concerns me is There are lots of authZ that happens in Tiled ,example

"Cannot apply empty tag list to node: only Tiled admins can apply an empty tag list."

But when you look at the ExternalPolicy it does not checks and just delegates everything to AuthZ to decide ,which I think makes it cleaner separation of concerns

@DiamondJoseph DiamondJoseph changed the base branch from main to fork-publish November 28, 2025 13:28
DiamondJoseph
DiamondJoseph reviewed Nov 28, 2025
View reviewed changes
DiamondJoseph
DiamondJoseph reviewed Dec 8, 2025
View reviewed changes
tiled/access_control/dls.py Outdated
Comment on lines 34 to 36
"session/write_to_beamline_visit",
"session/user_sessions",
"tiled/scopes",
Copy link
Contributor

@DiamondJoseph DiamondJoseph Dec 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The user_sessions and tiled/scopes queries are added in this PR DiamondLightSource/authz#293 which is in review. Internally we have to answer exactly what the route to the queries are, so it may be worth removing this from the generic functionality PR into a later Diamond implementation PR?

Could also allow us to decide where non-NSLS facility specific code should live?

@ZohebShaikh ZohebShaikh changed the base branch from fork-publish to main December 12, 2025 15:07
@ZohebShaikh ZohebShaikh dismissed DiamondJoseph’s stale review December 12, 2025 15:22

Joseph has left diamond

@danielballan
Copy link
Member

danielballan commented Dec 16, 2025

Plan:

  1. @ZohebShaikh will remove dls.py which can live in local config (put on the PYTHONPATH).
  2. @danielballan will merge and release a beta by end of US workday on Wednesday.
  3. 🎄
  4. Evaluate whether we can consolidate on one plugin interface (i.e. build_input + _get_external_decision versus tag_parser). This should enable us to share implementations of init_node, modify_node, and filter.
  5. Decide, item by item, how much of the authorization logic in the TagParser would be better delegated to an external system: OPA or NSLS-II own's homegrown (temporary) authorization system.
  6. Consider whether custom integrations with authorization systems should plug in to Tiled by implementing a custom AccessPolicy class, or whether they should all use the same Tiled AccessPolicy and inject customizations some other way (e.g tag_parser).

@danielballan
Copy link
Member

danielballan commented Dec 16, 2025

Some merge conflicts were introduced when I merged #1244. Would you mind resolving these, @ZohebShaikh? Then we can merge/release.

@danielballan
Copy link
Member

danielballan commented Dec 17, 2025

Test failure is flaky/unrelated.

@danielballan danielballan merged commit b098863 into main Dec 17, 2025
11 of 12 checks passed
@ZohebShaikh ZohebShaikh deleted the add-opa branch January 3, 2026 03:17
ZohebShaikh added a commit that referenced this pull request Feb 21, 2026
@ZohebShaikh
Add external Policy Decision Point for Authorization (#1170)
8e4d30d 
* add external policy decision point

* update access_policy test

* Remove dls specific policy

* Add docs for policy
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DiamondJoseph DiamondJoseph DiamondJoseph left review comments

@danielballan danielballan danielballan approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ZohebShaikh @DiamondJoseph @danielballan