Policy Management Service #174
Merged
Conversation
setrofim force-pushed the setrofim branch 2 times, most recently from 0829c96 to 9856c2a on July 24, 2023 15:42
Added a commit replacing
Thanks!
Allow forwarding a port of the debug container started with `make debug` by setting the DEBUG_PORT environment variable to the value of the port to be forwarded. Signed-off-by: Sergei Trofimov <[email protected]>
Clear Veraison stores between tests, ensuring each test starts from a clean slate and is thus guaranteed to be independent of the preceding tests. Signed-off-by: Sergei Trofimov <[email protected]>
The template was missing the mandatory "profile" entry, resulting in failing provisioning. This was obscured by the previous test case that was successfully provisioning using the full template, when the provisioned stores were not cleared between tests. Signed-off-by: Sergei Trofimov <[email protected]>
- Make media-types entry inside well-known info optional.
- Add optional attestation-schemes entry.
Current services continue to report media types and omit schemes, reporting the same info as before. This change is intended to support the coming management service. Signed-off-by: Sergei Trofimov <[email protected]>
Add methods to create an io.Writer associated with a named logger. Signed-off-by: Sergei Trofimov <[email protected]>
"Policy" as defined by the RATS architecture[1], and, therefore, the ear.appraisal-policy-id entry in EAR[2], maps onto the combination of attestation scheme and policy in Veraison. This means that, when a policy is not used, the ear.appraisal-policy-id field should be set to reflect the attestation scheme. If a policy is used, the field should be set to reflect both the scheme and the policy. Additionally, up to this point, the policy manager allowed only one active policy per tenant. Differentiation between schemes, if necessary, could be performed within the policy rules. This commit changes this so that the policies are now managed based on both the tenant and the scheme. This means that policies for different schemes can be updated independently by the tenant. [1]: https://datatracker.ietf.org/doc/html/draft-ietf-rats-architecture-05 [2]: https://www.rfc-editor.org/rfc/internet-drafts/draft-fv-rats-ear-00.html Signed-off-by: Sergei Trofimov <[email protected]>
Add a method to validate the policy rules without actually evaluating them against a particular input. For OPA, this validation amounts to a syntax check of the specified rules. This is intended for use by the forthcoming policy management API implementation. Signed-off-by: Sergei Trofimov <[email protected]>
Use Veraison logging framework for logging OPA engine output. Signed-off-by: Sergei Trofimov <[email protected]>
Add a method to retrieve the names of attestation schemes implemented by registered plugins. Signed-off-by: Sergei Trofimov <[email protected]>
Add a new service node, "management". Implement API for updating and querying policies via this node. Signed-off-by: Sergei Trofimov <[email protected]>
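As an added example, not code from this PR or from Veraison, the following Go program sketches the behaviour the commit messages above describe: policies are stored and updated per (tenant, scheme) rather than per tenant, the ear.appraisal-policy-id value is derived from the scheme alone when no policy is active and from scheme plus policy when one is, rules are validated before they are stored, and a small REST handler updates and queries them. The route layout, the "scheme/policy" spelling of the policy ID, the in-memory store, the scheme and tenant names in the usage note, and the stand-in validator are all assumptions made for the example; the real management service and its OPA syntax check are not reproduced here.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
	"sync"
)

type Policy struct {
	Name  string `json:"name"`
	Rules string `json:"rules"`
}

// Store is an assumed in-memory stand-in for a persistent store keyed on (tenant, scheme).
type Store struct {
	mu       sync.RWMutex
	policies map[[2]string]Policy // key: {tenant, scheme}
	validate func(rules string) error
}

func NewStore(validate func(string) error) *Store {
	return &Store{policies: map[[2]string]Policy{}, validate: validate}
}

// Put validates the rules first, then replaces the policy for (tenant, scheme) only.
func (s *Store) Put(tenant, scheme string, p Policy) error {
	if tenant == "" || scheme == "" || p.Name == "" {
		return errors.New("tenant, scheme and policy name are required")
	}
	if err := s.validate(p.Rules); err != nil {
		return fmt.Errorf("invalid rules for %s/%s: %w", tenant, scheme, err)
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.policies[[2]string{tenant, scheme}] = p
	return nil
}

// Get returns the active policy for (tenant, scheme), if any.
func (s *Store) Get(tenant, scheme string) (Policy, bool) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	p, ok := s.policies[[2]string{tenant, scheme}]
	return p, ok
}

// AppraisalPolicyID derives the EAR ear.appraisal-policy-id value: the scheme alone
// when no policy is active, scheme plus policy name when one is ("scheme/policy" is assumed).
func (s *Store) AppraisalPolicyID(tenant, scheme string) string {
	if p, ok := s.Get(tenant, scheme); ok {
		return scheme + "/" + p.Name
	}
	return scheme
}

// Handler exposes the store over REST (assumed route layout):
// PUT /policies/{tenant}/{scheme} updates, GET /policies/{tenant}/{scheme} queries.
func (s *Store) Handler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		parts := strings.Split(strings.Trim(r.URL.Path, "/"), "/")
		if len(parts) != 3 || parts[0] != "policies" {
			http.NotFound(w, r)
			return
		}
		tenant, scheme := parts[1], parts[2]
		switch r.Method {
		case http.MethodPut:
			var p Policy
			if err := json.NewDecoder(r.Body).Decode(&p); err != nil {
				http.Error(w, "malformed policy: "+err.Error(), http.StatusBadRequest)
			} else if err := s.Put(tenant, scheme, p); err != nil {
				http.Error(w, err.Error(), http.StatusBadRequest)
			} else {
				w.WriteHeader(http.StatusNoContent)
			}
		case http.MethodGet:
			if p, ok := s.Get(tenant, scheme); ok {
				w.Header().Set("Content-Type", "application/json")
				_ = json.NewEncoder(w).Encode(p)
			} else {
				http.NotFound(w, r)
			}
		default:
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		}
	})
}

// minimalValidator is an assumed stand-in for an engine syntax check (not OPA's): it rejects
// any rule set, an empty one included, that lacks the package declaration Rego requires.
func minimalValidator(rules string) error {
	if !strings.HasPrefix(strings.TrimSpace(rules), "package ") {
		return errors.New("rule set must start with a package declaration")
	}
	return nil
}
```

With `s := NewStore(minimalValidator)`, `s.AppraisalPolicyID("0", "PSA_IOT")` returns `PSA_IOT` until a policy is stored; after `PUT /policies/0/PSA_IOT` with `{"name":"strict","rules":"package policy\n"}` it returns `PSA_IOT/strict`, while the ID for tenant "0" under another scheme, or for another tenant under PSA_IOT, is unchanged. A PUT whose rules fail validation is rejected with 400 and leaves the previously active policy in place, which is the property the "clear stores between tests" and "validate without evaluating" commits rely on.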
- Remove policy/cmd/polcli - the policy client that operated directly on the underlying stores.
- Within the docker deployment, replace it with pocli (separate package) that operates on top of the management REST API.
Signed-off-by: Sergei Trofimov <[email protected]>
yogeshbdeshpande approved these changes on Jul 26, 2023
LGTM!
Thanks for the changes.
Initial implementation of policy management REST API, implemented as a separate service node.