Comments (7)
Thanks @spacedub!
I think there are basically two approaches:
- Provide a policy to Ghostunnel at startup. We load the policy using the OPA runtime library and execute it in-process, this yields lower latency (no context switch) but less flexibility.
- We let Ghostunnel talk to the OPA REST API (specifically the Query API). This is a bit more flexible, you can reload policies, change it on the fly, etc. by restarting your OPA server. But it adds extra latency and context switching.
from ghostunnel.
I'm a big fan of OPA, I think this would be neat. I'm not entirely sure what the best way to integrate it would be though -- e.g. would we want to talk to an external server or use the runtime in-process to evaluate policies for example.
from ghostunnel.
I was thinking in-process, but then this is early for me - I just started looking into this.
You guys have a discord for ghostunnel?
from ghostunnel.
There's no discord, but happy to talk on here if you want to sketch something out.
from ghostunnel.
Cool!
I will likely start looking seriously into this later this month, and will get back here with more crisp ideas / a plan.
Unrelated/related: I sent you a note on linkedin - as we are using ghostunnel for our stuff, we are interested in supporting the project - so, if this would be useful too, let me know over there?
Thanks in all cases and ttyl!
from ghostunnel.
Ok, I have a small POC for the in-process approach that does verify the CN of a client cert.
I have this policy defined in a local rego file:
package mtls.authz

import input.identity  # not used by the rule below

default allow := false

allow {
    input.client.Subject.CommonName == "spacedub (104954251)"
}
I am obviously hooking up on TLSConfig.VerifyPeerCertificate to map the client certificate to the input (a la VerifyPeerCertificateServer in auth.go).
From a command-line perspective, I am passing along the policy and the query:
--policy opa-policy-tls.pol --query "data.mtls.authz.allow"
The key question IMO: what UX do we want?
Also, I am very new to OPA - just correct me if I am going in the wrong direction.
So, what about this:
ghostunnel --allow-policy policyfile.rego --allow-query "some query"
- that would be mutually exclusive with the other allow flags
- would still hook up at the same level as the other allow flags (in auth.go)
Thoughts?
from ghostunnel.
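The hook sketched in the POC above, written out as an added example (not ghostunnel's code nor the poster's): a VerifyPeerCertificate callback that builds the OPA input from the verified leaf certificate, evaluates the query through an assumed Evaluator interface, and fails closed. The Evaluator, CommonNameEvaluator and VerifiedChainFor names are assumptions; a real build would hand the input to the OPA rego package instead of the constructed stand-in.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
)

// Evaluator stands in for the in-process OPA runtime (an assumed interface, not ghostunnel's).
type Evaluator func(input map[string]any) (bool, error)

// BuildInput maps the verified leaf to what the thread's policy reads (input.client.Subject.CommonName).
// Only verifiedChains is used: rawCerts is whatever the peer sent; verifiedChains exists only after validation.
func BuildInput(chains [][]*x509.Certificate) (map[string]any, error) {
	if len(chains) == 0 || len(chains[0]) == 0 {
		return nil, errors.New("no verified client certificate chain")
	}
	subj := map[string]any{"CommonName": chains[0][0].Subject.CommonName}
	return map[string]any{"client": map[string]any{"Subject": subj}}, nil
}

// NewVerifyPeerCertificate builds a tls.Config.VerifyPeerCertificate callback that fails
// closed: a policy error or a non-true result rejects the handshake.
func NewVerifyPeerCertificate(eval Evaluator) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		input, err := BuildInput(chains)
		if err != nil {
			return err
		}
		if ok, err := eval(input); err != nil || !ok {
			return errors.New("client certificate rejected by policy")
		}
		return nil
	}
}

// CommonNameEvaluator is a constructed stand-in for the thread's rego rule (allow iff
// CommonName == cn); the real evaluator would run the loaded .rego module in OPA.
func CommonNameEvaluator(cn string) Evaluator {
	return func(input map[string]any) (bool, error) {
		client, _ := input["client"].(map[string]any)
		subj, _ := client["Subject"].(map[string]any)
		got, _ := subj["CommonName"].(string)
		return got == cn, nil
	}
}
// VerifiedChainFor is a constructed fixture (crypto/tls fills verifiedChains in a real handshake).
func VerifiedChainFor(cn string) [][]*x509.Certificate {
	return [][]*x509.Certificate{{&x509.Certificate{Subject: pkix.Name{CommonName: cn}}}}
}
```

Wire it in with `tlsConfig.VerifyPeerCertificate = NewVerifyPeerCertificate(eval)` alongside `ClientAuth: tls.RequireAndVerifyClientCert`, otherwise verifiedChains is never populated.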
Left some comments on the pull request, overall I think this is the right direction and looks pretty good already.
from ghostunnel.