How to disallow everything except explicitely defined authorizaion blocks

[eshepelyuk]

Hello

What I want is to declare few authorization sections that would allow access based on certain conditions and drop all the other requests
Currently I am doing smth like this in my AuthConfig

authorization:
  allow-one:
    priority: 0
    when:
      - predicate: ...
    patternMatching:
      patterns:
        - predicate: ...
  allow-two:
    priority: 0
    when:
      - predicate: ...
    patternMatching:
      patterns:
        - predicate: ...
  disallow:
    priority: 1
    patternMatching:
      patterns:
        - predicate: "false"

Is there a shorter way to achieve my goal ? Is my approach correct ?

[guicassolato]

Hi @eshepelyuk.

In general your approach seems fine to me.

However, if you're OK with writing Rego (instead of CEL), maybe one thing you could do is to embed the conditions into the rules. A shorter version could then be:

authorization:
  all-in-one:
    opa:
      rego: |
        allow { <allow-one-conditions>; <allow-one-rules> }
        allow { <allow-two-conditions>; <allow-two-rules> }

Without changing much from what you have already, then maybe a (not so much) shorter version is:

authorization:
  allow-one:
    priority: 0
    when:
      - predicate: ...
    patternMatching:
      patterns:
        - predicate: ...
  allow-two:
    priority: 0
    when:
      - predicate: ...
    patternMatching:
      patterns:
        - predicate: ...
  disallow:
    priority: 1
    opa:
      rego: allow = false

[eshepelyuk]

1. is OPA recommended approach for use cases like mine ?
2. is OPA more performant comparable to CEL ?
3. Is there any discussion to simplify such cases without OPA ?

[guicassolato]

1. For this particular use case, I can't say OPA is the recommended approach per se. It's an option. In fact, the approach I suggested using OPA could just as well be implemented using CEL－if your use case allows merging the 2 authorization rules (allow-one and allow-two) into a single one, which may or may not be the case. I guess the general idea is (<allow-one-conditions> && <allow-one-rules>) || (<allow-two-conditions> && <allow-two-rules>), and not to use the when conditions at all. (Again, just another option.)
2. We don't have benchmarks against CEL yet. Compared to former Authorino pattern matching language (composed of selector, operator, value sets), Authorino's pattern matching beats OPA, so I have reasons to believe CEL can be more performant than OPA as well. However, that is heavily shaped by use case.
3. There is no ongoing discussion in that sense. For the general case, OPA is more powerful for expressing policies than the other authorization methods Authorino supports, in terms of what one can do with it.

[eshepelyuk]

And about this sample

authorization:
  allow-one:
    priority: 0
    when:
      - predicate: ...
    patternMatching:
      patterns:
        - predicate: ...
  allow-two:
    priority: 0
    when:
      - predicate: ...
    patternMatching:
      patterns:
        - predicate: ...
  disallow:
    priority: 1
    opa:
      rego: allow = false

I don't think it's gonna work, as well as my original code.
Unless one adds when condition to disallow block to negate both when from allow-one and allow-two

Due to https://github.com/Kuadrant/authorino/blob/main/docs/architecture.md

[guicassolato]

I haven't tested these exact examples, but you could check the outputs of allow-one and allow-two. E.g.:

Using CEL:

disallow:
  priority: 1
  patternMatching:
    patterns:
    - predicate: (has(auth.authorization["allow-one"]) && auth.authorization["allow-one"]) || (has(auth.authorization["allow-two"]) && auth.authorization["allow-two"])

Using OPA:

disallow:
  priority: 1
  opa:
    rego: |
      allow { object.get(input.auth.authorization, "allow-one", false) }
      allow { object.get(input.auth.authorization, "allow-two", false) }