kelon

module
v0.0.0-...-75b1e24
Published: Dec 17, 2021 License: Apache-2.0

README

Kelon

Kelon is a policy enforcement point that wraps the Open Policy Agent (OPA) and adds more functionality for microservices.

Problems you face when adding authorization to your services

Let's say you have some services you would like to have authorization implemented into. With this challenge in mind there are basically two options:

  1. Use code to secure your endpoints
    • For REST services, nearly every framework provides something like guards
  2. Use tools to secure your endpoints
    • Just add some small code snippets to your service (like Request-Interceptors) and let a tool handle the decision for you

The second option not only speeds up implementing your service (you focus only on the functionality), but also improves security, because all your policies are stored and enforced in one place, where they can also be tested separately.

This is basically the problem that the Open Policy Agent solves. The only problem is that OPA is very hard to integrate into a project, because the data needed to enforce policies has to be stored inside it. This leads to workflows where you copy an abstraction of your entire database into OPA, which is not only redundant but also leads to synchronization issues.

How Kelon solves authorization

Kelon is basically a proxy for OPA's Data API that is connected to all your data sources and responds to incoming queries with "ALLOW" or "DENY". An incoming query contains all information about, for example, the incoming client request to your service. Internally, Kelon uses the provided input to determine an OPA package, to which it then sends a query (using OPA's Partial Evaluation). The result of this query is interpreted and (in case of any "unknowns") translated into a data source query, which is used to make the decision.
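
The last step described above, as an added example that is not Kelon's own code: a simplified Go model that turns the residual conditions left by partial evaluation into one parameterized SQL query. The `Cond` and `Plan` types, the `apps` schema and the operator names are assumptions made for illustration; they are neither OPA's AST nor Kelon's translator.

```go
package main

import (
	"fmt"
	"strings"
)

type Cond struct { // one residual comparison: unknown datastore column vs. known value
	Table, Column, Op string
	Value             any
}

type Plan struct { // an immediate decision, or a parameterized query still to be run
	Decision, SQL string
	Args          []any
}

// Constructed allowlists: only these identifiers and operators reach SQL text.
var schema = map[string]map[string]bool{"apps": {"owner": true, "stars": true}}
var ops = map[string]string{"eq": "=", "neq": "<>", "gt": ">", "lt": "<"}

// Translate maps residual queries (an OR of ANDed conditions) to a Plan.
// Callers should treat a returned error as DENY (fail closed).
func Translate(residual [][]Cond) (Plan, error) {
	if len(residual) == 0 {
		return Plan{Decision: "DENY"}, nil // policy cannot be satisfied
	}
	exists, args := []string{}, []any{}
	for _, q := range residual {
		if len(q) == 0 {
			return Plan{Decision: "ALLOW"}, nil // satisfied without unknowns
		}
		var where []string
		for _, c := range q {
			op, known := ops[c.Op]
			if c.Table != q[0].Table || !schema[c.Table][c.Column] || !known {
				return Plan{}, fmt.Errorf("unsupported condition %+v", c)
			}
			where = append(where, c.Column+" "+op+" ?") // value stays a bind parameter
			args = append(args, c.Value)
		}
		exists = append(exists, "EXISTS (SELECT 1 FROM "+q[0].Table+" WHERE "+strings.Join(where, " AND ")+")")
	}
	return Plan{SQL: "SELECT " + strings.Join(exists, " OR "), Args: args}, nil
}

func main() { // constructed residual for a hypothetical policy on table "apps"
	fmt.Println(Translate([][]Cond{{{"apps", "owner", "eq", "o'brien"}, {"apps", "stars", "gt", 3}}}))
}
```

Run the returned statement with `Args` bound by the database driver; a true result maps to ALLOW and anything else to DENY. The `?` placeholder is MySQL style, while PostgreSQL drivers expect `$1`, `$2`, and so on.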

Getting Started

To show you the capabilities of Kelon in action, we provide a simple example setup of Kelon with three databases (MySQL, PostgreSQL, MongoDB). To run this example you need to install Docker, Docker Compose and, optionally, Postman. Afterwards you can run the example like this:

$ git clone git@github.com:Foundato/kelon.git
$ cd kelon
$ docker-compose up -d

After everything is up and running, you can use this Postman collection to verify that Kelon is working correctly.

Want to know more about Kelon?

Then visit our official docs.

Directories

Path Synopsis
cmd
Package common provides constants that are used within the entire application
Central package for app-global config.
internal
pkg/util
Package util contains helper functions and data structures.
pkg
api
Package api contains components that handle incoming requests and delegate them to the opa.PolicyCompiler.
data
Package data contains components that are used to translate an AST coming from translate.AstTranslator into a datastore's native query which can then be executed inside the datastore.
opa
Package opa contains components that generate decisions on incoming requests.
request
Package request contains components that help to transform an incoming request into OPA-compatible units like a package and a query.
translate
Package translate contains components that help to process a partially evaluated AST returned by OPA.
watcher
Package watcher contains components that are used for configuration reloading of kelon.
test
