Add support for AllowNet capability in http.send
#3665
Comments
tsandall
added this to TODO (Things That Should Be Done)
in Open Policy Agent
via automation
|
With #3748 we now have an API for OPA admins to supply a list of hostnames/IPs that an OPA should be allowed to connect to. We should use make use of the capabilities within topdown. |
|
It would be good to allow blocking specific protocols as well, like unix:// or http:// (i.e,. not https) .. might be one wants to request something from a local http service without allowing access to local unix domain sockets on the host filesystem. |
|
If we follow the semantics of the JSON Schema remote ref fetching, then as soon as there's any entry in |
tsandall
changed the title
tsandall
moved this from TODO (Things That Should Be Done)
to Planned (Things We Are Going To Do)
in Open Policy Agent
tsandall
changed the title
http.send
johanfylling
added a commit
to johanfylling/opa
that referenced
this issue
Dec 16, 2021
… functions Adding host allow-listing based on the allow_net capability in the http.send()- and net.lookup_ip_addr() built-in functions when running the eval command. Fixes: open-policy-agent#3665 Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
OPA should support a mechanism for restricting http.send calls at runtime. The primary use case would be restricting what hosts http.send calls can make. To support this, we should look at what interfaces are required in the topdown package. On top of that, we could expose restriction settings via the OPA configuration.
Note, this is not about disabling the http.send call entirely or blocking it at compile-time. The goal here is to allow policy authors to make use of http.send but only for reaching out to specific hosts.
EDIT:
net.lookup_ip_addrfunction.Related #3661
The text was updated successfully, but these errors were encountered: