Configuration of IP and MAC

[shashankbr11]

Hi,

I have been using OPA Rego policies to configure user role based access and OPA is giving suitable decisions.

However I am interested in configuring an IP based access and tried with the following rego policy for allow decision

package abc
default allow = false
allow {
    input.method = "GET"
    input.addrs = [":8181"]
}

to allow the localhost running server.

input.json query

{
"method": "GET",
"addrs": [":8181"]
}

The policy evaluated for the input is not resulting for allow = true or false

Please suggest the feature for testing IPs and MAC address in this context to manage decisions for the incoming IP, MAC address.

With regards,
Shashank

[srenatus]

OPA does not see anything from the transport layer. So, the requesting client address etc isn't available -- but it also shouldn't be: The client asking OPA for a policy decision is typically some API gateway software.

Your policy and input looks good, but it also depends on how you're evaluating this. Are you using the playground, opa eval, or the REST API?

[shashankbr11]

Thanks for the reply @srenatus.

I am running the OPA server (./opa run --server)

I am using PUT to place the Policy at localhost:8181/v1/policies and sending JSON file using GET to v1/policies location through Insomnia to debug.

I wish to allow the IP address/ MAC of the localhost while denying other machine's IP and MAC that request the OPA server.

Could it be possible to implement in the above manner? Please suggest relevant method for the above situation.

With regards,
Shashank B.R

[anderseknert]

You can't do this at policy-level, but if you want to only allow connections from localhost, you can bind the OPA server to that interface:

opa run --server --addr=localhost:8181

You can use a diagnostics address if you need to have some endpoints for checking health/status made public.

[shashankbr11]

Thanks @anderseknert for the reply. Your videos are helpful in configuring policies.

I was able to allow HTTP access from browser on the local machine while access denied from browsers on other machines.

Is it possible in the same way using only the MAC addresses as well?

[anderseknert]

Thanks! I appreciate you saying that 😃

No, there's no support for that in OPA. You'd need to do so in another layer if you really want that.

[shashankbr11]

Can we define Rego policies with MAC addresses so that an input JSON file with MAC address field can be evaluated with MAC address in the policy?

[anderseknert]

Sure!

[shashankbr11]

Is it as a built-in function in Rego? Can we define it as user attributes?

[anderseknert]

There are no built-in functions for mac addresses in Rego. I'm not sure what those would look like? I was thinking you would want to do something like this:

package policy

import future.keywords.if
import future.keywords.in

allowed_macs := {"e6:23:35:b8:8b:c3", "e6:23:35:b8:8b:c4", "e6:23:35:b8:8b:c5"}

allow if input.mac in allowed_macs

[shashankbr11]

Yes.. Somewhat like this.. I would also wish to update the list of allowed MACs dynamically if there is an addition or deletion of allowed MACs in a file.

[anderseknert]

Sure! There are many ways to provide OPA with data. See https://www.openpolicyagent.org/docs/latest/external-data/

[shashankbr11]

The link is useful to analyze the right format which we intend to implement.

Also for the IP resolution should we use the built-in function shown below

hosts := net.cidr_expand(cidr)

or possibly declare it as ip := 192.168.1.1