You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
As a user of OpenPolicyAgent (OPA) I want to be sure that only authenticated & authorized clients can get data (which might include PII data from UserInfoFetcher and other sources).
OPA supports Bearer tokens and Client TLS certificates. The latter fits better into our platform so it's the preferred way but the bearer token can be used as well if there are any hurdles towards implementing client certificates.
Value
We want the SDP platform to be as secure as possible by default and design and in addition this will be a requirement of the Cyber Resilience Act we'll have to fulfill.
Therefore, we need to authenticate and authorize any client requests coming to OPA.
Dependencies
This requires the Secret Operator (I assume) to provide the necessary client certificates for all clients (i.e. authorizers) to be able to authenticate against OPA.
Tasks
The content you are editing has changed. Please copy your edits and refresh the page.
OPA does not accept unauthenticated requests anymore
All authorizers authenticate themselves when speaking to OPA
(Information Security) Risk Assessment
This will strictly make our product more secure and helps us with regulations such as the Cyber Resilience Act.
Additional risks are the need to create TLS certificates and protect them but that is already part of the platform.
Release Notes
All authorizers speaking to OpenPolicyAgent (OPA) now use Client TLS certificates to authenticate themselves against OPA.
Remarks
Be aware of this section in the docs:
Note that TLS authentication does not disable non-HTTPS listeners. To ensure that all your communication is secured, it should be paired with an authorization policy (see below) that at least requires the client identity (input.identity) to be set.
In general please read the docs on this feature before starting any implementation.
The text was updated successfully, but these errors were encountered:
Description
As a user of OpenPolicyAgent (OPA) I want to be sure that only authenticated & authorized clients can get data (which might include PII data from UserInfoFetcher and other sources).
OPA supports Bearer tokens and Client TLS certificates. The latter fits better into our platform so it's the preferred way but the bearer token can be used as well if there are any hurdles towards implementing client certificates.
Value
We want the SDP platform to be as secure as possible by default and design and in addition this will be a requirement of the Cyber Resilience Act we'll have to fulfill.
Therefore, we need to authenticate and authorize any client requests coming to OPA.
Dependencies
This requires the Secret Operator (I assume) to provide the necessary client certificates for all clients (i.e. authorizers) to be able to authenticate against OPA.
Tasks
Tasks
Acceptance Criteria
(Information Security) Risk Assessment
This will strictly make our product more secure and helps us with regulations such as the Cyber Resilience Act.
Additional risks are the need to create TLS certificates and protect them but that is already part of the platform.
Release Notes
All authorizers speaking to OpenPolicyAgent (OPA) now use Client TLS certificates to authenticate themselves against OPA.
Remarks
Be aware of this section in the docs:
In general please read the docs on this feature before starting any implementation.
The text was updated successfully, but these errors were encountered: