Policy Engine
The policy engine uses Open Policy Agent (OPA). OPA is an open source, unified toolset for policy. The policy engine uses Rego, a Go-like language in which engineers define policy actions as code. The policy engine can be queried via a GET request and needs a username, resource, action, and score to determine an action. Our policy engine is set up to perform role-based access control, as you can see here:
Because the policy engine needs so much information to make a decision, our network agent, Traefik, did not support this out of the box. This is why the Swissknife Handler was created. The Swissknife Handler is essentially a middleware handler that communicates with the Trust API Handler before querying the policy engine. It is configured as a middleware for our network agent and works as follows:
1. The Swissknife Handler parses the username and resource from the network agent's GET request.
2. The Swissknife Handler then PUTs the username into the Trust API Handler.
3. It then waits for a response from the Trust API Handler for the trust score.
4. Once the trust score has been received, the Swissknife Handler queries the policy engine, providing the relevant data.
5. The Swissknife Handler then forwards the decision from the policy engine to the network agent.
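The five steps above end to end, as an added Go example that is not the project's own code: a Swissknife-style `http.Handler` that takes the user and resource from the request, PUTs the username to the Trust API, waits for the score, GETs the policy engine with username, resource, action and score, and forwards the decision. The Trust API and the policy engine are constructed `httptest` stand-ins so the flow runs offline; their routes (`/trust`, `/decision`), the `X-Forwarded-User` header, the users, scores, roles and the role-based rule inside the policy stand-in are all assumptions made for this example (the real policy engine evaluates Rego, which the stand-in only imitates).

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strconv"
	"strings"
)

// Decision is the policy engine's answer, forwarded unchanged to the network agent.
type Decision struct {
	Allow  bool   `json:"allow"`
	Reason string `json:"reason,omitempty"`
}

// SwissknifeHandler sits between the network agent and the policy engine.
// The endpoint paths used below are assumptions, not the project's real routes.
type SwissknifeHandler struct {
	TrustAPIURL     string // assumed, e.g. http://trust-api:8080
	PolicyEngineURL string // assumed, e.g. http://policy-engine:8181
	Client          *http.Client
}

// doJSON sends req and decodes the JSON reply into out; any non-200 status is an error.
func (h *SwissknifeHandler) doJSON(req *http.Request, out interface{}) error {
	resp, err := h.Client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s returned %d", req.URL.Host, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// Steps 2 and 3: PUT the username to the Trust API and wait for its score.
func (h *SwissknifeHandler) fetchScore(username string) (int, error) {
	body := strings.NewReader(fmt.Sprintf(`{"username":%q}`, username))
	req, err := http.NewRequest(http.MethodPut, h.TrustAPIURL+"/trust", body)
	if err != nil {
		return 0, err
	}
	req.Header.Set("Content-Type", "application/json")
	var out struct {
		Score int `json:"score"`
	}
	err = h.doJSON(req, &out)
	return out.Score, err
}

// Step 4: GET the policy engine with username, resource, action and score.
func (h *SwissknifeHandler) queryPolicy(username, resource, action string, score int) (Decision, error) {
	q := url.Values{"username": {username}, "resource": {resource}, "action": {action}, "score": {strconv.Itoa(score)}}
	req, err := http.NewRequest(http.MethodGet, h.PolicyEngineURL+"/decision?"+q.Encode(), nil)
	if err != nil {
		return Decision{}, err
	}
	var d Decision
	err = h.doJSON(req, &d)
	return d, err
}

// ServeHTTP is the middleware entry point the network agent calls.
func (h *SwissknifeHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// Step 1: username from a header set by upstream authentication (assumed name),
	// resource from the request path, action from the HTTP method.
	username := r.Header.Get("X-Forwarded-User")
	if username == "" {
		http.Error(w, "unauthenticated", http.StatusUnauthorized)
		return
	}
	score, err := h.fetchScore(username)
	if err != nil { // fail closed: without a score there is no decision, never a default allow
		http.Error(w, "trust api unavailable", http.StatusBadGateway)
		return
	}
	d, err := h.queryPolicy(username, r.URL.Path, r.Method, score)
	if err != nil {
		http.Error(w, "policy engine unavailable", http.StatusBadGateway)
		return
	}
	// Step 5: forward the decision to the network agent.
	w.Header().Set("Content-Type", "application/json")
	if !d.Allow {
		w.WriteHeader(http.StatusForbidden)
	}
	json.NewEncoder(w).Encode(d)
}

// NewStandIns starts constructed stand-ins for the Trust API and the policy engine.
// Users, scores, roles and the rule are made up for this example.
func NewStandIns() (trust, policy *httptest.Server) {
	scores := map[string]int{"alice": 80, "bob": 30, "carol": 60}
	roles := map[string]string{"alice": "admin", "bob": "viewer", "carol": "viewer"}
	trust = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in struct {
			Username string `json:"username"`
		}
		if r.Method != http.MethodPut || json.NewDecoder(r.Body).Decode(&in) != nil {
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		json.NewEncoder(w).Encode(map[string]int{"score": scores[in.Username]})
	}))
	policy = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		score, _ := strconv.Atoi(q.Get("score"))
		role := roles[q.Get("username")]
		// Imitates a role-based Rego rule: every role needs a minimum score, viewers may only read.
		allow := score >= 50 && (role == "admin" || (role == "viewer" && q.Get("action") == http.MethodGet))
		reason := ""
		if !allow {
			reason = "role or score check failed"
		}
		json.NewEncoder(w).Encode(Decision{Allow: allow, Reason: reason})
	}))
	return trust, policy
}

// NewExampleHandler wires a handler to the stand-ins; the returned func stops them.
func NewExampleHandler() (*SwissknifeHandler, func()) {
	trust, policy := NewStandIns()
	h := &SwissknifeHandler{TrustAPIURL: trust.URL, PolicyEngineURL: policy.URL, Client: http.DefaultClient}
	return h, func() { trust.Close(); policy.Close() }
}

// Authorize runs one request through the handler and returns the status code and decision.
func Authorize(h *SwissknifeHandler, username, method, path string) (int, Decision) {
	req := httptest.NewRequest(method, path, nil)
	req.Header.Set("X-Forwarded-User", username)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	var d Decision
	json.NewDecoder(rec.Body).Decode(&d) // error responses carry no JSON; d stays zero
	return rec.Code, d
}

func main() {
	h, stop := NewExampleHandler()
	defer stop()
	for _, c := range [][3]string{{"alice", "DELETE", "/reports/1"}, {"carol", "GET", "/reports/1"}, {"carol", "DELETE", "/reports/1"}, {"bob", "GET", "/reports/1"}} {
		code, d := Authorize(h, c[0], c[1], c[2])
		fmt.Printf("%-5s %-6s %s -> %d allow=%v %s\n", c[0], c[1], c[2], code, d.Allow, d.Reason)
	}
}
```

The one design choice worth noting is that the handler fails closed: if the Trust API or the policy engine cannot be reached, the request is rejected with 502 rather than passed through, because a missing score must never turn into an implicit allow.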