Kelon is a policy enforcement point that wraps the Open Policy Agent (OPA) and adds functionality aimed at microservices.
Let's say you have some services that need authorization. With this challenge in mind, there are basically two options:
- Use code to secure your endpoints
  - For REST services, nearly every framework provides something like Guards
- Use tools to secure your endpoints
  - Just add some small code snippets to your service (like request interceptors) and let a tool handle the decision for you
The second option not only lets you implement your service faster (you focus only on its functionality), but also grants much more security, because all your policies are stored and enforced in one place (and can be tested separately).
This is basically the problem that the Open Policy Agent solves. The catch is that OPA is very hard to integrate into a project, because the data required to enforce policies has to be stored inside OPA itself. This leads to workflows where you copy an abstraction of your entire database into OPA, which is not only redundant but also leads to synchronization issues.
Kelon is basically a proxy of OPA's Data API which is connected to all your data sources and responds to incoming queries with "ALLOW" or "DENY". Each incoming query contains all the information about, for example, the client request that reached your service. Internally, Kelon uses the provided input to determine an OPA package, which it then queries using OPA's Partial Evaluation. The result of this query is interpreted and, if it contains any "unknowns", translated into a data source query which is used to make the decision.
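The last step of that flow, sketched as an added example (this is not Kelon's code). The residual shape, the `SCHEMA` allow-list, the `apps` table and the "at least one matching row means ALLOW" rule are assumptions made for illustration; the empty-result and empty-query cases follow how OPA's partial evaluation reports "never true" and "always true".

```python
import sqlite3

# Constructed stand-in for a partial-evaluation result: a list of residual
# queries (OR-ed); each query is a list of (table, column, op, value)
# conditions (AND-ed) over data OPA did not have (the "unknowns").
# Simplified, hypothetical shape; OPA's real residual is a Rego AST.
ALLOWED_OPS = {"==": "=", "!=": "<>", "<": "<", ">": ">"}
SCHEMA = {"apps": {"id", "owner", "stars"}}  # only identifiers we may emit

def to_sql(residual):
    """Translate residual queries into one parameterized COUNT query."""
    branches, params, tables = [], [], set()
    for query in residual:
        conds = []
        for table, column, op, value in query:
            if column not in SCHEMA.get(table, ()) or op not in ALLOWED_OPS:
                raise ValueError(f"untranslatable condition: {table}.{column} {op}")
            tables.add(table)
            conds.append(f"{table}.{column} {ALLOWED_OPS[op]} ?")
            params.append(value)  # values are bound, never concatenated
        branches.append("(" + " AND ".join(conds) + ")")
    if len(tables) != 1:
        raise ValueError("this sketch handles a single table only")
    return f"SELECT COUNT(*) FROM {tables.pop()} WHERE " + " OR ".join(branches), params

def decide(residual, conn):
    """Map a residual to ALLOW/DENY, failing closed on anything unexpected."""
    if not residual:                        # no residual query: never true
        return "DENY"
    if any(len(q) == 0 for q in residual):  # empty query: always true
        return "ALLOW"
    try:
        sql, params = to_sql(residual)
        (count,) = conn.execute(sql, params).fetchone()
    except (ValueError, sqlite3.Error):
        return "DENY"
    return "ALLOW" if count > 0 else "DENY"

def demo_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE apps (id INTEGER, owner TEXT, stars INTEGER)")
    conn.executemany("INSERT INTO apps VALUES (?, ?, ?)",
                     [(1, "arnold", 1), (2, "anyone", 5)])
    return conn
```

Anything the translator cannot express ends in "DENY" rather than in a best-effort query, so a policy change that outruns the translator fails closed.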
To show you the capabilities of Kelon in action, we provide a simple example setup of Kelon with three databases [MySQL, PostgreSQL, MongoDB]. To run this example you need to install Docker, Docker-Compose and (optionally) Postman. Afterwards you can run the example like this:
$ git clone [email protected]:unbasical/kelon.git
$ cd kelon
$ docker-compose up -d
After everything is up and running, you can use this Postman-Collection to verify that Kelon is working correctly.
Then visit our official docs.