API Data and Framework Versioning. #1622
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
helsaawy
reviewed
Jan 19, 2023
helsaawy
approved these changes
Jan 25, 2023
hgarvison
reviewed
Jan 26, 2023
anmaxvl
approved these changes
Jan 27, 2023
This change adds several features that are necessary to provide stable backwards
compatibility.
The first deals with how API defaults are specified.
Previously, API default behavior was given in terms of allow/deny, i.e.
``` rego
"create_container": {"introducedVersion": "0.1.0",
"allowedByDefault": false}
```
This does not reflect how the API has evolved, in particular the fact that GCS
expects the API to return objects and not a single boolean value. Thus, the
defaults have been updated to be default object values:
``` rego
"create_container": {"introducedVersion": "0.1.0",
"default_results": {"allowed": false,
"env_list": null,
"allow_stdio_access": true}},
```
The resulting default object is then combined with the value returned by the
(older) policy using an object union operation. For example, if the
default is:
``` json
{
"allowed": false,
"env_list": null,
"allow_stdio_access": true
}
```
and the value returned by an older policy is:
``` json
{
"allowed": true,
}
```
then then the fields of the policy result overwrite the fields of the default
to create the final result:
``` json
{
"allowed": true,
"env_list": null,
"allow_stdio_access": true
}
```
As the API stabilizes, it will increasingly be the case that the Framework will
change independently of the API and will need its own SVN. The second major
change this PR incorporates is to add a Framework SVN to fragments and policies
which use the provided framework. This allows us to provide Framework-specific
backwards compatibility behavior. In particular, this allows us to specify
policy object versioning via the new `framework_objects.json` file. For example,
the format of the external process object is defined as:
``` json
"external_process": {
"command": {
"introduced_version": "0.1.0",
"default_value": null
},
"env_rules": {
"introduced_version": "0.1.0",
"default_value": null
},
"working_dir": {
"introduced_version": "0.1.0",
"default_value": null
},
"allow_stdio_access": {
"introduced_version": "0.1.0",
"default_value": null
}
},
```
As new elements are added to framework policy objects, reasonable defaults can
be provided here. This has repercussions on policies in a few cases:
1. **`framework_svn` is missing.** If the policy or fragment does not define a
Framework SVN, then the framework must thrown an error for any rule which
uses the object defaults, as the behavior is undefined.
2. **`framework_svn` is ahead of the executing Framework SVN**. Similarly, if
a policy or fragment specifies an SVN which is greater than that of the
executing Framework, they are indicating that they expect a different set of
constraints to be executing and thus we must thrown an error when rules
that uses object defaults are executed.
Implementing and testing these changes required some minor alterations and
refactoring to the `regopolicyinterpreter`, in particular a method to make
raw Rego queries to facilitate testing the default application process for
candidate policy objects.
Signed-off-by: Matthew A Johnson <[email protected]>
Signed-off-by: Matthew A Johnson <[email protected]>
Signed-off-by: Matthew A Johnson <[email protected]>
Signed-off-by: Matthew A Johnson <[email protected]>
Signed-off-by: Matthew A Johnson <[email protected]>
Signed-off-by: Matthew A Johnson <[email protected]>
Signed-off-by: Matthew A Johnson <[email protected]>
KenGordon
reviewed
Jan 27, 2023
princepereira
pushed a commit
to princepereira/hcsshim
that referenced
this pull request
Aug 29, 2024
* API Data and Framework Versioning.
This change adds several features that are necessary to provide stable backwards
compatibility.
The first deals with how API defaults are specified.
Previously, API default behavior was given in terms of allow/deny, i.e.
``` rego
"create_container": {"introducedVersion": "0.1.0",
"allowedByDefault": false}
```
This does not reflect how the API has evolved, in particular the fact that GCS
expects the API to return objects and not a single boolean value. Thus, the
defaults have been updated to be default object values:
``` rego
"create_container": {"introducedVersion": "0.1.0",
"default_results": {"allowed": false,
"env_list": null,
"allow_stdio_access": true}},
```
The resulting default object is then combined with the value returned by the
(older) policy using an object union operation. For example, if the
default is:
``` json
{
"allowed": false,
"env_list": null,
"allow_stdio_access": true
}
```
and the value returned by an older policy is:
``` json
{
"allowed": true,
}
```
then then the fields of the policy result overwrite the fields of the default
to create the final result:
``` json
{
"allowed": true,
"env_list": null,
"allow_stdio_access": true
}
```
As the API stabilizes, it will increasingly be the case that the Framework will
change independently of the API and will need its own SVN. The second major
change this PR incorporates is to add a Framework SVN to fragments and policies
which use the provided framework. This allows us to provide Framework-specific
backwards compatibility behavior. In particular, this allows us to specify
policy object versioning via the new `framework_objects.json` file. For example,
the format of the external process object is defined as:
``` json
"external_process": {
"command": {
"introduced_version": "0.1.0",
"default_value": null
},
"env_rules": {
"introduced_version": "0.1.0",
"default_value": null
},
"working_dir": {
"introduced_version": "0.1.0",
"default_value": null
},
"allow_stdio_access": {
"introduced_version": "0.1.0",
"default_value": null
}
},
```
As new elements are added to framework policy objects, reasonable defaults can
be provided here. This has repercussions on policies in a few cases:
1. **`framework_svn` is missing.** If the policy or fragment does not define a
Framework SVN, then the framework must thrown an error for any rule which
uses the object defaults, as the behavior is undefined.
2. **`framework_svn` is ahead of the executing Framework SVN**. Similarly, if
a policy or fragment specifies an SVN which is greater than that of the
executing Framework, they are indicating that they expect a different set of
constraints to be executing and thus we must thrown an error when rules
that uses object defaults are executed.
Implementing and testing these changes required some minor alterations and
refactoring to the `regopolicyinterpreter`, in particular a method to make
raw Rego queries to facilitate testing the default application process for
candidate policy objects.
Signed-off-by: Matthew A Johnson <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change adds several features that are necessary to provide stable backwards compatibility.
The first deals with how API defaults are specified. Previously, API default behavior was given in terms of allow/deny, i.e.
This does not reflect how the API has evolved, in particular the fact that GCS expects the API to return objects and not a single boolean value. Thus, the defaults have been updated to be default object values:
The resulting default object is then combined with the value returned by the (older) policy using an object union operation. For example, if the default is:
{ "allowed": false, "env_list": null, "allow_stdio_access": true }and the value returned by an older policy is:
{ "allowed": true, }then then the fields of the policy result overwrite the fields of the default to create the final result:
{ "allowed": true, "env_list": null, "allow_stdio_access": true }As the API stabilizes, it will increasingly be the case that the Framework will change independently of the API and will need its own SVN. The second major change this PR incorporates is to add a Framework SVN to fragments and policies which use the provided framework. This allows us to provide Framework-specific backwards compatibility behavior. In particular, this allows us to specify policy object versioning via the new
framework_objects.jsonfile. For example, the format of the external process object is defined as:As new elements are added to framework policy objects, reasonable defaults can be provided here. This has repercussions on policies in a few cases:
framework_svnis missing. If the policy or fragment does not define a Framework SVN, then the framework must thrown an error for any rule which uses the object defaults, as the behavior is undefined.framework_svnis ahead of the executing Framework SVN. Similarly, if a policy or fragment specifies an SVN which is greater than that of the executing Framework, they are indicating that they expect a different set of constraints to be executing and thus we must thrown an error when rules that uses object defaults are executed.Implementing and testing these changes required some minor alterations and refactoring to the
regopolicyinterpreter, in particular a method to make raw Rego queries to facilitate testing the default application process for candidate policy objects.