32 lines
1.4 KiB
Go
32 lines
1.4 KiB
Go
package policy
|
|
|
|
import _ "embed"
|
|
|
|
// ReferenceRego is a read-ACL Rego SKELETON bundled with zddc-server for
|
|
// external-OPA deployments. It models the read cascade ONLY and is NOT a
|
|
// semantic mirror of the InternalDecider: it does not implement per-verb
|
|
// authorization (write/create/delete/admin), WORM zones, roles, fences, or
|
|
// config-edit, so it is FAIL-CLOSED — every non-read action is denied except
|
|
// for an elevated admin (input.user.is_active_admin). The InternalDecider
|
|
// remains the production source of truth. parity_test.go (OPA as a test-only
|
|
// dependency, so the production binary stays OPA-free) checks the modelled
|
|
// read-cascade dimension only — it does NOT prove full parity.
|
|
//
|
|
// Operators running an external OPA can use this as a STARTING POINT — they
|
|
// must add the unmodelled write/WORM/role/admin semantics before relying on
|
|
// it for write authorization:
|
|
//
|
|
// zddc-server --print-rego > /etc/opa/policies/zddc-access.rego
|
|
//
|
|
// Customizations typical for federal deployments:
|
|
//
|
|
// - Flip the leaf-allow-overrides-parent-deny semantics so parent denies
|
|
// are absolute (NIST AC-6 least-privilege posture).
|
|
// - Add role-based access via additional input fields (input.user.roles
|
|
// populated by the upstream proxy from SAML/OIDC claims).
|
|
// - Add time-of-day or IP-range constraints.
|
|
// - Emit decision logs in a SIEM-friendly format via OPA's logging
|
|
// plugins.
|
|
//
|
|
//go:embed rego/access.rego
|
|
var ReferenceRego string
|