
Inspektor

Inspektor is a protocol-aware proxy that is used to enforce access policies👮


What is Inspektor?

Inspektor is a protocol-aware proxy that is used to enforce access policies. It helps organizations secure their data assets and achieve data compliance.

Inspektor is designed to work with all databases, such as Postgres, MySQL, and MongoDB.

The access policies are defined using OPA (Open Policy Agent). Since policies are written in OPA, you can express rules such as granting a support engineer access only while a support ticket is assigned to them. Go to the official documentation to learn more about OPA.

Slack Integration Demo

Use Cases

  • Standardise your ad hoc data access
  • Create access credentials in no time for your dev team to debug
  • Manage all your data policies in a centralized place and avoid managing data policies in silos
  • Protect the PII of your customers while collaborating
  • Avoid accidentally running dangerous commands like DELETE and UPDATE

OPA (Open Policy Agent)

OPA provides a unified toolset and framework for policy across the cloud-native stack. Use OPA to release, analyze, and review policies without sacrificing availability or performance.

Here is an example policy written in Rego. It allows users with the ‘support’ role to modify only the shipped column of the claimed_items table, and it hides the email column of the customers table from users with the ‘support’ role.

package inspektor.resource.acl

default allow = false

default protected_attributes = []

default allowed_attributes = []

role_permission := {
    "support": [{"postgres-prod": {
        # insert is not allowed for the support role.
        "insert": {"allowed": false, "allowed_attributes": {}},

        # only the shipped column of claimed_items may be updated.
        "update": {"allowed": true, "allowed_attributes": {"prod.public.claimed_items.shipped"}},

        # copy is not allowed.
        "copy": {"allowed": false, "allowed_attributes": {}, "protected_attributes": {}},

        # the support role can view every column of the database except the
        # email column of the customers table.
        "view": {"allowed": true, "protected_attributes": {"prod.public.customers.email"}},
    }}],
}

# retrieve all the resources that are accessible to the
# incoming groups. eg: support, admin, dev
resources[resource] {
    resource = role_permission[input.groups[_]][_]
}

# retrieve the permission for the given datasource and
# action. eg: view, update
permission = resources[_][input.datasource][input.action]

# allow when the resolved permission is allowed.
allow {
    permission.allowed
}

# attributes that are allowed to be modified.
allowed_attributes = intersection(attributes) {
    attributes := {attribute | attribute := permission.allowed_attributes}
}

# attributes that need to be hidden from the user.
protected_attributes = intersection(attributes) {
    attributes := {attribute | attribute := permission.protected_attributes}
}
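Added example, not Inspektor's own code: a Python model of how the policy above resolves a request (groups, datasource, action) to a decision, and how a data plane could apply that decision to a query by selecting NULL in place of protected columns and rejecting an UPDATE that touches a column outside allowed_attributes. The SCHEMA table, the verb-to-action mapping and the regex-based query handling are assumptions made for the example.

```python
import re

# Constructed copy of the role_permission mapping from the Rego policy above.
ROLE_PERMISSION = {
    "support": [{"postgres-prod": {
        "insert": {"allowed": False, "allowed_attributes": set()},
        "update": {"allowed": True, "allowed_attributes": {"prod.public.claimed_items.shipped"}},
        "copy": {"allowed": False, "allowed_attributes": set(), "protected_attributes": set()},
        "view": {"allowed": True, "protected_attributes": {"prod.public.customers.email"}},
    }}],
}
# Assumed table layout, needed to expand '*' (a real data plane would read it from the database).
SCHEMA = {"customers": ["id", "email", "name"], "claimed_items": ["id", "shipped", "owner"]}
ACTION_OF_VERB = {"select": "view", "update": "update", "insert": "insert", "copy": "copy"}


def evaluate(groups, datasource, action):
    """Mirror of the Rego rules: returns allow, allowed_attributes and protected_attributes."""
    perms = [res[datasource][action] for g in groups for res in ROLE_PERMISSION.get(g, [])
             if action in res.get(datasource, {})]
    # `permission` is a complete rule, so more than one candidate value is a conflict in
    # OPA; this model fails closed in that case (assumption made for the example).
    if len(perms) != 1 or not perms[0].get("allowed", False):
        return {"allow": False, "allowed_attributes": set(), "protected_attributes": set()}
    p = perms[0]
    return {"allow": True, "allowed_attributes": set(p.get("allowed_attributes", ())),
            "protected_attributes": set(p.get("protected_attributes", ()))}


def enforce(groups, sql, datasource="postgres-prod"):
    """Return the query to forward to Postgres, or None when it must be rejected."""
    verb = sql.split(None, 1)[0].lower()
    decision = evaluate(groups, datasource, ACTION_OF_VERB.get(verb, verb))
    if not decision["allow"]:
        return None
    if verb == "select":  # hide protected columns by selecting NULL in their place
        m = re.match(r"select\s+(.+?)\s+from\s+(\w+)", sql, re.I | re.S)
        if not m:
            return None  # unparsed shape: fail closed
        cols, table = m.group(1).strip(), m.group(2).lower()
        names = SCHEMA[table] if cols == "*" else [c.strip() for c in cols.split(",")]
        out = [f"NULL AS {c}" if f"prod.public.{table}.{c}" in decision["protected_attributes"]
               else c for c in names]
        return f"SELECT {', '.join(out)} FROM {table}"
    if verb == "update":  # every column in SET must be in allowed_attributes
        m = re.match(r"update\s+(\w+)\s+set\s+(.+?)(\s+where\b.*)?$", sql, re.I | re.S)
        if not m:
            return None
        table, assigns = m.group(1).lower(), m.group(2)
        touched = {f"prod.public.{table}.{a.split('=')[0].strip()}" for a in assigns.split(",")}
        return sql if touched <= decision["allowed_attributes"] else None
    return sql
```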

Architecture

Inspektor comprises two main components.

  1. The Control Plane
  2. The Data Plane

Inspektor design

The Control Plane:

The control plane acts as a management service that dynamically configures your data plane in order to enforce policies.

It is the control center where an admin can configure and review all the roles of a particular employee or user.

The Data Plane:

The data plane is deployed alongside your data service. It intercepts the network traffic to your database and enforces the access policies on every query that comes in.

Supported Data Sources

  • Postgres

Planned Data Sources

  • Snowflake
  • MongoDB
  • MySQL
  • S3

Join Us!

Inspektor is an open-source project. If you have ideas to improve Inspektor, or if you find bugs or critical errors in the current code, please let us know by joining the Inspektor Discord. You can also visit the GitHub Discussions.


inspektor's Issues

No context in error messages

The error message given by Postgres is not parsed correctly and forwarded to the client.

Instead of forwarding the correct error message, Inspektor just sends ERROR without any context.

Add Kafka integration

Kafka is one of the popular message bus systems.

Add an integration to enforce policies on Kafka.

Add support for JSON in Postgres queries

Describe the bug
Inspektor doesn't support JSON queries.

To Reproduce
Parse the following query:

select * from tmpdb where cast(meta1->'refferedBy' as text) = '3332'

You'll get the following error:

ParserError("Expected an expression:, found: >")

Expected behavior
Inspektor should be able to parse JSON queries.

Table names are prefixed when using a wildcard select

Table names are prefixed if any column is considered a protected column.

eg:

select * from actors -> select actor.ssn as NULL, actor.first_name from actors

This may retrieve the results, but it's breaking ORM clients.

Expected Behaviour:

The table name should not be prefixed if not required.

Add SSL support

SSL will allow the end user to query and retrieve data in an encrypted way. So, add support for SSL in the data plane.

Add Teams bot integration

Microsoft Teams is widely used by big enterprises and companies. So, it'll be a good addition for users who are using Teams to do temp credentials approval on Teams itself.

Add an optional pass-through mechanism if a query fails

Is your feature request related to a problem? Please describe.
If we are not able to parse a query, instead of failing, the data plane should be able to pass the query through.

Describe the solution you'd like
This could solve the unsupported Postgres operators. We can add the support by taking the control plane reports.

Add a way to get short-lived credentials

All the credentials that Inspektor creates are long-lived.

There should be a way for admins to create short-lived credentials for data sources.

This can help teams give temporary credentials to a user.

Add support for MySQL

MySQL is a popular database in the SQL world.

Add support to enforce access policies on a MySQL server.

Add automation to run systest on GitHub Actions

Systest was recently added to Inspektor for testing. But systest doesn't run as part of the GitHub Actions workflow.

So add systest to GitHub Actions so that we can continuously monitor the stability.

Audit log all the user queries

Right now, we don't know what users are querying for. So, it'll be a good value addition if the admin can see what users are querying.

IDEA: the data plane should send all the logs to the control plane. The control plane pushes the logs to the respective data sinks.

But this puts a lot of pressure on the control plane. We can make the data plane push the logs, but it'll be hard to configure.

Add Slack integration

Slack integration will ease the process of requesting temp credentials from an admin.

For example:

A member can ask the Inspektor bot for credentials; the credentials will be provided on the approval of an admin.

Publish a daily report on Slack

On a day-to-day basis, orgs use multiple internal tools.

eg: Metabase to visualise organisation data and Retool to build internal apps

Teams don't have any clear view on what these tools are doing, or on whether these tools are being misused or not.

So come up with an idea where Inspektor can push some daily reports to Slack, so admins have some view on day-to-day data access. It'll also be used to capture if there's any anomaly in data access.

Add transaction support in the Postgres driver

The current Postgres driver only checks whether the incoming query is valid or not. But it doesn't know how to act in a transaction block.

For e.g.: the end user can query users but can't insert, as per policy.

SELECT * FROM USERS;
BEGIN;
INSERT INTO USERS(first_name, last_name) VALUES ('pooni', 'kuttypoonai');
COMMIT;

The expected behaviour is that Postgres should return data for the select statement and send an error for the insert in the transaction. But Inspektor's Postgres driver returns an error response directly.

Add Redshift support

Redshift is an AWS data warehouse service.

One of the community members asked for this support 🥳
