guardian icon indicating copy to clipboard operation
guardian copied to clipboard
verified publisher icon raystack

Appeal approval outside Guardian

Open singhvikash11 opened this issue 3 years ago • 11 comments

Summary Complex appeal approval flow can't be modelled using policy config YAML file so in that case, Guardian should be able to integrate with existing complex approval flow like bpmn.

Proposed solution Guardian can integrate with exiting approval flow either by webhook or subscribe to events.

singhvikash11 avatar Jul 12 '22 07:07 singhvikash11

my rough thought for now is, we can introduce type field in the approval step configuration. If the approach for this is to fetch to external service, we can set the type as fetch and provide the host, creds, payload etc. While the existing human/auto approval step would be the normal type

rahmatrhd avatar Jul 13 '22 19:07 rahmatrhd

Hmm. This is interesting. I can think of a couple of types.

  • manual: By Humans. (I think this is what you refer as normal)
  • http: Guardian will call an http API to check. (Referred as fetch)
  • auto: Approve automatically if a certain condition is met.

Thoughts?

ravisuhag avatar Jul 13 '22 19:07 ravisuhag

pardon me, I just realized that we already have strategy field with possible values auto and manual, we can simply introduce http for this 😁

rahmatrhd avatar Jul 13 '22 20:07 rahmatrhd

@singhvikash11 we need to define a contract for the http api, can you help with that?

rahmatrhd avatar Jul 13 '22 20:07 rahmatrhd

my proposal for this:

# policy
id: my-policy
steps:
- name: owner-approval
  strategy: manual
  approvers:
  - $appeal.resource.details.owner
- name: external-approval
  strategy: auto
  http:
    url: http://example.com/approval/$appeal.account_id
    headers:
      X-Foo-Bar: baz
    authorization:
      type: basic
      username: user
      password: pass
  approve_if: '$response.body.foo == "bar"'
  1. can just use existing auto strategy with the same resolution using existing approve_if.
  2. approve_if will get evaluated only if response status is 200 OK
  3. add $response param to approve_if evaluation if http config is present and response status is 200 OK
  4. one field addition which is http containing target API info (GET only)
  5. no API contract required with guardian

rahmatrhd avatar Jul 21 '22 02:07 rahmatrhd

@rahmatrhd any reason to use auto and not http?

ravisuhag avatar Jul 21 '22 03:07 ravisuhag

@ravisuhag because http fetch approval is essentially an automatic approval that doesn't require human approval

rahmatrhd avatar Jul 21 '22 07:07 rahmatrhd

@rahmatrhd One concern I have is that lot of params will become conditional. If the strategy is this then set this and this and so on. So it might get tricky for policy users to figure out for which strategy which params I should use. Same on the implementation side and combinations start to increase. So, would it make sense to actually segregate it as per strategy? thoughts?

ravisuhag avatar Jul 21 '22 08:07 ravisuhag

I think in addition to the above and detailed documentation, we should have also a command/api similar to guardian policy validate or guardian policy lint so that one can run it and check if the policy file that they have created is valid. and if valid, detailed error output to describe what is incorrect.

bsushmith avatar Jul 30 '22 16:07 bsushmith

@bsushmith can you create an issue for this please?

ravisuhag avatar Aug 01 '22 13:08 ravisuhag

Created issue https://github.com/odpf/guardian/issues/237

bsushmith avatar Aug 01 '22 19:08 bsushmith