At the core of data mesh there are data products: autonomous units that expose data via REST-based programmatic interfaces, while preserving the provider sovereignty and ensuring the consumer trust. However, despite their flexibility, adopting data products raises challenges in defining and enforcing fine-grained, customizable access policies that apply to different domains, such as security and usage. This work investigates the potential of a policy-as-code approach to support policy specification and automated compliance in data product architectures. We propose an extension to the OpenAPI specification that (i) allows security and transformation policies to be represented directly within a data product’s OpenAPI description, (ii) feeds an automated pipeline to generate Open Policy Agent (OPA) Rego rules.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Automating Policy-as-Code Generation Pipeline for Data Products: An OpenAPI-Driven Rego Generator

  • Matteo Brambilla,
  • Matteo Falconi,
  • Valeria Maria Fortina,
  • Pierluigi Plebani,
  • Monica Vitali

摘要

At the core of data mesh there are data products: autonomous units that expose data via REST-based programmatic interfaces, while preserving the provider sovereignty and ensuring the consumer trust. However, despite their flexibility, adopting data products raises challenges in defining and enforcing fine-grained, customizable access policies that apply to different domains, such as security and usage. This work investigates the potential of a policy-as-code approach to support policy specification and automated compliance in data product architectures. We propose an extension to the OpenAPI specification that (i) allows security and transformation policies to be represented directly within a data product’s OpenAPI description, (ii) feeds an automated pipeline to generate Open Policy Agent (OPA) Rego rules.