Skip to content

feat(authz): add obligation policy decision point #2706

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 21 commits into from
Sep 16, 2025
Merged

feat(authz): add obligation policy decision point #2706

merged 21 commits into from
Sep 16, 2025

Conversation

jakedoublev
Copy link
Contributor

@jakedoublev jakedoublev commented Sep 9, 2025
edited
Loading

  1. new obligations pdp
  2. GetRequiredObligations support
  3. consideration for client-scoped triggers and unscoped triggers (just actions/attributes)
  4. tests for all the above

Future:

  1. wire up to auth service with a decision request that also takes in PEP-reported fulfillable obligations
  2. validating fulfillment of obligations against required obligations
  3. tests for fulfillment validation logic

@github-actions github-actions bot added the size/m label Sep 9, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 9, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 181.632031ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 101.005571ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 345.308501ms
Throughput 289.60 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 37.234283138s
Average Latency 370.372774ms
Throughput 134.28 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 25.826814049s
Average Latency 257.171401ms
Throughput 193.60 requests/second

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 9, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 185.40123ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 94.767759ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 353.493642ms
Throughput 282.89 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 37.781353797s
Average Latency 375.427876ms
Throughput 132.34 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 26.234621612s
Average Latency 261.2879ms
Throughput 190.59 requests/second

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Sep 9, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 169.705628ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 100.375737ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 352.736316ms
Throughput 283.50 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 36.605553881s
Average Latency 364.636533ms
Throughput 136.59 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 25.422236169s
Average Latency 253.076358ms
Throughput 196.68 requests/second

@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 169.959232ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 105.053468ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 354.911012ms
Throughput 281.76 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 36.906022817s
Average Latency 367.001214ms
Throughput 135.48 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 27.288474027s
Average Latency 271.81943ms
Throughput 183.23 requests/second

@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 188.878472ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 100.210019ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 364.380316ms
Throughput 274.44 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 38.327454566s
Average Latency 381.502257ms
Throughput 130.45 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 26.349647474s
Average Latency 262.589794ms
Throughput 189.76 requests/second

@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 177.514473ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 86.995603ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 358.764547ms
Throughput 278.73 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 36.504100973s
Average Latency 362.862502ms
Throughput 136.97 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 25.354970173s
Average Latency 252.867963ms
Throughput 197.20 requests/second

@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 182.262856ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 95.021997ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 343.14403ms
Throughput 291.42 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 36.208942956s
Average Latency 360.242723ms
Throughput 138.09 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 25.281195289s
Average Latency 251.956037ms
Throughput 197.78 requests/second

@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 179.919846ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 101.125915ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 350.872139ms
Throughput 285.00 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 37.626301633s
Average Latency 374.222093ms
Throughput 132.89 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 25.88471224s
Average Latency 257.712708ms
Throughput 193.16 requests/second

@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 194.151524ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 97.237912ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 351.168547ms
Throughput 284.76 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 37.527106899s
Average Latency 373.729058ms
Throughput 133.24 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 25.658674654s
Average Latency 255.576125ms
Throughput 194.87 requests/second

@jakedoublev jakedoublev marked this pull request as ready for review September 16, 2025 20:54
@jakedoublev jakedoublev requested a review from a team as a code owner September 16, 2025 20:54
@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 169.901262ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 98.095896ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 344.030081ms
Throughput 290.67 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 36.310828351s
Average Latency 361.52483ms
Throughput 137.70 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 25.530308768s
Average Latency 254.124204ms
Throughput 195.85 requests/second

@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 171.932549ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 93.880482ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 348.736617ms
Throughput 286.75 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 37.849695778s
Average Latency 376.961631ms
Throughput 132.10 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 25.940645449s
Average Latency 257.887393ms
Throughput 192.75 requests/second

@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 174.74045ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 100.244857ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 347.338248ms
Throughput 287.90 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 37.338083928s
Average Latency 371.632313ms
Throughput 133.91 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 26.009877462s
Average Latency 259.08924ms
Throughput 192.23 requests/second

alkalescent
alkalescent approved these changes Sep 16, 2025
View reviewed changes
Copy link
Contributor

@alkalescent alkalescent left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@jakedoublev jakedoublev added this pull request to the merge queue Sep 16, 2025
Merged via the queue into main with commit bb2a4f8 Sep 16, 2025
32 checks passed
@jakedoublev jakedoublev deleted the feat/DSPX-1354 branch September 16, 2025 21:50
@opentdf-automation opentdf-automation bot mentioned this pull request Sep 16, 2025
Merged
github-merge-queue bot pushed a commit that referenced this pull request Sep 17, 2025
@opentdf-automation
chore(main): release service 0.10.0 (#2672)
da1366a 
🤖 I have created a release *beep* *boop*
---


##
[0.10.0](service/v0.9.0...service/v0.10.0)
(2025-09-17)


### ⚠ BREAKING CHANGES

* **policy:** Add manager column to provider configuration for
multi-instance support
([#2601](#2601))

### Features

* **authz:** add obligation policy decision point
([#2706](#2706))
([bb2a4f8](bb2a4f8))
* **core:** add service negation for op mode
([#2680](#2680))
([029db8c](029db8c))
* **core:** Bump default write timeout.
([#2671](#2671))
([6a233c1](6a233c1))
* **core:** Encapsulate>Encrypt
([#2676](#2676))
([3c5a614](3c5a614))
* **core:** Lets key manager factory take context
([#2715](#2715))
([8d70993](8d70993))
* **policy:** add FQN of obligation definitions/values to protos
([#2703](#2703))
([45ded0e](45ded0e))
* **policy:** Add manager column to provider configuration for
multi-instance support
([#2601](#2601))
([a5fc994](a5fc994))
* **policy:** Add obligation triggers
([#2675](#2675))
([22d0837](22d0837))
* **policy:** add protovalidate for obligation defs + vals
([#2699](#2699))
([af5c049](af5c049))
* **policy:** Allow creation and update of triggers on Obligation Values
([#2691](#2691))
([b1e7ba1](b1e7ba1))
* **policy:** Allow for additional context to be added to obligation
triggers ([#2705](#2705))
([7025599](7025599))
* **policy:** Include Triggers in GET/LISTable reqs
([#2704](#2704))
([b4381d1](b4381d1))
* **policy:** obligations + values CRUD
([#2545](#2545))
([c194e35](c194e35))
* use public AES protected key from lib/ocrypto
([#2600](#2600))
([75d7590](75d7590))


### Bug Fixes

* **core:** remove extraneous comment
([#2741](#2741))
([ada8da6](ada8da6))
* **core:** return services in the order they were registered
([#2733](#2733))
([1d661db](1d661db))
* **deps:** bump github.com/opentdf/platform/lib/ocrypto from 0.3.0 to
0.6.0 in /service
([#2714](#2714))
([00354b3](00354b3))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.7.0 to
0.9.0 in /service
([#2726](#2726))
([9004368](9004368))
* **deps:** bump protocol/go to 0.10.0 in service
([#2734](#2734))
([11e6201](11e6201))
* **deps:** update protovalidate to v0.14.2 to use new buf validate
MessageOneofRule
([#2698](#2698))
([1cae18e](1cae18e))
* **policy:** Registered Resources should consider actions correctly
within Decision Requests
([#2681](#2681))
([cf264a2](cf264a2))
* sanitize db schema identifiers
([#2682](#2682))
([0d3dd94](0d3dd94))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@alkalescent alkalescent alkalescent approved these changes

Assignees
No one assigned
Labels
size/m
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jakedoublev @alkalescent