Preventing Untrusted Workloads
wasmCloud hosts will always enforce a certain level of security by default that cannot be loosened. For example, hosts will always validate invocations and runtime links.
A policy service can be used to restrict starting/communicating with untrusted actors and providers on particular hosts.
The policy service is disabled by default. When enabled, the policy service will be called by a host when:
- a particular actor or provider is started for the first time
- an invocation is received between two entities for the first time
The policy service evaluates the provided action and returns a response indicating whether it is permitted. This response is cached by the host, so subsequent requests for the same action will not incur any overhead.
Policy Requests and Responses
Policy requests are made on a NATS subject, which is specified by the --policy-topic
host config option.
Policy request schema
{
"requestId": "... unique ID used for correlation ...",
"source": {
"publicKey": "Mxxx",
"contractId": "...",
"linkName": "default",
"capabilities": ["..."],
"issuer": "Nxxx",
"issuedOn" : "...",
"expiresAt": 0,
"expired": false,
},
"target": {
"publicKey": "Vxxx",
"issuer": "Nxxx",
"contractId": "...",
"linkName": "default",
},
"host": {
"publicKey": "Nxxx",
"latticeId": "default",
"labels": {
"hostcore.os": "mac",
},
"clusterIssuers": ["Cxxx", "Cxxy"]
},
"action": "[start_provider | start_actor | perform_invocation]"
}
Policy response schema
{
"requestId": "...",
"permitted": true,
"message": "..." (optional)
}
Revoking Policy Decisions
Past policy decisions can be revoked/overridden by the policy service by publishing on the --policy-changes-topic
NATS subject.
Hosting a Policy Service
Since the policy service API is over NATS, it can be implemented by anything that can subscribe and publish responses to the configured policy topic (including a wasmCloud actor!).
An example policy service is available as a wasmCloud actor.