Act
Act, a core component of GatewayD, is a policy engine that supports signals, policies and actions. It is used to automate the execution of business rules. The business rules are currently written as expressions in the Expr language, with support for external policy engines to come. The expressions are evaluated against the signals received from the plugins and the corresponding actions are executed if the policy expressions evaluate to true (boolean) or any other type recognized by the action.
Previously, there were only a single signal, policy and action, called the terminatePolicy
, which were hard-coded into the GatewayD codebase. This made it difficult to extend and customize the behavior of GatewayD. With the new Act, based on this proposal, the signals, policies and actions are pluggable and can be extended to support custom requirements. This opens up a wide range of possibilities for customizing the behavior of GatewayD to suit the needs of different use cases. For example, a policy can be written to check if the request is coming from a specific IP address, and if so, the action can be to terminate the request.
For more information about configuring policies, see the plugins’ general configuration.
The Act component is currently under active development and the core functionality is available in the GatewayD and the SDK codebases. The information provided here is based on the proposal and the current state of the development. The documentation will be updated as the development progresses.
Signals
A signal is a message that is sent to the policy engine to trigger the evaluation of the policies. The signals are generated by the plugins and are sent to the policy engine for evaluation. The signals can be of different types, such as terminate
, log
, etc., and can contain different types of data, such as the log message and log level, and whether the signal is enabled or not. A signal consists of two fields:
name
: The name of the signal, such asterminate
,log
, etc.metadata
: The metadata associated with the signal, such as the log message and log level. This can be used to pass additional information to the policy engine for evaluation.
For example, the terminate
signal can be sent with the following metadata:
name: terminate
metadata:
terminate: true
Policies
A policy is a set of rules that are evaluated against the signals to determine whether the actions should be executed. The policies are written as expressions in the Expr language, with support for external policy engines to come. The expressions are evaluated against the signals received from the plugins and the corresponding actions are executed if the policy expressions evaluate to a type recognized by the action. Policies have the following fields:
name
: The name of the policy, such asterminate
,log
, etc.policy
: The policy expression written in the Expr language.metadata
: The metadata associated with the policy, such as the log message and log level. This can be used to pass additional information to the policy engine for evaluation.
For example, the policy that matches the terminate
signal can be written as:
name: terminate
policy: "Signal.terminate == true && Policy.terminate == 'stop'"
metadata:
terminate: "stop" # Change this to "continue" to continue the execution
Certain fields are made available to the policy expressions for evaluation. These fields are:
Name
: The name of the signal.Signal
: The metadata of the signal that is sent to the policy engine for evaluation.Policy
: The policy that is evaluated against the signal. This includes the policy name and metadata.Hook
: The plugin hook that is run to generate the signal. This includes the hook name, priority, input parameters and output result.
The Hook
field is a map that contains the following fields:
Field | Description | Type | Example |
---|---|---|---|
Hook.Name | The name of the hook. | string | HOOK_NAME_ON_TRAFFIC_FROM_CLIENT |
Hook.Priority | The priority of the hook. | string | 1000 |
Hook.Params | The input parameters. | map | {"server": {"remote": "127.0.0.1:5432", "local": "127.0.0.1:53684"}, "client": {"remote": "127.0.0.1:15432", "local": "127.0.0.1:37502"}, ...} |
Hook.Name
(string)Hook.Priority
(string)Hook.Params
(map)Hook.Params.server.remote
(string)Hook.Params.server.local
(string)Hook.Params.client.remote
(string)Hook.Params.client.local
(string)Hook.Params.request
(bytes) (currently not usable in Expr language, but will be available in the future via helper functions)
Hook.Result
(map) (usually a superset ofHook.Params
)Hook.Result.server.remote
(string)Hook.Result.server.local
(string)Hook.Result.client.remote
(string)Hook.Result.client.local
(string)Hook.Result.request
(bytes) (currently not usable in Expr language, but will be available in the future via helper functions)Hook.Result.response
(bytes) (currently not usable in Expr language, but will be available in the future via helper functions)- Fields parsed by the
postgres.HandleClientMessage
andpostgres.HandleServerMessage
functions, seewire.go
.
Actions
The action can be run in sync or async mode, and it can return a result or an error. The actions are executed if the policy expressions evaluate to true (boolean) or any other type recognized by the action. The actions have the following fields:
name
: The name of the action, such asterminate
,log
, etc.metadata
: The metadata associated with the action, such as the log message and log level.sync
: Whether the action should be run in sync or async mode.terminal
: Whether the action is terminal or not.run
: The function that is executed when the action is triggered. This is currently written in Go, with support for writing actions in other languages to come.timeout
: Optional value to indicate the timeout for the action in seconds. If not given, theactionTimeout
value of general configuration will be used to determine the timeout. If both of these values have a zero value, the action will run without a timeout.
For example, the action that matches the terminate
policy can be written as:
name: terminate
metadata:
terminate: "stop"
sync: true
terminal: true
The terminate function is available here.
Signals, policies and actions must have the same name to be matched and executed. For example, the
terminate
signal will be matched with theterminate
policy and theterminate
action will be executed if the policy expression evaluates to true.