Spike: Backend PoC for Centralized Security Policy Management in CSP

Overview

This spike explores and implements a backend-only Proof of Concept for the centralized management of security policies in CSP (Centralized Security Policies). The work is part of the Phase I implementation described in the parent epic and focuses on the foundational backend components needed to support policy designation, resolution, and scoping.

The architectural blueprint for this is available at https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/compliance_policy_instance_level_management/.

Objectives

  • Validate the technical approach for CSP designation at the instance level
  • Implement core backend services for policy resolution that includes instance-level policies
  • Create necessary API endpoints to support future UI implementation
  • Identify potential performance concerns and optimization opportunities
  • Document the technical implementation details for future development

Technical Exploration Areas

  1. CSP Designation Storage

    • Explore storing the CSP designation either by extending the application_settings.security_policies JSON column or by using application_settings.csp_namespace_id
    • Design the data structure for storing the CSP configuration and policy scoping information
  2. Policy Resolution Service

    • Extend the existing policy resolver to include instance-level (CSP) policies alongside group and project policies
    • Implement deduplication logic so that a policy defined at more than one hierarchy level (for example in the CSP group and again in a descendant group) is applied once
    • Design a caching strategy for optimized policy resolution, including when cached results must be invalidated
  3. API Development

    • Create API endpoints for CSP configuration and management
    • Implement endpoints for policy scope configuration
    • Update the GraphQL API to add an instance-level value to the policy source enumeration
  4. Permission Model

    • Implement admin-only permission checks for CSP configuration
    • Ensure proper authorization for policy application at different levels
  5. Performance Testing

    • Conduct basic performance testing with various hierarchy depths
    • Identify potential bottlenecks in policy resolution with the additional instance level
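
As an added illustration of the resolution, scoping and permission points above (example code written for this write-up, not GitLab's own resolver, schema or permission model): an in-memory model in which a designated CSP group's policies are layered over the group chain and the project, scope filters are applied, and a policy name that appears at several levels collapses to the highest-level definition. The hierarchy data, the scope keys (include_groups, exclude_groups, include_projects, exclude_projects), the precedence rule, the per-project cache and the admin check are all assumptions made for the example.

```ruby
require 'set'

# A policy as stored: a name plus an optional scope hash. The scope keys are an
# assumed shape for this example, not the project's data model.
Policy = Struct.new(:name, :scope, :source, keyword_init: true)

class PolicyResolver
  def initialize(groups:, projects:, admin_ids:)
    @groups = groups        # id => { parent_id: Integer | nil, policies: [Policy] }
    @projects = projects    # id => { group_id: Integer, policies: [Policy] }
    @admin_ids = Set.new(admin_ids)
    @csp = nil              # set by designate_csp!
    @cache = {}             # project_id => resolved policies, cleared when the CSP changes
  end

  # Designation is restricted to instance admins (assumed rule). The designated
  # group's policies become instance-level policies for every project.
  def designate_csp!(group_id, actor_id:)
    raise ArgumentError, 'only instance admins can designate the CSP' unless @admin_ids.include?(actor_id)
    raise ArgumentError, "unknown group #{group_id}" unless @groups.key?(group_id)

    @csp = { namespace_id: group_id, policies: @groups.fetch(group_id)[:policies] }
    @cache.clear
    group_id
  end

  # Policies that apply to a project, ordered instance (CSP) first, then each
  # group from the root down, then the project itself. A name seen at several
  # levels is kept once, from the highest level (uniq keeps the first match).
  def resolve(project_id)
    @cache[project_id] ||= begin
      project = @projects.fetch(project_id)
      chain = ancestors(project[:group_id])
      candidates = []
      candidates.concat(tag(@csp[:policies], :instance)) if @csp
      chain.each { |gid| candidates.concat(tag(@groups.fetch(gid)[:policies], :group)) }
      candidates.concat(tag(project[:policies], :project))
      candidates.select { |p| in_scope?(p, project_id, chain) }.uniq(&:name)
    end
  end

  private

  def tag(policies, source)
    policies.map { |p| Policy.new(name: p.name, scope: p.scope, source: source) }
  end

  # Group ids from the root down to the project's direct group.
  def ancestors(group_id)
    chain = []
    while group_id
      chain.unshift(group_id)
      group_id = @groups.fetch(group_id)[:parent_id]
    end
    chain
  end

  # Scope semantics assumed for the example: include_* restricts, exclude_* removes,
  # and an absent scope applies everywhere below the level that defined the policy.
  def in_scope?(policy, project_id, chain)
    s = policy.scope || {}
    return false if s[:include_groups] && (s[:include_groups] & chain).empty?
    return false if s[:exclude_groups] && !(s[:exclude_groups] & chain).empty?
    return false if s[:include_projects] && !s[:include_projects].include?(project_id)
    return false if s[:exclude_projects] && s[:exclude_projects].include?(project_id)
    true
  end
end

# Constructed sample hierarchy (not real data): group 1 becomes the CSP, group 2
# sits under it and repeats one of its policies, group 3 is an unrelated root.
def build_sample_resolver
  groups = {
    1 => { parent_id: nil, policies: [
      Policy.new(name: 'secret_detection'),
      Policy.new(name: 'sast', scope: { exclude_projects: [20] }),
      Policy.new(name: 'container_scanning', scope: { include_groups: [3] })
    ] },
    2 => { parent_id: 1, policies: [
      Policy.new(name: 'secret_detection'), # duplicate of the CSP policy, deduplicated
      Policy.new(name: 'dast')
    ] },
    3 => { parent_id: nil, policies: [] }
  }
  projects = {
    10 => { group_id: 2, policies: [Policy.new(name: 'license_scan')] },
    20 => { group_id: 2, policies: [] },
    30 => { group_id: 3, policies: [] }
  }
  resolver = PolicyResolver.new(groups: groups, projects: projects, admin_ids: [1])
  resolver.designate_csp!(1, actor_id: 1)
  resolver
end

if __FILE__ == $PROGRAM_NAME
  r = build_sample_resolver
  [10, 20, 30].each do |pid|
    puts "project #{pid}: " + r.resolve(pid).map { |p| "#{p.name}(#{p.source})" }.join(', ')
  end
end
```

Running the sample shows project 30, which is not under the CSP group at all, still receiving the instance-level policies, and project 10 receiving secret_detection once with source instance rather than twice. The cache here is only cleared on re-designation; a real implementation also has to invalidate when a policy or its scope changes at any level, which is the part of the caching strategy worth measuring in the performance testing item.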

Deliverables

  1. Working backend implementation of CSP designation
  2. Functional policy resolver that includes instance-level policies
  3. API endpoints for CSP configuration and policy scoping
  4. Technical documentation of implementation approach (updates to https://handbook.gitlab.com/handbook/engineering/architecture/design-documents/compliance_policy_instance_level_management/)
  5. Basic performance analysis report (potential implications)
  6. Recommendations for full implementation

Out of Scope

  • Frontend UI implementation (will be addressed in subsequent issues)
  • Integration with compliance frameworks (part of Phase II)
  • Full end-to-end testing with UI components
  • Production-ready implementation (this is a PoC)

Implementation Approach

We'll follow the implementation plan outlined in the parent epic, focusing on Iterations 1 and 2 for this spike:

  1. Implement CSP designation foundation
  2. Enhance policy resolution to include instance-level policies
  3. Create backend logic for policy scope configuration

Time Estimate

2 weeks

Related Information

This spike supports the workflows described in the parent epic, specifically focusing on the backend implementation needed to:

  • Designate a CSP
  • Create and configure CSP security policies
  • Scope policies to groups/subgroups and projects
  • Store CSP policies configuration
  • Apply policies based on scope configuration

Success Criteria

  • Backend services can designate a group as CSP
  • Policy resolver correctly includes instance-level policies
  • API endpoints are available for future UI implementation
  • Basic performance testing shows acceptable results
  • Technical approach is documented for future implementation
Edited by Alan (Maciej) Paruszewski