Open Policy Agent
OPA (Open Policy Agent) is a general-purpose policy engine for policy-based access control in cloud-native environments: a service hands OPA a query plus some input, OPA evaluates the relevant policy, and the service enforces whatever decision comes back. Policy decision and policy enforcement are therefore decoupled.
Concepts
- Policies
  - Are expressed in Rego, OPA's declarative policy language.
  - Contain any number of rules.
  - Commonly return true/false, but a rule can return any valid JSON value (a string, an object, a set of reasons, ...).
  - Can be tested with the built-in unit testing framework (opa test).
  - Have access to two global variables: data, which holds the policy data (the documents loaded alongside the policies), and input, which holds the query input.
- Data (JSON): the documents (typically JSON files or bundles) loaded next to the policies and exposed under data, e.g. role-to-permission mappings.
- Query: a request to evaluate a policy path (such as data.example.allow) against a given input.
- Decision: the value the query evaluates to; the calling service enforces it. A decision can also be undefined when no rule matches and no default is declared, which callers must treat as deny.
Overview
sequenceDiagram
actor Client
participant Service
participant OPA
Client->>+Service: Event
Service->>+OPA: Query
OPA-->>-Service: Decision
Service-->>-Client: Result
Workflow
Write a policy (policy.rego). The if keyword and := assignment are mandatory in OPA 1.0; on OPA 0.59 and later the import rego.v1 line enables the same syntax, so the file runs on both:
package example

import rego.v1

# Deny unless a rule below proves otherwise.
default allow := false

# Allow when any of the user's roles is "admin".
allow if {
    input.user.roles[_] == "admin"
}
One-time evaluation
Write a sample input (user.json):
{
  "user": {
    "roles": ["reader"]
  }
}
Evaluate it:
opa eval --data policy.rego --input user.json 'data.example.allow'
For this input the decision is false, printed inside OPA's JSON result envelope; add --format raw to print the bare value instead.
Testing
To test it, write another policy, preferably in a separate package (example_test.rego). Any rule whose name starts with test_ is a test; it passes when its body evaluates to true, so the negative cases must assert not allow (asserting allow with a non-admin input would evaluate to false and fail the test):
package example_test

import rego.v1

import data.example.allow

# No input at all: only the default rule applies.
test_allow_false_by_default if {
    not allow
}

# Roles are present, but none of them is "admin".
test_allow_false_when_user_lacks_role_admin if {
    not allow with input as {
        "user": {
            "roles": ["reader", "writer"]
        }
    }
}

test_allow_true_when_user_has_role_admin if {
    allow with input as {
        "user": {
            "roles": ["admin"]
        }
    }
}
Run the tests (add -v to list each test by name):
opa test .
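The policy above only reads input. As an added example (not code from the page or from the OPA project), the policy below uses both globals from the Concepts list and returns a non-boolean decision: role-to-permission mappings come from data, the request comes from input, and deny is a set of human-readable reasons from which allow is derived. It assumes a data document loaded next to it, e.g. a file roles.json containing {"role_permissions": {"admin": ["read", "write", "delete"], "reader": ["read"]}}, which OPA exposes as data.role_permissions; the tests substitute a constructed mapping for that document with the with keyword, so they run without it. The package name rbac, the data path and the sample users are assumptions.

```rego
# Added example, not from the page: a data-driven RBAC policy with its unit
# tests in the same package, so `opa test rbac.rego` runs it stand-alone.
# Assumes a data document such as roles.json = {"role_permissions": {...}}
# loaded alongside the policy, exposed as data.role_permissions.
package rbac

import rego.v1

# Deny by default; allow only when the deny set is empty.
default allow := false

allow if count(deny) == 0

# deny is a set of reasons rather than a boolean, which shows that a decision
# can be any JSON value: callers can query data.rbac.deny to learn why.
deny contains "request must carry user.id, action and resource as strings" if {
	not valid_request
}

deny contains msg if {
	valid_request
	not action_permitted
	msg := sprintf("user %q has no role granting action %q", [input.user.id, input.action])
}

valid_request if {
	is_string(input.user.id)
	is_string(input.action)
	is_string(input.resource)
}

# The action is permitted if any of the user's roles lists it in data.
# An unknown role makes data.role_permissions[role] undefined, so it grants nothing.
action_permitted if {
	some role in input.user.roles
	input.action in data.role_permissions[role]
}

# ---- tests: rules named test_* are run by `opa test` ----

# Constructed role mapping, substituted for data.role_permissions via `with`
# so the tests do not depend on roles.json being present.
mock_roles := {"admin": ["read", "write", "delete"], "reader": ["read"]}

test_incomplete_request_is_denied if {
	not allow with input as {"user": {"id": "alice"}}
}

test_reader_can_read if {
	allow with input as {"user": {"id": "alice", "roles": ["reader"]}, "action": "read", "resource": "doc-1"}
		with data.role_permissions as mock_roles
}

test_reader_cannot_delete if {
	not allow with input as {"user": {"id": "alice", "roles": ["reader"]}, "action": "delete", "resource": "doc-1"}
		with data.role_permissions as mock_roles
}

test_unknown_role_is_denied if {
	not allow with input as {"user": {"id": "mallory", "roles": ["ghost"]}, "action": "read", "resource": "doc-1"}
		with data.role_permissions as mock_roles
}

test_deny_reason_names_user_and_action if {
	reasons := deny with input as {"user": {"id": "alice", "roles": ["reader"]}, "action": "delete", "resource": "doc-1"}
		with data.role_permissions as mock_roles
	reasons == {`user "alice" has no role granting action "delete"`}
}
```

Outside the tests, evaluate it against the real data document with opa eval --data rbac.rego --data roles.json --input request.json 'data.rbac' to get the whole package as one JSON object (allow, deny and the helper rules), or query data.rbac.deny alone to return only the reasons. Deriving allow from an empty deny set keeps the default-deny posture even as more deny rules are added: a new rule can only remove access, never grant it by accident.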
Using the server
Start OPA as a daemon with the policy loaded (by default it listens on :8181 on all interfaces with no authentication; for anything beyond a local experiment pass --addr localhost:8181 or enable --authentication=token --authorization=basic):
opa run --server policy.rego
Query a decision over the REST API: the policy path becomes the URL path and the input goes in the "input" field of the request body.
POST /v1/data/example/allow
Accept: application/json
Content-Type: application/json

{
  "input": {
    "user": {
      "roles": ["admin"]
    }
  }
}
The response body for this input is {"result": true}. If the queried document were undefined (no matching rule and no default), the response would be {} with no "result" key at all, which the calling service must treat as deny rather than as a missing field.