OPA
Notes from a presentation at work.
Open Policy Agent is a general purpose policy[fn:1] engine whose rules are written in Rego. It allows you to write policy as code.
- Separates policy decisions from enforcement;
- Decouples policy from business logic;
- Context-aware policy enforcement;
- Rules written in a language called Rego.
There are three core components:
- input
  - some JSON data
- policy
  - written in Rego
- decision
  - allow := true/false
It can be integrated as a REST API, as a sidecar, or as Gatekeeper (Kubernetes admission control).
As an example, consider a system where users with a role of "admin" can perform a "delete" operation, and any user with a (non-empty) role can perform a "read" or "write" operation. You can test this on the OPA playground.
#+begin_src rego
package play

import rego.v1  # needed on OPA < 1.0 for the `if` and `in` keywords; accepted on 1.x

default allow := false

# Only admins may delete. Both rules read the same field, input.user.role.
allow if {
    input.user.role == "admin"
    input.operation == "delete"
}

# Any user with a non-empty role may read or write.
allow if {
    input.user.role != ""
    input.operation in ["read", "write"]
}
#+end_src
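A policy is only as trustworthy as its tests, so here is a Rego unit-test file for the playground policy above. This is an added example, not code from the presentation or from the OPA project; it assumes the policy lives in package `play`, that both of its rules read `input.user.role` (singular), and that OPA 0.59 or newer is used (for `import rego.v1`). The inputs are constructed for the tests.

```rego
package play_test

import rego.v1

import data.play

# Positive case: the admin/delete rule fires.
test_admin_can_delete if {
	play.allow with input as {"user": {"role": "admin"}, "operation": "delete"}
}

# Non-admins must not be able to delete, even with a valid role.
test_writer_cannot_delete if {
	not play.allow with input as {"user": {"role": "writer"}, "operation": "delete"}
}

# Any non-empty role may read or write.
test_any_role_can_read if {
	play.allow with input as {"user": {"role": "writer"}, "operation": "read"}
}

test_any_role_can_write if {
	play.allow with input as {"user": {"role": "auditor"}, "operation": "write"}
}

# Empty role string is rejected by the `!= ""` check.
test_empty_role_denied if {
	not play.allow with input as {"user": {"role": ""}, "operation": "read"}
}

# Missing role key: input.user.role is undefined, so no rule body succeeds
# and the default (false) applies. Fail-closed behaviour worth pinning down.
test_missing_role_denied if {
	not play.allow with input as {"user": {}, "operation": "read"}
}

# An operation the policy never mentions is denied for everyone, admin included.
test_unknown_operation_denied if {
	not play.allow with input as {"user": {"role": "admin"}, "operation": "purge"}
}
```

Put this file next to the policy and run `opa test -v .`; every `test_` rule must evaluate to true for the run to pass. The last two tests matter most from a security point of view: they confirm the policy fails closed when the input is malformed or when a caller asks for an operation nobody anticipated.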
You can integrate it into CI/CD pipelines to enforce deployment policies, and integrate with systems like Terraform to do the same.
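As an added example of the CI/CD use mentioned above (not code from the presentation or from OPA), here is a Rego policy that gates a Terraform apply on the JSON produced by `terraform show -json tfplan`. It relies only on the documented plan fields `resource_changes[].address` and `resource_changes[].change.actions`; the package name `terraform.deploy`, the rule names, and the sample plan in the test rules are assumptions and constructed data.

```rego
package terraform.deploy

import rego.v1

# Actions that destroy infrastructure. Terraform encodes a replacement as
# ["delete", "create"] or ["create", "delete"], so "delete" covers both.
destructive_actions := {"delete"}

# Addresses of resources whose planned change includes a destructive action.
destructive_resources contains rc.address if {
	some rc in input.resource_changes
	some action in rc.change.actions
	action in destructive_actions
}

# One human-readable denial per destructive change, for the pipeline log.
deny contains msg if {
	some address in destructive_resources
	msg := sprintf("resource %s would be destroyed by this plan", [address])
}

# The decision the pipeline reads: allow only when nothing is denied.
default allow := false

allow if count(deny) == 0

# --- tests over a constructed plan (not real Terraform output) ---

test_plan_with_delete_denied if {
	plan := {"resource_changes": [
		{"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "change": {"actions": ["delete"]}},
		{"address": "aws_instance.web", "type": "aws_instance", "change": {"actions": ["update"]}}
	]}
	not allow with input as plan
	deny == {"resource aws_s3_bucket.logs would be destroyed by this plan"} with input as plan
}

test_replace_is_treated_as_delete if {
	plan := {"resource_changes": [
		{"address": "aws_db_instance.main", "type": "aws_db_instance", "change": {"actions": ["delete", "create"]}}
	]}
	not allow with input as plan
}

test_plan_without_delete_allowed if {
	plan := {"resource_changes": [
		{"address": "aws_instance.web", "type": "aws_instance", "change": {"actions": ["create"]}}
	]}
	allow with input as plan
	count(deny) == 0 with input as plan
}
```

In a pipeline the sequence is `terraform plan -out tfplan`, `terraform show -json tfplan > plan.json`, then `opa eval -i plan.json -d deploy.rego --fail-defined 'data.terraform.deploy.deny[_]'`, which exits non-zero whenever a denial exists; `opa test -v deploy.rego` runs the embedded tests. Because `allow` defaults to false, a plan file that is empty or lacks `resource_changes` is allowed (the set is empty), so pair this with a check that the plan was actually generated.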
Footnotes:
[fn:1] Policies are a set of rules for authorization and access control.