Open Policy Agent (OPA) Introduction

What is OPA?



Started in 2016, it is a project aimed at unifying policy enforcement across technologies and systems. OPA is used by giant players in the tech industry today. For example, Netflix uses OPA to control access to its internal API resources. Chef uses it to provide IAM capabilities in their products for end users. In addition, many other companies like Cloudflare, Pinterest, and others use OPA to enforce policies across their platforms (such as Kubernetes clusters). OPA is currently part of the CNCF as an incubation project.







What does OPA offer?



How did OPA come about, you may ask? What problems is it trying to solve? Indeed, policy enforcement for APIs and microservices is as old as microservices themselves. There has never been a production-level application that did not provide some kind of access control, authorization, and policy enforcement. To understand the role of OPA, consider the following use case: your company sells laptops through an online portal. Like all similar apps, the portal consists of a home page where customers see the latest offers, possibly some limited-time promotions. If customers want to buy something, they need to sign in or create an account. They then make payments using their credit cards or other means. To keep your customers coming back, you invite them to subscribe to your newsletter, which may contain special discounts. Alternatively, they can choose to receive browser notifications as soon as new products are announced. A typical online shopping app, isn't it? Now let's depict what this workflow looks like in a diagram to visualize the process:













, . , . , . , ( ) S3, , API . ? , , . ? , ( ) API- , ? , , ? , . , . , , AWS IAM. . , :







  • — . , , . , S3, MySQL, MongoDB , , API, .
  • . , , : .
  • , , , .
  • , ? , HR.
  • , , , . .
  • , . , , Kubernetes, API-, , Java, Ruby PHP. .


Kubernetes . , , :







  • .
  • , , .
  • Ingress TLS, .
  • - .


, RBAC Pod . , . Kubernetes RBAC , Kubernetes.







Open Policy Agent (OPA). OPA .







OPA?



, OPA , — , «». , «».







, . . API, . , . , , , , , GET API / payment / jane. . JSON . , , -, , Payments API , . OPA :







  1. Payments API OPA. , HTTP, , , . .
  2. OPA .
  3. OPA API .


, OPA . OPA :













OPA — , . API, SSH Linux, , CEPH, . . OPA - . , . JSON , . , OPA, JSON. , , . , , OPA JSON True False, , .







OPA



OPA , . , .







: Rego



Rego — , OPA. , : GET- /api/v1/products



? ?









OPA, :







  • Go: Golang, OPA .
  • : Go, OPA, , . . , . , OPA, Kubernetes , , , . , , OPA , , , OPA. .








OPA?



, , OPA . , OPA . OPA API, :







  • API Bundle: OPA. OPA API Bundle . .
  • API : . , OPA.
  • API : , OPA , . API . .
  • , : , , , opa test, opa run, opa check . . VS Code.


OPA



, OPA, , , . , — Rego. — . :







« . ».







Rego. Rego. , , , :







package play

# Customers should be able to view their own payments
allow = true {
    input.method = "GET"
    input.path = ["payments", customer_id]
    input.user = customer_id
}





:







  1. , (#), . , , , .
  2. allow = true



    , , «» .
  3. — GET. HTTP (POST, PUT . .) .
  4. : /payments/customer_id



    . , customer_id



    , , , .
  5. customer_id



    .


, :

« , GET, — /payments/customer_id



, — customer_id



. ».







Rego , . INPUT , :







{
    "method": "GET",
    "path": ["payments", "bob"],
    "user": "bob"
}





, INPUT JSON. , . , OPA , Evaluate. OUTPUT :







{
    "allow": true
}





:













alice, , . Evaluate, , JSON {}. , OPA , , . , :







default allow = false





, :







package play

# Customers should be able to view their own payments
default allow = false

allow = true {
    input.method = "GET"
    input.path = ["payments", customer_id]
    input.user = customer_id
}





, Evaluate, :







{
    "allow": false
}





, Rego , . , , , . , .







, , , : .







, :













# Members of the finance group may view any customer's payments
allow = true {
    input.method = "GET"
    input.path = ["payments", customer_id]
    finance[input.user]
}

finance = {"john", "mary", "peter", "vivian"}





, 4. , , , JSON. Rego , , . , , . JSON INPUT . , (, bob). . john ( ) . , . , , (, ), false.







Rego , , .
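As an added example that is not from the original article, the two rules above (customers read their own payments, finance staff read anyone's) combined into one package with a default deny, together with opa test unit tests for them. It assumes OPA 0.59 or later, since it uses the import rego.v1 syntax (rules written with if, := and in rather than the older = form shown above); the user names are the same constructed ones the article uses.

```rego
package play

import rego.v1

# Deny by default: an unmatched request evaluates to false, not undefined.
default allow := false

# Customers may read their own payment records (GET /payments/<their own id>).
allow if {
    input.method == "GET"
    count(input.path) == 2
    input.path[0] == "payments"
    input.user == input.path[1]
}

# Finance staff may read any customer's payment records, but still only via GET.
allow if {
    input.method == "GET"
    count(input.path) == 2
    input.path[0] == "payments"
    input.user in finance
}

finance := {"john", "mary", "peter", "vivian"}

# Unit tests (run with `opa test -v policy.rego`); `with input as` substitutes
# the request document for each case.
test_customer_reads_own_payments if {
    allow with input as {"method": "GET", "path": ["payments", "bob"], "user": "bob"}
}

test_customer_cannot_read_others_payments if {
    not allow with input as {"method": "GET", "path": ["payments", "bob"], "user": "alice"}
}

test_finance_reads_any_payments if {
    allow with input as {"method": "GET", "path": ["payments", "bob"], "user": "john"}
}

test_finance_cannot_modify_payments if {
    not allow with input as {"method": "POST", "path": ["payments", "bob"], "user": "john"}
}
```

Because the default rule is present, a request that matches neither allow body (for example a GET with a three-segment path) returns false rather than an empty result, which is the behaviour the article shows for alice.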







OPA



, OPA . , OPA :







Kubernetes:



  • , .
  • , , Docker.
  • , .


API:



  • OPA Envoy, Istio IAM. , .


Linux PAM:



  • (PAM) Linux , SSH sudo. OPA PAM, PAM . , SSH , .


, OPA, . , Kafka, ElasticSearch, SQLite CEPH .







TL;DR



  • , .
  • , , . , API- , , . , .
  • OPA , , . OPA, OPA .
  • OPA . , - , . JSON.
  • Rego, , OPA. JavaScript, OPA OPA.
  • «Rego» — .
  • OPA Go, , .
  • API, OPA . , Kubernetes , . .
  • OPA API-, , .
  • , Rego . , Rego « ».
  • OPA can integrate with many modern systems and platforms such as Kubernetes, Kafka, SQLite, CEPH, and Terraform. With the PAM plug-in, it can also integrate with Linux PAM to provide advanced policy control on Linux daemons using PAM (such as sshd and sudo).


