OPA
Open Policy Agent (OPA) is an open-source, general-purpose policy engine. Policies are written in Rego, a declarative language that expresses authorization rules as code, so they can be versioned, reviewed, and tested like any other code.
OPA's flexibility allows any authorization model to be implemented on top of it.
OPA is a powerful ally for organizations that require granular and dynamic access control across their systems.
RBAC
RBAC policy
package rbac.authz

import rego.v1

# user-role assignments
user_roles := {
    "alice": ["engineering", "webdev"],
    "bob": ["hr"],
}

# role-permissions assignments
role_permissions := {
    "engineering": [{"action": "read", "object": "server123"}],
    "webdev": [
        {"action": "read", "object": "server123"},
        {"action": "write", "object": "server123"},
    ],
    "hr": [{"action": "read", "object": "database456"}],
}

# logic that implements RBAC.
# deny by default: allow is false unless the rule body below succeeds
default allow := false

allow if {
    # lookup the list of roles for the user; undefined (and therefore denied) for unknown users
    roles := user_roles[input.user]
    # for each role in that list
    some r in roles
    # lookup the permissions list for role r
    permissions := role_permissions[r]
    # for each permission
    some p in permissions
    # check if the permission granted to r matches the user's request
    p == {"action": input.action, "object": input.object}
}
ABAC
ABAC policy
package abac

import rego.v1

# User attributes
user_attributes := {
    "alice": {"tenure": 15, "title": "trader"},
    "bob": {"tenure": 5, "title": "analyst"},
}

# Stock attributes
ticker_attributes := {
    "MSFT": {"exchange": "NASDAQ", "price": 59.20},
    "AMZN": {"exchange": "NASDAQ", "price": 813.64},
}

# deny by default; each of the two rules below grants access independently
default allow := false

# all traders may buy NASDAQ stock for up to $2M
allow if {
    # lookup the user's attributes (undefined, and therefore denied, for unknown users)
    user := user_attributes[input.user]
    # check that the user is a trader
    user.title == "trader"
    # check that the stock being purchased is sold on the NASDAQ
    # (undefined, and therefore denied, for unknown tickers)
    ticker_attributes[input.ticker].exchange == "NASDAQ"
    # check that the purchase amount is at most $2M
    input.amount <= 2000000
}

# traders with more than 10 years of tenure may buy NASDAQ stock for up to $5M
allow if {
    # lookup the user's attributes
    user := user_attributes[input.user]
    # check that the user is a trader
    user.title == "trader"
    # check that the stock being purchased is sold on the NASDAQ
    ticker_attributes[input.ticker].exchange == "NASDAQ"
    # check that the user has more than 10 years of tenure
    user.tenure > 10
    # check that the purchase amount is at most $5M
    input.amount <= 5000000
}
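The test file below is an added example, not part of the original page or of the OPA project's documentation. It exercises both the RBAC policy above and this ABAC policy with `opa test`. It assumes the two policies are saved as rbac.rego and abac.rego in the same directory as this file, authz_test.rego; the file names and the package name authz_test are assumptions. Beyond the happy paths, it pins down the cases a reviewer of an authorization policy should care about: an unknown user, an unknown ticker, a missing input field, and an amount sent as a string must all fall through to the default deny rather than error out or grant access.

```rego
# authz_test.rego (assumed file name) - run with: opa test -v .
package authz_test

import rego.v1

# assumed to live in rbac.rego and abac.rego next to this file
import data.abac
import data.rbac.authz

# --- RBAC -------------------------------------------------------------

# alice holds engineering, which grants read on server123
test_rbac_alice_can_read_server if {
	authz.allow with input as {"user": "alice", "action": "read", "object": "server123"}
}

# alice also holds webdev, which grants write on server123
test_rbac_alice_can_write_server if {
	authz.allow with input as {"user": "alice", "action": "write", "object": "server123"}
}

# bob only holds hr; no role of his grants write on server123
test_rbac_bob_cannot_write_server if {
	not authz.allow with input as {"user": "bob", "action": "write", "object": "server123"}
}

# permissions do not leak across roles: alice has no hr role
test_rbac_alice_cannot_read_database if {
	not authz.allow with input as {"user": "alice", "action": "read", "object": "database456"}
}

# unknown user: user_roles[input.user] is undefined, the rule body fails, default applies
test_rbac_unknown_user_denied if {
	not authz.allow with input as {"user": "mallory", "action": "read", "object": "server123"}
}

# missing input field: input.action is undefined, so the comparison never succeeds
test_rbac_missing_action_denied if {
	not authz.allow with input as {"user": "alice", "object": "server123"}
}

# --- ABAC -------------------------------------------------------------

# analysts are not traders and may not buy anything
test_abac_analyst_denied if {
	not abac.allow with input as {"user": "bob", "ticker": "MSFT", "amount": 100}
}

# alice (trader, tenure 15) is covered by the $5M rule
test_abac_senior_trader_allowed_at_5m if {
	abac.allow with input as {"user": "alice", "ticker": "MSFT", "amount": 5000000}
}

# one dollar over the senior limit is denied by both rules
test_abac_senior_trader_denied_over_5m if {
	not abac.allow with input as {"user": "alice", "ticker": "AMZN", "amount": 5000001}
}

# unknown ticker: ticker_attributes[input.ticker] is undefined, so both rules fail
test_abac_unknown_ticker_denied if {
	not abac.allow with input as {"user": "alice", "ticker": "ZZZZ", "amount": 1}
}

# Rego does not coerce types: a string amount never satisfies the numeric <= checks
test_abac_string_amount_denied if {
	not abac.allow with input as {"user": "alice", "ticker": "MSFT", "amount": "1"}
}

# unknown user: user_attributes[input.user] is undefined, default deny applies
test_abac_unknown_user_denied if {
	not abac.allow with input as {"user": "mallory", "ticker": "MSFT", "amount": 1}
}
```

`opa test` exits non-zero when any test fails, so the same command can gate a CI pipeline before a policy bundle is published. Running `opa check --strict .` alongside it catches undefined references and unused imports that would otherwise only show up as rules silently evaluating to undefined at runtime.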
ReBAC
How to Implement Relationship-Based Access Control (ReBAC) Using Open Policy Agent (OPA)
Links & Docs
Open Policy Agent: Policy-based control for cloud native environments
Comparison to Other Systems
Open Policy Agent Alternatives: OPA vs. Oso
Integrating with the Go SDK