# Opa adapter

The OPA Mixer adapter is an implementation of the authorization template
that evaluates the client request using the Open Policy Agent engine.
The adapter embeds Open Policy Agent as a library inside a Mixer adapter.
![mixer adapter opa](https://github.com/baranov1ch/istio/raw/730bba41e601/mixer/adapter/opa/mixer_adapter_opa.png)
The adapter is responsible for (1) instantiating an Open Policy Agent instance, and
(2) passing the parameters to Open Policy Agent and getting the evaluation results from OPA at runtime.

- The service producer sets authorization rules via istioctl. The rules are saved in the Istio configuration server.
- The authorization adapter fetches the rules and passes them to Open Policy Agent.
- The request context is defined by the authorization template, which has two parts: "subject" defines the client identity, and "action" defines how the resource is accessed.
- Open Policy Agent evaluates the request context against the rules and returns the result.
To activate an OPA adapter, operators need to configure the
authorization template and the opa adapter. The adapter's parameters are:
```proto
message Params {
  // List of OPA policies (Rego source).
  repeated string policy = 1;

  // Query method to check, data.<package name>.<method name>
  string check_method = 2;

  // Close the client request when the adapter has an issue.
  // If failClose is set to true and there is a runtime error,
  // instead of disabling the adapter, close the client request.
  bool fail_close = 3;
}
```
## Example configuration

```yaml
apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
  name: authorization
  namespace: istio-config-default
spec:
  selector: "true"
  actions:
  - handler: opaHandler.opa.istio-config-default
    instances:
    - authzInstance.authorization.istio-config-default
---
apiVersion: "config.istio.io/v1alpha2"
kind: authorization
metadata:
  name: authzInstance
  namespace: istio-config-default
spec:
  subject:
    user: source.uid | ""
  action:
    namespace: target.namespace | "default"
    service: target.service | ""
    method: request.method | ""
    path: request.path | ""
---
apiVersion: "config.istio.io/v1alpha2"
kind: opa
metadata:
  name: opaHandler
  namespace: istio-config-default
spec:
  policy:
    - |+
      package mixerauthz

      # <method> and <user> are placeholders for the permitted methods and callers
      policy = [
        {
          "rule": {
            "verbs": [
              "<method>"
            ],
            "users": [
              "<user>"
            ]
          }
        }
      ]

      default allow = false

      allow = true {
        rule = policy[_].rule
        input.subject.user = rule.users[_]
        input.action.method = rule.verbs[_]
      }
  checkMethod: "data.mixerauthz.allow"
  failClose: true
```
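As an added example that is not part of the adapter or this README, the following Python models what the configuration above expresses: the authorization instance maps Mixer attributes (with their `| default` fallbacks) onto the OPA `input` document, the Rego `allow` rule grants access only when some rule lists both the caller and the method, and `failClose` decides the verdict when evaluation itself fails. The rule entries (`alice`, `GET`) are constructed, and treating a runtime error as permit when `failClose` is false is an assumption.

```python
# Added example, not the Istio adapter's code: a model of the authorization
# instance, the Rego allow rule, and the failClose setting shown above.

# Authorization template instance: OPA input field -> (Mixer attribute, default)
SUBJECT_SPEC = {"user": ("source.uid", "")}
ACTION_SPEC = {
    "namespace": ("target.namespace", "default"),
    "service": ("target.service", ""),
    "method": ("request.method", ""),
    "path": ("request.path", ""),
}

def build_input(attributes: dict) -> dict:
    """Mirror `field: attr | default`: use the attribute if present, else the literal."""
    def pick(spec):
        return {k: attributes.get(attr, dflt) for k, (attr, dflt) in spec.items()}
    return {"subject": pick(SUBJECT_SPEC), "action": pick(ACTION_SPEC)}

# Constructed stand-in for the `policy` array in the Rego policy above.
POLICY = [{"rule": {"verbs": ["GET"], "users": ["alice"]}}]

def allow(inp: dict, policy=POLICY) -> bool:
    """Same semantics as the Rego `allow` rule: default false; true when any rule
    lists input.subject.user in its users AND input.action.method in its verbs."""
    return any(inp["subject"]["user"] in r["rule"]["users"]
               and inp["action"]["method"] in r["rule"]["verbs"] for r in policy)

def check(attributes: dict, fail_close: bool, policy=POLICY) -> bool:
    """Verdict returned to Mixer: the policy result, or on a runtime error
    deny when failClose is true (assumption: permit when it is false)."""
    try:
        return allow(build_input(attributes), policy)
    except (KeyError, TypeError):
        return not fail_close

if __name__ == "__main__":
    print(check({"source.uid": "alice", "request.method": "GET"}, fail_close=True))
    print(check({"request.method": "GET"}, fail_close=True))  # no identity -> ""
```

A missing `source.uid` collapses to `""`, which never appears in a rule's `users`, so unauthenticated callers are denied by the default rather than by an explicit check.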