Documentation ¶
Overview ¶
Package opa is an Authorizer that reads Open Policy Agent Rego policies from an `opa_policy` claim in a JWT token and allows requests based on evaluation of that policy.
The only query done against the policy is `choria.aaa.policy.allow`; write your policies to deny by default and allow only specific cases.
A number of custom functions exist to assert over filters:
* `requires_filter()` - ensures that at least one of the identity, class, compound or fact filters is not empty
* `requires_fact_filter("country=mt")` - ensures the specific fact filter is present in the request
* `requires_class_filter("apache")` - ensures the specific class filter is present in the request
* `requires_identity_filter("some.node")` - ensures the specific identity filter is present in the request
The following data is exposed to rego:
* `agent` - the agent being invoked
* `action` - the action being invoked
* `data` - the contents of the request - all the inputs
* `sender` - the sender host
* `collective` - the targeted sub collective
* `ttl` - the ttl of the request
* `time` - the time the request was made
* `site` - the site hosting the aaasvc (from its config)
* `claims` - all the JWT claims
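An added example of a default-deny policy in the shape this authorizer queries (not code from the package or the Choria project); it assumes the data listed above is exposed under `input` and that the JWT carries a standard `sub` claim, and the agent, action and host names are constructed:

```rego
package choria.aaa.policy

# Default deny: a request is refused unless one of the allow rules below holds,
# so the answer to the `choria.aaa.policy.allow` query is false for everything
# not explicitly listed.
default allow = false

# Assumed: the request data documented above is available as input.agent,
# input.action, input.collective, input.sender, input.claims and so on.

# Read-only status checks against the (constructed) "puppet" agent are allowed
# from the "production" sub collective, but only when the request is narrowed by
# a class filter so it cannot fan out to every node in the collective.
allow {
    input.agent == "puppet"
    input.action == "status"
    input.collective == "production"
    requires_class_filter("apache")
}

# A restart through the (constructed) "service" agent is allowed only for one
# named caller (assumed JWT `sub` claim) and only when the request targets a
# single identity; any broader request falls through to the default deny.
allow {
    input.agent == "service"
    input.action == "restart"
    input.claims.sub == "ops-bot"
    requires_identity_filter("web1.example.net")
}
```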
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Authorizer ¶
type Authorizer struct {
// contains filtered or unexported fields
}
Authorizer authorizes requests based on Open Policy Agent policies
func New ¶
func New(log *logrus.Entry, site string) *Authorizer
New creates a new Open Policy Agent authorizer
func (*Authorizer) Authorize ¶
func (a *Authorizer) Authorize(req protocol.Request, claims *tokens.ClientIDClaims) (allowed bool, err error)
Authorize implements authorizers.Authorizer