README
¶
Open Policy Agent
Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.
OPA is proud to be a graduated project in the Cloud Native Computing Foundation (CNCF) landscape. For details read the CNCF announcement.
Get started with OPA
- Write your first Rego policy with the Rego Playground or use it to share your work with others for feedback and support. Have a look at the Access Control examples if you're not sure where to start.
- Install the VS Code extension to get started locally with live diagnostics, debugging and formatting. See Editor and IDE Support for other supported editors.
- Go to the OPA Documentation to learn about the Rego language as well as how to deploy and integrate OPA.
- Check out the learning resources in the Learning Rego section of the ecosystem directory.
- Follow the Running OPA instructions to get started with the OPA CLI locally.
- See Docker Hub for container images and the GitHub releases for binaries.
- Check out the OPA Roadmap to see a high-level snapshot of OPA features in-progress and planned.
Want to talk about OPA or get support?
- Join the OPA Slack to talk to other OPA users and maintainers. See
#helpfor support. - Check out the Community Discussions to ask questions.
Interested to learn what others are doing with OPA?
- Browse community projects on the OPA Ecosystem Directory - don't forget to list your own!
- Check out the ADOPTERS.md file for a list of production adopters. Does your organization use OPA in production? Support the OPA project by submitting a PR to add your organization to the list with a short description of your OPA use cases!
Want to integrate OPA?
- See the high-level Go SDK or the low-level Go API
to integrate OPA with services written in Go. - See the REST API reference to integrate OPA with services written in other languages.
- See the integration docs for more options.
Want to contribute to OPA?
- Read the Contributing Guide to learn how to make your first contribution.
- Use #contributors in Slack to talk to other contributors and OPA maintainers.
- File a GitHub Issue to request features or report bugs.
How does OPA work?
OPA gives you a high-level declarative language to author and enforce policies across your stack.
With OPA, you define rules that govern how your system should behave. These rules exist to answer questions like:
- Can user X call operation Y on resource Z?
- What clusters should workload W be deployed to?
- What tags must be set on resource R before it's created?
You integrate services with OPA so that these kinds of policy decisions do not have to be hardcoded in your service. Services integrate with OPA by executing queries when policy decisions are needed.
When you query OPA for a policy decision, OPA evaluates the rules and data (which you give it) to produce an answer. The policy decision is sent back as the result of the query.
For example, in a simple API authorization use case:
- You write rules that allow (or deny) access to your service APIs.
- Your service queries OPA when it receives API requests.
- OPA returns allow (or deny) decisions to your service.
- Your service enforces the decisions by accepting or rejecting requests accordingly.
For concrete examples of how to integrate OPA with systems like Kubernetes, Terraform, Docker, SSH, and more, see openpolicyagent.org.
Presentations
- Open Policy Agent (OPA) Intro & Deep Dive @ Kubecon NA 2023: video
- Open Policy Agent (OPA) Intro & Deep Dive @ Kubecon EU 2023: video
- Running Policy in Hard to Reach Places with WASM & OPA @ CN Wasm Day EU 2023: video
- OPA maintainers talk @ Kubecon NA 2022: video
- Open Policy Agent (OPA) Intro & Deep Dive @ Kubecon EU 2022: video
- Open Policy Agent Intro @ KubeCon EU 2021: Video
- Using Open Policy Agent to Meet Evolving Policy Requirements @ KubeCon NA 2020: video
- Applying Policy Throughout The Application Lifecycle with Open Policy Agent @ CloudNativeCon 2019: video
- Open Policy Agent Introduction @ CloudNativeCon EU 2018: video, slides
- Rego Deep Dive @ CloudNativeCon EU 2018: video, slides
- How Netflix Is Solving Authorization Across Their Cloud @ CloudNativeCon US 2017: video, slides.
- Policy-based Resource Placement in Kubernetes Federation @ LinuxCon Beijing 2017: slides, screencast
- Enforcing Bespoke Policies In Kubernetes @ KubeCon US 2017: video, slides
- Istio's Mixer: Policy Enforcement with Custom Adapters @ CloudNativeCon US 2017: video, slides
Security
A third party security audit was performed by Cure53, you can see the full report here.
Please report vulnerabilities by email to open-policy-agent-security. We will send a confirmation message to acknowledge that we have received the report and then we will send additional messages to follow up once the issue has been investigated.
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
Package ast declares Rego syntax tree types and also includes a parser and compiler for preparing policies for execution in the policy engine.
|
Package ast declares Rego syntax tree types and also includes a parser and compiler for preparing policies for execution in the policy engine. |
|
location
Package location defines locations in Rego source code.
|
Package location defines locations in Rego source code. |
|
build
|
|
|
Package bundle implements bundle loading.
|
Package bundle implements bundle loading. |
|
Package cmd contains the entry points for OPA commands.
|
Package cmd contains the entry points for OPA commands. |
|
Package compile implements bundles compilation and linking.
|
Package compile implements bundles compilation and linking. |
|
Package config implements OPA configuration file parsing and validation.
|
Package config implements OPA configuration file parsing and validation. |
|
Package cover reports coverage on modules.
|
Package cover reports coverage on modules. |
|
Package debug EXPERIMENTAL: This package is under active development and is subject to change.
|
Package debug EXPERIMENTAL: This package is under active development and is subject to change. |
|
Package dependencies provides functions for determining the set of ast.Refs that AST elements depend on.
|
Package dependencies provides functions for determining the set of ast.Refs that AST elements depend on. |
|
Package download implements low-level OPA bundle downloading.
|
Package download implements low-level OPA bundle downloading. |
|
features
|
|
|
wasm
Import this package to enable evaluation of rego code using the built-in wasm engine.
|
Import this package to enable evaluation of rego code using the built-in wasm engine. |
|
Package format implements formatting of Rego source files.
|
Package format implements formatting of Rego source files. |
|
internal
|
|
|
cidr/merge
Package merge provides helper functions for merging a list of IP addresses and subnets into the smallest possible list of CIDRs.
|
Package merge provides helper functions for merging a list of IP addresses and subnets into the smallest possible list of CIDRs. |
|
compiler/wasm
Package wasm contains an IR->WASM compiler backend.
|
Package wasm contains an IR->WASM compiler backend. |
|
compiler/wasm/opa
Package opa contains bytecode for the OPA-WASM library.
|
Package opa contains bytecode for the OPA-WASM library. |
|
config
Package config implements helper functions to parse OPA's configuration.
|
Package config implements helper functions to parse OPA's configuration. |
|
edittree
Package EditTree implements a specialized tree data structure that allows for cheap edits and modifications of nested Term structures.
|
Package EditTree implements a specialized tree data structure that allows for cheap edits and modifications of nested Term structures. |
|
edittree/bitvector
Package bitvector provides the implementation of a variable sized compact vector of bits which supports lookups, sets, appends, insertions, and deletions.
|
Package bitvector provides the implementation of a variable sized compact vector of bits which supports lookups, sets, appends, insertions, and deletions. |
|
file/url
Package url contains helpers for dealing with file paths and URLs.
|
Package url contains helpers for dealing with file paths and URLs. |
|
gojsonschema
nolint: goconst // String duplication will be handled later by using errors.Is.
|
nolint: goconst // String duplication will be handled later by using errors.Is. |
|
jwx/buffer
Package buffer provides a very thin wrapper around []byte buffer called `Buffer`, to provide functionalities that are often used within the jwx related packages
|
Package buffer provides a very thin wrapper around []byte buffer called `Buffer`, to provide functionalities that are often used within the jwx related packages |
|
jwx/jwk
Package jwk implements JWK as described in https://tools.ietf.org/html/rfc7517
|
Package jwk implements JWK as described in https://tools.ietf.org/html/rfc7517 |
|
jwx/jws
Package jws implements the digital Signature on JSON based data structures as described in https://tools.ietf.org/html/rfc7515
|
Package jws implements the digital Signature on JSON based data structures as described in https://tools.ietf.org/html/rfc7515 |
|
leb128
Package leb128 implements LEB128 integer encoding.
|
Package leb128 implements LEB128 integer encoding. |
|
merge
Package merge contains helpers to merge data structures frequently encountered in OPA.
|
Package merge contains helpers to merge data structures frequently encountered in OPA. |
|
pathwatcher
Package pathwatcher provides helper functions for creating file and directory watchers
|
Package pathwatcher provides helper functions for creating file and directory watchers |
|
planner
Package planner contains a query planner for Rego queries.
|
Package planner contains a query planner for Rego queries. |
|
presentation
Package presentation prints results of an expression evaluation in json and tabular formats.
|
Package presentation prints results of an expression evaluation in json and tabular formats. |
|
providers/aws
modified from github.com/aws/aws-sdk-go-v2/internal/v4a@7a32d707af
|
modified from github.com/aws/aws-sdk-go-v2/internal/v4a@7a32d707af |
|
ref
Package ref implements internal helpers for references
|
Package ref implements internal helpers for references |
|
report
Package report provides functions to report OPA's version information to an external service and process the response.
|
Package report provides functions to report OPA's version information to an external service and process the response. |
|
runtime
Package runtime contains utilities to return runtime information on the OPA instance.
|
Package runtime contains utilities to return runtime information on the OPA instance. |
|
runtime/init
Package init is an internal package with helpers for data and policy loading during initialization.
|
Package init is an internal package with helpers for data and policy loading during initialization. |
|
semver
Package semver has been vendored from: https://github.com/coreos/go-semver/tree/e214231b295a8ea9479f11b70b35d5acf3556d9b/semver A number of the original functions of the package have been removed since they are not required for our built-ins.
|
Package semver has been vendored from: https://github.com/coreos/go-semver/tree/e214231b295a8ea9479f11b70b35d5acf3556d9b/semver A number of the original functions of the package have been removed since they are not required for our built-ins. |
|
storage/mock
Package mock defines a fake storage implementation for use in testing.
|
Package mock defines a fake storage implementation for use in testing. |
|
strings
Package strings contains helpers to perform string manipulation
|
Package strings contains helpers to perform string manipulation |
|
strvals
Package strvals provides tools for working with strval lines.
|
Package strvals provides tools for working with strval lines. |
|
version
Package version implements helper functions for the stored version.
|
Package version implements helper functions for the stored version. |
|
wasm/constant
Package constant contains WASM constant definitions.
|
Package constant contains WASM constant definitions. |
|
wasm/encoding
Package encoding implements WASM module reading and writing.
|
Package encoding implements WASM module reading and writing. |
|
wasm/instruction
Package instruction defines WASM instruction types.
|
Package instruction defines WASM instruction types. |
|
wasm/opcode
Package opcode contains constants and utilities for working with WASM opcodes.
|
Package opcode contains constants and utilities for working with WASM opcodes. |
|
wasm/types
Package types defines the WASM value type constants.
|
Package types defines the WASM value type constants. |
|
Package ir defines an intermediate representation (IR) for Rego.
|
Package ir defines an intermediate representation (IR) for Rego. |
|
Package loader contains utilities for loading files into OPA.
|
Package loader contains utilities for loading files into OPA. |
|
Package metrics contains helpers for performance metric management inside the policy engine.
|
Package metrics contains helpers for performance metric management inside the policy engine. |
|
Package plugins implements plugin management for the policy engine.
|
Package plugins implements plugin management for the policy engine. |
|
bundle
Package bundle implements bundle loading.
|
Package bundle implements bundle loading. |
|
discovery
Package discovery implements configuration discovery.
|
Package discovery implements configuration discovery. |
|
logs
Package logs implements decision log buffering and uploading.
|
Package logs implements decision log buffering and uploading. |
|
rest
Package rest implements a REST client for communicating with remote services.
|
Package rest implements a REST client for communicating with remote services. |
|
server/decoding
Package decoding implements the configuration side of the upgraded gzip decompression framework.
|
Package decoding implements the configuration side of the upgraded gzip decompression framework. |
|
status
Package status implements status reporting.
|
Package status implements status reporting. |
|
Package profiler computes and reports on the time spent on expressions.
|
Package profiler computes and reports on the time spent on expressions. |
|
Package refactor implements different refactoring operations over Rego modules.
|
Package refactor implements different refactoring operations over Rego modules. |
|
Package rego exposes high level APIs for evaluating Rego policies.
|
Package rego exposes high level APIs for evaluating Rego policies. |
|
Package repl implements a Read-Eval-Print-Loop (REPL) for interacting with the policy engine.
|
Package repl implements a Read-Eval-Print-Loop (REPL) for interacting with the policy engine. |
|
Package runtime contains the entry point to the policy engine.
|
Package runtime contains the entry point to the policy engine. |
|
Package sdk contains a high-level API for embedding OPA inside of Go programs.
|
Package sdk contains a high-level API for embedding OPA inside of Go programs. |
|
Package server contains the policy engine's server handlers.
|
Package server contains the policy engine's server handlers. |
|
authorizer
Package authorizer provides authorization handlers to the server.
|
Package authorizer provides authorization handlers to the server. |
|
identifier
Package identifier provides handlers for associating identity information with incoming requests.
|
Package identifier provides handlers for associating identity information with incoming requests. |
|
types
Package types contains request/response types and codes for the server.
|
Package types contains request/response types and codes for the server. |
|
writer
Package writer contains utilities for writing responses in the server.
|
Package writer contains utilities for writing responses in the server. |
|
Package storage exposes the policy engine's storage layer.
|
Package storage exposes the policy engine's storage layer. |
|
disk
Package disk provides disk-based implementation of the storage.Store interface.
|
Package disk provides disk-based implementation of the storage.Store interface. |
|
inmem
Package inmem implements an in-memory version of the policy engine's storage layer.
|
Package inmem implements an in-memory version of the policy engine's storage layer. |
|
internal/errors
Package errors contains reusable error-related code for the storage layer.
|
Package errors contains reusable error-related code for the storage layer. |
|
internal/ptr
Package ptr provides utilities for pointer operations using storage layer paths.
|
Package ptr provides utilities for pointer operations using storage layer paths. |
|
test
|
|
|
authz
Package authz contains unit and benchmark tests for authz use-cases The public (non-test) APIs are meant to be used as helpers for other tests to build off of.
|
Package authz contains unit and benchmark tests for authz use-cases The public (non-test) APIs are meant to be used as helpers for other tests to build off of. |
|
cases
Package cases contains utilities for evaluation test cases.
|
Package cases contains utilities for evaluation test cases. |
|
e2e/authz
nolint: deadcode,unused // build tags confuse these linters
|
nolint: deadcode,unused // build tags confuse these linters |
|
e2e/wasm/authz
nolint: deadcode,unused // build tags confuse these linters
|
nolint: deadcode,unused // build tags confuse these linters |
|
Package tester contains utilities for executing Rego tests.
|
Package tester contains utilities for executing Rego tests. |
|
Package topdown provides low-level query evaluation support.
|
Package topdown provides low-level query evaluation support. |
|
builtins
Package builtins contains utilities for implementing built-in functions.
|
Package builtins contains utilities for implementing built-in functions. |
|
cache
Package cache defines the inter-query cache interface that can cache data across queries
|
Package cache defines the inter-query cache interface that can cache data across queries |
|
Package tracing enables dependency-injection at runtime.
|
Package tracing enables dependency-injection at runtime. |
|
Package types declares data types for Rego values and helper functions to operate on these types.
|
Package types declares data types for Rego values and helper functions to operate on these types. |
|
Package util provides generic utilities used throughout the policy engine.
|
Package util provides generic utilities used throughout the policy engine. |
|
test
Package test contains utilities used in the policy engine's test suite.
|
Package test contains utilities used in the policy engine's test suite. |
|
Package version contains version information that is set at build time.
|
Package version contains version information that is set at build time. |
Click to show internal directories.
Click to hide internal directories.