opa

package

v0.0.0-...-1a56975 Latest Latest Go to latest Published: Apr 23, 2019 License: Apache-2.0 Imports: 8 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

README ¶

Opa adapter

The OPA mixer adapter is an implementation of authorization template that evaluates the client request using the Open Policy Agent engine.

Opa adapter embedded the Open Policy Agent as a library inside a Mixer adapter.

mixer adapter opa

The adapter is responsible for (1) instantiating an Open Policy Agent instance, (2) passing the parameters to Open Policy Agent and getting the evaluation results from OPA at runtime

Configuration flow (1 and 2 in the above figure):

Service producer sets authorization rules via istioctl. The rules are saved in Istio Configuration server.
The authorization adapter fetches the rules and passes to Open Policy Agent.

Runtime flow (3 and 4 in the above figure):

The request context is defined by the authorization template, which has two parts, "subject" defines the client identity, and "action" defines how the resource is accessed.
Open Policy Agent evaluates the request context against the rules, and returns the result.

Configuration

To activate an OPA adapter, operators need to configure the authorization template and the opa adapter.

message Params {
 // List of OPA policies
 repeated string policy = 1;

 // Query method to check, data.<package name>.<method name>
 string check_method = 2;

 // Close the client request when adapter has a issue.
 // If failClose is set to true and there is a runtime error,
 // instead of disabling the adapter, close the client request

 bool fail_close = 3;
}

Example configuration

apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
 name: authorization
 namespace: istio-config-default
spec:
 selector: "true"
 actions:
 - handler: opaHandler.opa.istio-config-default
   instances:
   - authzInstance.authorization.istio-config-default

---

apiVersion: "config.istio.io/v1alpha2"
kind: authorization
metadata:
 name: authzInstance
 namespace: istio-config-default
spec:
 subject:
   user: source.uid | ""
 action:
   namespace: destination.namespace | "default"
   service: destination.service | ""
   method: request.method | ""
   path: request.path | ""

---

apiVersion: "config.istio.io/v1alpha2"
kind: opa
metadata:
 name: opaHandler
 namespace: istio-config-default
spec:
 policy:
   - |+
     package mixerauthz
    policy = [
      {
        "rule": {
          "verbs": [
            "storage.buckets.get"
          ],
          "users": [
            "bucket-admins"
          ]
        }
      }
    ]

    default allow = false

    allow = true {
      rule = policy[_].rule
      input.subject.user = rule.users[_]
      input.action.method = rule.verbs[_]
    }
 checkMethod: "data.mixerauthz.allow"
 failClose: true