opa-redis-plugin

README

• Overview
• Usage
• Configuration
• Example
• Dependencies
• Currently Implemented Commands
• Executing Arbitrary Commands
• Limitations
• Credits

Overview

This repository contains an OPA plugin that provides Rego bindings for the go-redis library.

Usage

You can use this plugin as a library to embed in your go code:

import (
    "os"

    "github.com/open-policy-agent/opa/cmd"
    "github.com/open-policy-agent/opa/runtime"

    opa_redis_plugin "github.com/tibotix/opa-redis-plugin/plugin"
)

func main() {
	redisManager := opa_redis_plugin.NewRedisManager()
	redisManager.RegisterCommands()

	runtime.RegisterPlugin(opa_redis_plugin.PluginName, opa_redis_plugin.NewFactory(redisManager))

	if err := cmd.RootCommand.Execute(); err != nil {
		os.Exit(1)
	}
}

Configuration

This plugin expects some configuration in the configuration file provided to opa. For example:

opa run -c config.yaml

config.yaml:

plugins:
  redis:
    enabled: true # DEFAULT: true
    address: "redis://${REDIS_USERNAME}:${REDIS_PASSWORD}@${REDIS_HOST}:${REDIS_PORT}/0" # REQUIRED
    max_retries: 3 # DEFAULT: 3
    dial_timeout_in_seconds: 8.0 # DEFAULT: 8
    read_timeout_in_seconds: 2.0 # DEFAULT: 2

Example

When this plugin is enabled, you can use all redis.* functions. Each function name is the lowercase version of the corresponding command, e.g.

CLIENTGETNAME -> redis.clientgetname
GET -> redis.get
SMISMBER -> redis.smismember
[...]

example.rego:

redis.get("key")
redis.smismember("set_key", ["item1", "item2"])

NOTE: On Connection Error all redis calls return undefined.

Dependencies

This plugin depends on the following modules:

• "github.com/go-redis/redis v8.11.5"
• "github.com/open-policy-agent/opa v0.46.1"

Currently Implemented Commands

Please see supported_commands.md

Executing Arbitrary Commands

To execute arbitrary commands, use the redis.do function:

redis.do(["SET", "mykey", "myvalue"])

Limitations

Currently, Redis Transactions and Pipelines are not supported yet. Pull Requests are welcome.

Additionally, opa eval does not work with this plugin, as opa eval does not load plugins.

Credits

Special thanks to the whole OPA team for maintaining OPA and making it open-source, the opa-envoy-plugin maintainer for a good plugin template and code inspirations that this plugin is based on and the go-redis library, which is used internally.