openpolicyagent

Policy-based control for cloud native environments

Created: by Pradeep Gowda Updated: Nov 04, 2023 Tagged: openpolicyagent · nixos

Home Page: Open Policy Agent

Policy-based control for cloud native environments. Flexible, fine-grained control for administrators across the stack.

> Use OPA to decouple policy from the service's code so you can release, analyze, and review policies (which security and compliance teams love) without sacrificing availability or performance.

> Stop using a different policy language, policy model, and policy API for every product and service you use. Use OPA for a unified toolset and framework for policy across the cloud native stack.

Declarative policy (sample code):

Policy:

package application.authz

import future.keywords

# Only owner can update the pet's information
# Ownership information is provided as part of OPA's input
default allow := false

allow if {
    input.method == "PUT"
    some petid
    input.path = ["pets", petid]
    input.user == input.owner
}

Input:

{
    "method": "PUT",
    "owner": "bob@hooli.com",
    "path": [
        "pets",
        "pet113-987"
    ],
    "user": "alice@hooli.com"
}

Output:

{
    "allow": false
}

Rego is OPA's policy language; the Rego Playground is where you write and evaluate policies against an input document like the one above.
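The single input/output pair above only shows the deny case. The following is an added example (my own, not code from the page or the OPA project) that pins down the policy's behaviour with an `opa test` suite: it assumes the policy above is saved as `authz.rego` and this file as `authz_test.rego` in the same directory, and the sample emails and pet ids are constructed values. Each test rule swaps in a different input with `with input as`, so the cases that matter for a reviewer (owner allowed, non-owner denied, wrong HTTP method denied, path of the wrong shape denied) are checked together rather than by hand in the playground.

```rego
package application.authz_test

import future.keywords

# The policy under test lives in package application.authz (authz.rego).
import data.application.authz

# Constructed base request: bob owns the pet and bob is the caller.
owner_request := {
    "method": "PUT",
    "path": ["pets", "pet113-987"],
    "owner": "bob@hooli.com",
    "user": "bob@hooli.com",
}

# Owner updating their own pet must be allowed.
test_owner_can_update if {
    authz.allow with input as owner_request
}

# The page's sample input: alice is not the owner, so the default false applies.
test_non_owner_is_denied if {
    not authz.allow with input as object.union(owner_request, {"user": "alice@hooli.com"})
}

# Same owner, but a GET is not the method this rule grants; nothing else allows it.
test_other_method_is_denied if {
    not authz.allow with input as object.union(owner_request, {"method": "GET"})
}

# `input.path = ["pets", petid]` only unifies with a two-element path,
# so a longer path (or a different collection) does not match the rule.
test_wrong_path_shape_is_denied if {
    not authz.allow with input as object.union(owner_request, {"path": ["pets", "pet113-987", "photos"]})
    not authz.allow with input as object.union(owner_request, {"path": ["owners", "pet113-987"]})
}
```

Run the suite with `opa test .` from that directory; a single decision can also be reproduced from the command line with `opa eval -i input.json -d authz.rego "data.application.authz.allow"`, where `input.json` holds the input document from the page. The `default allow := false` line is what makes the denied cases return `false` rather than an undefined result, which is the safer contract for a caller that checks `result.allow`.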

See also: