
Open Policy Agent, Part II - Developing Policies

Go behind the scenes of Open Policy Agent.

By Ales Nosek · Updated Nov. 15, 19 · Analysis

In the previous part of the series, we explored Open Policy Agent and implemented ACL-based access control for our application. In this entry, I am going to share with you some of the discoveries I made while evaluating Open Policy Agent with regard to policy design and development.

Policy Design

After evaluating policy rules, OPA returns the result of the policy decision to your application. This result is a JSON structure. Depending on your requirements, it can contain a single member holding a true or false (authorized/not authorized) value. However, you can create policies whose evaluation results in an arbitrarily complex JSON document. For example, OPA can return a list of nodes on which Kubernetes should schedule a workload.

In microservice applications, OAuth 2.0 is a rather popular authorization framework used to secure services' APIs. It typically leverages JSON Web Tokens (JWT) to convey claims. OPA comes with built-in functions that can decode the token and validate its signature and expiration time. Furthermore, your policy rules can make decisions based on the claims included in the token. Just forward the token as an input to OPA and offload the entire token processing from your application!


OPA makes policy decisions based on the data stored in memory. In the case of large data sets, replicating all the data in memory can be impractical. While evaluating policy rules, is OPA able to reach out to an external data store to get additional data for decision making? For example, send a query to LDAP to grab additional attributes or look up data in an SQL database?

Based on my research, I think there are two possible approaches for leveraging external data sources in OPA. First, there is a built-in HTTP function that can fetch data from external HTTP services during policy evaluation. Second, you can leverage Partial Evaluation, as described in this blog post.

While partially evaluating policies, OPA doesn't return a complete policy decision; instead, it returns a set of conditions. It is left to you to translate this set of conditions into a query appropriate for your datastore and execute that query in order to obtain the final policy decision. Note that regardless of which approach you choose, reaching out to external data stores will have a negative impact on the latency and reliability of your solution. Caching the data in OPA's memory is always the better option, assuming it suits your use case.
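As an added example (not code from the article or the OPA project), the partial-evaluation approach described above: the ticket table is too large to replicate into OPA, so the policy references it as data.tickets and the application asks OPA for the residual conditions instead of a final decision. The package, the data path and the ticket fields are constructed.

```rego
package filter

# Readers may only GET tickets they own that are not archived.
# data.tickets is never loaded into OPA; it stays in the database.
allow {
    input.method == "GET"
    ticket := data.tickets[_]
    ticket.owner == input.user
    ticket.status != "archived"
}

# Partially evaluate with data.tickets declared unknown, e.g.
#   opa eval -d policy.rego -i input.json --partial --unknowns data.tickets 'data.filter.allow'
# With input {"method": "GET", "user": "alice"} the result is not true/false but
# a residual query over data.tickets, roughly:
#   data.tickets[_].owner = "alice"; data.tickets[_].status != "archived"
# The application translates those conditions into its own datastore query
# (for SQL: WHERE owner = 'alice' AND status <> 'archived') and runs it there.
```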

If you have raw data that would be difficult to write a policy against, you can pre-process that data into a form that better suits policy writing before importing it into OPA. Moreover, if you have multiple sources of data, e.g. data from LDAP and Active Directory, you can merge them outside of OPA and load the merged form into OPA.

RBAC (Role-Based Access Control) and ABAC (Attribute-Based Access Control) are two frequently used policy models. Are you wondering if you can implement them using OPA? Of course you can! Follow these two links to find sample implementations of RBAC and ABAC.

Hierarchical group permissions are commonly found in practice, e.g. parent group permissions are a superset of child group permissions. These models can be elegantly described using recursive rules. However, at the time of this writing, OPA doesn't support recursion in policies.

Developing Policies

While learning OPA's Rego language, I appreciated the built-in interactive shell (REPL) that I could use to write and test my policies instantly. Just type opa run, and you are good to go. Alternatively, you can go online and use the Rego Playground.

If you are dealing with complex policies, how do you ensure that you implemented your policies correctly? OPA allows you to write test cases that you can run against your policies. You can use data mocking and calculate test coverage. See also the command opa test.
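As an added example (not code from the article or the OPA project), a policy that ties together the points above: it verifies an HS256 JWT with io.jwt.decode_verify, decides from the token's claims, returns a decision document rather than a bare boolean, and carries the test cases that opa test runs, with `with` mocking both the input and the secret. The package, issuer, role names and secret are constructed, and the rules use the Rego syntax of OPA's 0.x releases.

```rego
package httpapi.authz

default allow = false
issuer = "https://issuer.example.com"

# Claims of the verified token; undefined when the signature, issuer or
# expiry check fails. The HS256 secret is data loaded into OPA
# (data.jwt.secret), not part of the policy text.
claims = payload {
    [valid, _, payload] := io.jwt.decode_verify(input.token, {"secret": data.jwt.secret, "iss": issuer})
    valid
}
# Admins may use any HTTP method; readers only GET.
allow {
    claims.role == "admin"
}
allow {
    claims.role == "reader"
    input.method == "GET"
}

# Why a request was denied (an empty set when it was allowed).
reasons["token invalid or expired"] {
    not claims
}
reasons["role not permitted for this method"] {
    claims
    not allow
}

# The document the application queries: richer than a bare boolean.
decision = {"allow": allow, "reasons": reasons}

# Tests (opa test -v --coverage policy.rego). Tokens are signed in Rego so
# no fixtures are needed; k is base64url("secret"), the raw secret mocked below.
signed(body) = token {
    token := io.jwt.encode_sign({"typ": "JWT", "alg": "HS256"}, body, {"kty": "oct", "k": "c2VjcmV0"})
}

test_reader_can_get {
    tok := signed({"iss": issuer, "role": "reader"})
    allow with input as {"method": "GET", "token": tok} with data.jwt.secret as "secret"
}

test_expired_admin_denied {
    tok := signed({"iss": issuer, "role": "admin", "exp": 1})
    d := decision with input as {"method": "GET", "token": tok} with data.jwt.secret as "secret"
    not d.allow
    d.reasons["token invalid or expired"]
}
```

Running the tests with --coverage reports the second reasons rule as uncovered, which is the signal to add a test for a permitted role using a disallowed method.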

Is the evaluation of your policies too slow? OPA comes with a profiler to report on time spent on evaluating policy expressions. See also the opa eval command.

OPA comes with a formatting tool opa fmt to format Rego policy files. You don't need to fight battles with other developers about how the Rego files should be formatted!

OPA is a relatively new project; however, additional tooling and integrations for OPA are showing up quickly. If you like to use Visual Studio Code, there is a feature-rich VS Code plugin available for you. Rego syntax highlighting is available for several other editors such as Vim, Atom, and TextMate.

Conclusion

In this blog post, I shared with you several tips and approaches for how to design policies in Open Policy Agent. In the final article in the series, we will focus on how you can integrate Open Policy Agent with your application.

If you have any comments or questions, please use the comment section below. I look forward to hearing from you.


Published at DZone with permission of Ales Nosek. See the original article here.