Microservices Authorization via Open Policy Agent

Balamurugan R
Nggawe Nirman Tech Blog
Jul 30, 2020

Let’s see how microservices authorization can be achieved with Open Policy Agent, using a simple example.

What is Authorization?

Authorization is the function of specifying access rights/privileges to resources.

What is Open Policy Agent?

Here is how the OPA project describes it:

The Open Policy Agent (OPA, pronounced “oh-pa”) is an open-source, general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that lets you specify policy as code and simple APIs to offload policy decision-making from your software. You can use OPA to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more.

How does OPA Policy Enforcement work?

OPA decouples policy decision-making from policy enforcement. When your software needs to make policy decisions it queries OPA and supplies structured data (e.g., JSON) as input. OPA accepts arbitrary structured data as input.

Policy Decoupling

OPA generates policy decisions by evaluating the query input against policies and data.

Policies are defined in a language called Rego.

Let's see an example.

This example explains how the Group Management microservices handle authorization using OPA.

Here are the considerations for Group Management:

  1. Groups can be either public or private.
  2. Public users can view public groups but can’t manage them.
  3. Private groups can be viewed by group members, group admins, and super admins.
  4. Private groups can be managed only by group admins and super admins.

Here is the GitHub repository, which has all the files required for the above-mentioned example. Please check the README file for the local setup.
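The four Group Management rules above, sketched as a Rego policy with two unit tests. This is an added example, not the code from the repository: the package name, the input fields (`action`, `user.id`, `user.roles`, `group.visibility`, `group.members`, `group.admins`) and the `super_admin` role string are assumptions, as is letting group admins and super admins manage public groups. It uses `import rego.v1`, so it needs a recent OPA release.

```rego
package groupmgmt.authz

import rego.v1

# Fail closed: any request that matches no rule below is denied,
# including unknown actions and inputs with missing fields.
default allow := false

# Rule 2: anyone may view a public group.
allow if {
	input.action == "view"
	input.group.visibility == "public"
}

# Rule 3: private groups are visible to members, group admins and super admins.
allow if {
	input.action == "view"
	input.group.visibility == "private"
	can_see_private
}

# Rule 4: only group admins and super admins may manage a group.
# Assumption: this also applies to public groups.
allow if {
	input.action == "manage"
	is_privileged
}

can_see_private if input.user.id in input.group.members
can_see_private if is_privileged

is_privileged if input.user.id in input.group.admins
is_privileged if "super_admin" in input.user.roles

# Constructed sample group used by the tests.
private_group := {"visibility": "private", "members": ["alice"], "admins": ["bob"]}

test_member_views_but_cannot_manage if {
	allow with input as {"action": "view", "user": {"id": "alice", "roles": []}, "group": private_group}
	not allow with input as {"action": "manage", "user": {"id": "alice", "roles": []}, "group": private_group}
}

test_outsider_denied_super_admin_allowed if {
	not allow with input as {"action": "view", "user": {"id": "eve", "roles": []}, "group": private_group}
	allow with input as {"action": "manage", "user": {"id": "eve", "roles": ["super_admin"]}, "group": private_group}
}
```

Saved to a `.rego` file, the tests run with `opa test` on that file. The service would send the same input document to OPA and enforce the returned `allow` value.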

Please refer to https://www.openpolicyagent.org/docs/latest/ for more details.
