OPA is a great tool for implementing a policy-as-code system. But if you're trying to use it for application authorization (e.g. fine-grained authz for B2B SaaS or a set of internal applications), you may find that its policy story is strong, but it doesn't really have a "data plane": you either store data in a data.json file and rebuild the policy any time that data changes, or make an http.send call out of the policy to fetch dynamic data.<p>Check out Topaz [0], which uses OPA as its decision engine, but adds a data plane that is based on the ReBAC ideas explored in the Google Zanzibar [1] paper.<p>Disclaimer: I work on the team [2] that builds and maintains the Topaz project.<p>[0] <a href="https://www.topaz.sh" rel="nofollow">https://www.topaz.sh</a><p>[1] <a href="https://research.google/pubs/zanzibar-googles-consistent-global-authorization-system" rel="nofollow">https://research.google/pubs/zanzibar-googles-consistent-glo...</a><p>[2] <a href="https://www.aserto.com" rel="nofollow">https://www.aserto.com</a>
My team is using OPA in a re-build of an application that we support. One of the main goals of the rebuild is to ensure we don't end up in a situation where every little rule change (including UAM changes) requires a full rebuild/deploy cycle of the app.<p>OPA replaces a complex hard-coded, and largely inscrutable UAM model with a (still complex), but flexibly defined, independently testable, and easily inspectable single-responsibility model.<p>I like that OPA has built in support for testing rulesets. The partial evaluation feature is amazing, ands makes it easy to apply UAM filters to endpoints that return large sets of data (we have consistent query APIs across the app, so could do this with a relatively simple OPA-aware proxy).<p>It's not all sunshine and roses, and the result might seem overly complex for a lot of use cases, but in our case I think OPA has provided a nice clean abstraction and enabled us to disentangle our UAM from the rest of our code and move more quickly overall.
We're currently evaluating OPA for adding RBAC to our open-source application [0]. We plan on using the Go API [1] and doing the policy eval directly in our app since our app is also written in Go.<p>The thinking is we'll have some basic built-in policies (like admins can do X, editors can do Y, etc) but also allow users to configure their own policies if they want by writing rego and loading their policy rules at startup time (via config). We'd document the inputs that we pass to the evaluation call such as request headers, IP, role, etc.<p>I'm curious if anyone has ever tried something like this or similar?<p>[0] <a href="https://github.com/flipt-io/flipt">https://github.com/flipt-io/flipt</a><p>[1] <a href="https://www.openpolicyagent.org/docs/latest/integration/#integrating-with-the-go-api" rel="nofollow">https://www.openpolicyagent.org/docs/latest/integration/#int...</a>
I have found OPA to be a fairly reliable and performant system in production. We were able to build a scalable RBAC solution that used OPA as evaluators. We had around 40k OPA instances serving around 350K qps with p99.9 hovering around 6ms.<p>You can find our talk here <a href="https://www.styra.com/resources/videos/snap-inc--snaps-journey-to-standardizing-internal-authz-typ/" rel="nofollow">https://www.styra.com/resources/videos/snap-inc--snaps-journ...</a>
Curious what folks think about this versus cedar (<a href="https://www.cedarpolicy.com/" rel="nofollow">https://www.cedarpolicy.com/</a>), the open source policy engine behind aws verified permissions.
I tried to implement some simpler cases with the policy language, Rego (<a href="https://www.openpolicyagent.org/docs/latest/policy-language/" rel="nofollow">https://www.openpolicyagent.org/docs/latest/policy-language/</a>), of OPA and found it overly cumbersome. A simple check like "if user is in group A and in group C, but must not be in group C" is hard to express in this language. It would be a trivial task in any somewhat decent programming language (e.g. JavaScript).<p>I understand why restricting the possibilities with an external DSL might be a good idea, but I consider Rego to be to restricted. I mean, in the the a policy is just a function saying basically "yes" or "no" (I know, it's not that simple with OPA, but it boils down to access yes/no, anyway).
OPA and its derivative projects really brought the idea of decoupled authorization as a viable option. It is a very powerful tool which can be applied to many layers of the architecture - from Kubernetes Admission Controllers being based on it through to network level authorization and up the full stack.<p>One area that is a constrained and narrow use case is around the actual application level permissions - eg what a user can do inside of your service. Having hand-rolled this in various companies - and the inevitable rebuilds that were required as requirements change such as adding a new, product packaging updates etc - you do end up with a complex web of logic - ether in your codebase or as Rego.<p>For these application level permissions - where the requirements really come from the product/business rather than engineering - I always felt there could be a simpler way of defining this rules. Policies needed to be in a format a business user could understand, and enforcing them needs to be extremely responsive as checks are in the blocking path of every request - and this needs to work at large scale - all whilst making every decision auditable to tick all the regulatory and compliance needs around access controls.<p>To this effect we begun working on Cerbos[0] a few years ago which initially targets that one specific use case - models policy in simple YAML [1] (love it or hate it!) and takes a stateless approach meaning it is infinitely scalable with none of the headache of synchronizing information about your users or resources to the authZ layer, also critically generates that single audit log of decisions.<p>Disclaimer: I work on the team that builds and maintains Cerbos[2].<p>[0] <a href="https://github.com/cerbos/cerbos">https://github.com/cerbos/cerbos</a><p>[1] <a href="https://play.cerbos.dev/p/XhkOi82fFKk3YW60e2c806Yvm0trKEje" rel="nofollow">https://play.cerbos.dev/p/XhkOi82fFKk3YW60e2c806Yvm0trKEje</a><p>[2] <a href="https://cerbos.dev" rel="nofollow">https://cerbos.dev</a>
Also checkout OPAL too <a href="https://docs.opal.ac/" rel="nofollow">https://docs.opal.ac/</a> which works with OPA to add a delivery layer and keep stuff in sync.<p>There's some other interesting work with spiffe/spire that I've been investingating for $WORK, could be useful to some on this path <a href="https://spiffe.io/docs/latest/microservices/envoy-opa/readme/" rel="nofollow">https://spiffe.io/docs/latest/microservices/envoy-opa/readme...</a>
If you’re using OPA or learning Rego, you might be interested in checking out Regal - the Rego linter.<p><a href="https://docs.styra.com/regal" rel="nofollow">https://docs.styra.com/regal</a><p>Disclaimer: I work on this but it’s free, & open source!
If you are looking for TLDR:<p>1. Define policies using declarative language Rego<p>2. Deploy OPA alongside your service as a sidecar in Kubernets<p>3. Make your service queries OPA when it needs to make policy decisions, passing the current state/context as input.<p>4. OPA evaluates the policies written in Rego against the input and returns a decision (allow or deny) back to your service.<p>Found it's hard to convince everyone around to use OPA/Rego and wrap into a managed service. The main objection - wrapping another DSL (domain-specific language) is hard.<p>However it was relatively simple to convince my team to use featured complete Go library Ladon <a href="https://github.com/ory/ladon">https://github.com/ory/ladon</a><p>Ladon is inspired by AWS IAM Policies.<p>{<p><pre><code> "description": "One policy to rule them all.",
"subjects": ["users:<peter|ken>", "users:maria", "groups:admins"],
"actions" : ["delete", "<create|update>"],
"effect": "allow",
"resources": [
"resources:articles:<.*>",
"resources:printer"
],
"conditions": {
"remoteIP": {
"type": "CIDRCondition",
"options": {
"cidr": "192.168.0.1/16"
}
}
}
</code></pre>
}<p>All policies are loaded on the app start, stored in memory (not DB) and checked with the help of small middleware which triggered the following function.<p>func (l *Ladon) DoPoliciesAllow(r *Request, policies []Policy) (err error)<p><a href="https://github.com/ory/ladon/blob/972387f17e29c529ad3ff42a8423117825409cd7/ladon.go#L74">https://github.com/ory/ladon/blob/972387f17e29c529ad3ff42a84...</a><p>Very negligible perfomance hit. Code is very simple, hackable, and can be subject for further optimisations.<p>Ladon is very fast. It's possible to run all user groups against all CRUD routes, and get the basic permission matrix or build some simple UI forms to test condition for better control.<p>P.s. Feel free to ping me in private @reactima (github, telegram) if you want to discuss the edge cases for the above.
For application authorization, Oso is a compelling solution. (Disclaimer: I work for Oso). It provides a DSL and a prescriptive, but flexible data model that are capable of modeling RBAC, ReBAC, ABAC, or whatever else you'd like to model. Obviously I'm biased, but I think it strikes a great balance between opinion and flexibility.<p>One significant complication that all centralized authorization solutions share is that you end up needing to reproduce application data in the authorization system. We've been doing a lot of work in this area to simplify data management and have some beta functionality available. I'll include some links to the docs for those.<p>Sync and reconcile data: <a href="https://www.osohq.com/docs/guides/data/sync-data#initial-sync" rel="nofollow">https://www.osohq.com/docs/guides/data/sync-data#initial-syn...</a>
Filter lists with decentralized data (about halfway down): <a href="https://www.osohq.com/docs/guides/enforce/filter-lists" rel="nofollow">https://www.osohq.com/docs/guides/enforce/filter-lists</a>