How to Leverage Open Policy Agent to Simplify Cloud Native App Authorization

Jared Elder June 9, 2021

As more and more organizations move to the cloud, they are adopting microservice architectures and containerization to build, deploy and manage their applications. These architectural variations provide numerous advantages including faster deployments, greater scalability and flexibility, and cost-effectiveness. But they also create challenges for development and security teams.

Microservice-based applications are more distributed and dynamic. Each application may have dozens or hundreds of microservices which communicate with each other, and lead to numerous OS-level processes and APIs. Developers may need access to all these microservices to troubleshoot issues. However, they should not be able to make API calls to the database that may cause problems to the end user (say, a customer). Equally important, they should not be able to read customers’ PII or financial data.

To manage such concerns, there must be an authorization control on top of each microservice that checks whether an authorized user has the necessary privileges to perform a particular operation. Ideally, it should be robust and allow for centralized management.

Here’s where many organizations are turning to Open Policy Agent (OPA).

OPA (pronounced oh-pa) provides a unified framework for authorization and policy enforcement across the entire cloud-native environment.

What is Open Policy Agent (OPA)?

OPA is an open-source, general-purpose, domain-agnostic policy engine for building, testing, enforcing and debugging authorization policies. It provides simple APIs to “decouple” policy enforcement from policy decision-making.

OPA’s high-level declarative language, Rego (pronounced ray-go), allows teams to specify “policy as code” so they can define policies to address issues like: Which records is Steve allowed to view? With this approach, policies are “codified” to simplify enforcement and management. It also enables the org to detect policy violations and remediate them across their cloud-native stack.

OPA can be used to enforce policies in microservices, API gateways, CICD pipelines, etc.

A number of popular apps and tools use OPA, including:

  •   Collaboration: Chef Automate, Atlassian Suite
  •   OTP Streaming: Netflix
  •   Social Media: Pinterest, Yelp
  •   Web infrastructure and website security: Cloudflare

How OPA Authorization Works

When the application needs to make policy decisions, it provides input in the form of arbitrary structured data, e.g. JSON, and queries OPA. OPA evaluates the query, compares it against policies, and generates policy decisions. These decisions are not limited to yes/no or allow/deny, but can also generate arbitrary structured or complex data as output: a number, string, True or False JSON object, etc.

Since OPA and Rego are both domain-agnostic, teams have the flexibility to describe numerous invariants in their policies to control things like:

  •   Which users can access which resources, at what times, and what they can do within an application
  •   Which OS capabilities a container can execute with
  •   Clusters a workload must be deployed to

OPA can be easily integrated with APIs, Linux PAM, Kubernetes, Kafka, ElasticSearch, SQLite, CEPH, etc.

OPA Deployment Options

OPA can be deployed as a:

  •   Go library: As a third-party library if the application is written in Golang
  •   Daemon: If OPA is deployed like any other service, the best way to ensure high performance and availability is to use a sidecar container or run it on the host level.

OPA APIs for Management and Control

Different APIs with different purposes support policy management and control in OPA:

  •   Status service: Communicates the current policy version active on OPA
  •   Bundle service: Sends policy data to OPA and helps with the application of new versions
  •   Decision log service: Maintains a log of policy decisions for later audit and/or troubleshooting

Get Survey Report

Why Use OPA for Cloud-native App Authorization

In today’s cloud-native microservice-based application environments, multiple dev teams work independently on individual components. This improves efficiency, speed up development, and positively impact the quality and timeliness of the final delivery.

But this distributed arrangement also makes it difficult to maintain and enforce authorization policies for different services. Often, as the number of teams increases, it results in more and more hardcoded implementations in different languages, and with different enforcement guarantees and ways to track unauthorized access attempts.

OPA provides an effective solution to all these issues. OPA’s single language, GUI and architecture enable teams to:

  •   Write policies
  •   Distribute them to the services that need them
  •   Enforce them
  •   Control access
  •   Log decisions

With OPA’s pre-built authorization technology, dev teams don’t have to build policies from scratch. Moreover, policies need to be written only once, even if they are to be enforced in multiple places. The enforcement is also consistent across all services. A rich toolset enables developers to easily integrate these policies into their applications. All these advantages accelerate application time-to-market.

But OPA has broader implications that go beyond development and IT. Since it decouples governing policies and authorization decisions from the application and its business logic, it enables security and compliance teams to review policies separately from implementation. Moreover, these policies can be updated dynamically. Also, all decisions are logged consistently, which enables easier SIEM analysis. If there are any unauthorized access attempts, there’s no need to check multiple tools to trace them, or to pull information from various systems to prepare compliance reports.

Furthermore, OPA’s consistent policy framework enables dev, security, operations and compliance teams to collaborate better and speak the same “language” in order to simplify policy implementation and control across the entire stack.

Conclusion

OPA is increasingly considered the “de facto” standard for implementing and establishing authorization policies in cloud-native environments and applications. And with good reason! OPA makes it easy for companies to write policies that their dev teams can easily understand. These policies are also easy to translate across multiple applications and components, so they no longer have to have to manage different authorization models, APIs and GUIs.

Overall, OPA provides all the capabilities and tools organizations need to easily create and enforce their authorization policies, simplify access control, and save coding time and effort. Over time, OPA helps increase development security, eases compliance, and speeds up time-to-market.

 

Subscribe to build.security’s newsletter

Keep up with the latest news on our authorization policy management platform