Open Policy Agent (OPA)

In traditional systems, policy was tightly coupled to the code it governed: both the policy definition and its enforcement were hardcoded into the application logic, and every platform and application defined its own policies using different policy languages, policy models, and policy APIs. As organizations moved to distributed applications, microservices, Kubernetes, and cloud-native technologies, policy-based access management became a burden for developers and administrators alike.

As a solution, Open Policy Agent (OPA) was introduced as a general-purpose policy engine that can be deployed alongside applications and managed centrally.

This article walks through the basics of Open Policy Agent and of integrating OPA with cloud-native technologies.

What is Open Policy Agent (OPA)?

Open Policy Agent was introduced in 2016 as a unified framework and toolset for policy management across the application stack. In 2018 its creators donated OPA to the Cloud Native Computing Foundation (CNCF), where it has grown into the policy engine we see today, capable of unifying policy across applications in both traditional environments and the cloud-native technology stack.

Simply put, Open Policy Agent (pronounced "oh-pa") is a general-purpose, domain-agnostic policy engine that decouples policy decision-making from policy enforcement: OPA makes the decision, and the calling service enforces it.

What is a Policy Engine?

A policy engine is a software component that lets the clients of a service (users or other systems) query it for policy decisions. A policy engine can be used to create, monitor, and apply policies that constrain access to data and network resources within a system.

A policy engine makes authorization decisions based on the policies loaded into it and on data from external sources such as user management systems and permission databases, whether that data is loaded ahead of time or fetched on the fly during a query.

Policy Engine Schema

Features of OPA

General-purpose and domain agnostic policy engine

OPA can be used to manage policies and rules in heterogeneous systems deployed in multiple platforms, in multiple languages, on the cloud, and in on-premise infrastructure, against arbitrary structured data like JSON and YAML.

So OPA applies to a wide range of domains and use cases, such as application authorization, Kubernetes admission control, and infrastructure policies, tackling the problem of policy enforcement at large. You can deploy OPA as a daemon (for example, a sidecar) or embed it as a library alongside any service in your technology stack.

Decouples policy from application logic

Even though business logic differs from application to application, policies are often shared between systems. OPA pulls policy out of the applications into a central location, allowing centralized policy management and governance, so engineers do not have to rewrite and redeploy applications every time a policy is added or updated.

Open-source and cloud-native policy engine

OPA is an open-source, CNCF-graduated project released under the permissive Apache 2 license, so users can not only freely access the OPA code but also adapt it to their own system and platform requirements.

Because OPA is cloud native, organizations can integrate it with technologies such as Kubernetes and Docker and with cloud platforms such as Google Cloud, AWS, and Azure.

Uses a high-level declarative policy language

OPA uses a purpose-built, high-level declarative language called Rego to express policies. Rego ships with built-in functions for JSON Web Tokens, time, networking, cryptography, and more. Because Rego is more readable than most general-purpose programming languages, stakeholders can better understand policies and can take part in policy creation and review.

How does OPA work?

Suppose you are running OPA alongside a service. At a high level, the process leading up to a policy query breaks down into three major steps.

  1. Deploying OPA

    • Deploy as a daemon – OPA can run as a separate process or as a sidecar container on the same host as your service. This keeps query latency low and avoids adding a network hop or an external dependency to your service's availability. For more information on how to deploy OPA as a daemon, see the OPA deployment documentation.

    • Deploy as a library – OPA can also be embedded as a Go library, so that policy evaluation runs inside your Go service. For services written in other languages, OPA can compile policies to WebAssembly modules that run in a WebAssembly runtime embedded in the service. See the OPA documentation on the Go API for details.

  2. Pushing data about the state of your service into the data store of OPA

    OPA makes decisions from facts about the state of your service and the outside world, so that data must be provided to OPA, which keeps it as JSON documents in its in-memory store. When the data changes over time, you push updates and OPA holds the latest state in memory. For example, to manage access control for a system you would load an Access Control List (ACL) into OPA as data and the rules that interpret it as policy.

  3. Policy querying, policy decision making, and offloading query output

    A query input, sent to OPA as JSON, triggers a policy decision. The fields of the input identify the decision in question. For example, if your service asks OPA "Is Anne allowed to GET the record at protected/record_1?", the input carries the method GET, the user Anne, and the path protected/record_1, and OPA evaluates the policy against those values.

    With data, policy, and input in place, OPA returns a query result in JSON to your service, which then applies its business logic based on that result. The result need not be a plain true/false value: OPA returns whatever JSON document the policy author chooses to produce.
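The three steps above, as an added example that is not part of the original article: a Rego policy for the "Is Anne allowed to GET protected/record_1" question. The ACL (data.acl), the input shape, the package name app.authz and the field names are all assumptions made for this example; the ACL fixture is constructed so the tests run offline. The code assumes OPA v0.59 or later for the rego.v1 syntax.

```rego
package app.authz

import rego.v1

# Deny by default: a user or path with no matching ACL entry gets no access.
default allow := false

# The service sends input such as
#   {"method": "GET", "user": "anne", "path": "protected/record_1"}
# and data.acl is loaded separately (acl_fixture below shows its shape).
allow if count(matched_prefixes) > 0

# Set of ACL path prefixes that grant this user this method on this path.
matched_prefixes contains entry.path_prefix if {
    some entry in data.acl
    entry.user == input.user
    input.method in entry.methods
    startswith(input.path, entry.path_prefix)
}

# OPA is not limited to booleans: the service can ask for this document
# instead of allow and log why the request was admitted.
decision := {
    "allow": allow,
    "user": input.user,
    "matched": matched_prefixes,
}

# ---- tests: run with `opa test -v authz.rego` ----

# Constructed ACL standing in for data.acl; not real data.
acl_fixture := [
    {"user": "anne", "methods": ["GET"], "path_prefix": "protected/"},
    {"user": "bob", "methods": ["GET", "PUT"], "path_prefix": "protected/"},
    {"user": "anne", "methods": ["GET", "PUT"], "path_prefix": "public/"},
]

test_anne_reads_protected_record if {
    inp := {"method": "GET", "user": "anne", "path": "protected/record_1"}
    allow with input as inp with data.acl as acl_fixture
}

test_anne_cannot_write_protected_record if {
    inp := {"method": "PUT", "user": "anne", "path": "protected/record_1"}
    not allow with input as inp with data.acl as acl_fixture
}

test_unknown_user_denied_by_default if {
    inp := {"method": "GET", "user": "mallory", "path": "protected/record_1"}
    not allow with input as inp with data.acl as acl_fixture
}

test_decision_document_reports_matches if {
    inp := {"method": "GET", "user": "anne", "path": "public/index"}
    d := decision with input as inp with data.acl as acl_fixture
    d.allow
    d.matched == {"public/"}
}
```

At runtime the same policy is served by `opa run --server authz.rego data.json` (with the ACL under the key `acl` in data.json), and the service queries `POST /v1/data/app/authz/decision` with a body of `{"input": {...}}`. Note the fail-closed shape: `default allow := false` means a missing field, an unknown user, or an empty data store all produce a denial rather than an undefined result.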

The OPA policy decision model works as follows.

OPA Decision Model

Where to use OPA?

As mentioned before, OPA integrates with many technologies for a wide range of use cases. Here we look at some of the major and popular ones.

  1. Application Authorization

    In application authorization, OPA is widely used for service-level authorization, end-user authorization, and product-suite authorization.

    A well-known example of service-level authorization is Netflix's use of OPA. Netflix needed to let its developers control service-level authorization for their own applications while preserving high availability and scalability across Netflix services. OPA's decoupled policy framework not only addressed the fundamental service-level authorization requirements across a heterogeneous pool of services but also made it possible to update and federate policies in real time across the Netflix environment. As a service-level authorization framework, OPA can also limit the lateral movement of an attacker who has compromised one service and is trying to reach others.

    OPA is widely used for end-user authorization, from simple models such as RBAC to more complex ones such as ABAC. Whichever model developers use, they can keep reusing OPA policies when a system outgrows its end-user authorization model or new systems are added.

    The third authorization model you can integrate with OPA is product-suite authorization. If an organization needs to unify authorization across a suite of different products, OPA can provide it with little friction. OPA is also a good fit for newly hosted cloud-native systems when a move to the cloud means leaving on-premises authorization systems behind, and it gives users a consistent authorization experience across the suite.

  2. Service Mesh Authorization

    OPA can regulate authorization requests in a service mesh architecture. When you integrate OPA into a service mesh, you can add, remove, and update authorization policies directly and apply them to every service in the mesh. As with end-user authorization, OPA limits lateral movement across the microservice architecture and at the same time helps organizations enforce compliance requirements.

  3. Kubernetes Admission Control

    Kubernetes ships with a basic set of built-in admission controllers. OPA extends them through the admission webhook mechanism: you can reject pods that pull images from outside corporate registries, ensure ingress hostnames are changed only by the front-end team, inject sidecar containers into pods, add annotations to resources, and so on. Policies that only accept or reject a request run as a validating admission webhook; to modify objects (sidecar injection, annotations) you register OPA as a mutating admission webhook as well.
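A validating admission policy for two of the checks just mentioned (corporate image registries and ingress hostname changes), added here as an example and not taken from the article or from the OPA project. The registry allowlist, the `frontend-team` group, the package name and the AdmissionReview fixtures are assumptions constructed for the example; the request and response field names follow the admission.k8s.io/v1 AdmissionReview schema. Assumes OPA v0.59 or later.

```rego
package kubernetes.admission

import rego.v1

# Constructed allowlist for this example; a real deployment would load
# these registries as data rather than hardcode them in the policy.
allowed_registries := {"registry.corp.example.com/", "quay.corp.example.com/"}

# Hypothetical group whose members may create or change Ingress hosts.
ingress_owners := {"frontend-team"}

# Every violation becomes one message. An empty set means "admit".
deny contains msg if {
    input.request.kind.kind == "Pod"
    some container in input.request.object.spec.containers
    not image_from_corporate_registry(container.image)
    msg := sprintf("container %q uses image %q, which is outside the corporate registries", [container.name, container.image])
}

deny contains msg if {
    input.request.kind.kind == "Ingress"
    input.request.operation in {"CREATE", "UPDATE"}
    not requester_in_group(ingress_owners)
    some rule in input.request.object.spec.rules
    msg := sprintf("ingress host %q may only be created or changed by the front-end team", [rule.host])
}

image_from_corporate_registry(image) if {
    some registry in allowed_registries
    startswith(image, registry)
}

requester_in_group(groups) if {
    some g in input.request.userInfo.groups
    g in groups
}

# AdmissionReview response returned to the API server; the uid must echo
# the request's uid or the API server discards the response.
main := {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "response": response,
}

response := {"uid": input.request.uid, "allowed": true} if {
    count(deny) == 0
}

response := {
    "uid": input.request.uid,
    "allowed": false,
    "status": {"reason": concat("; ", deny)},
} if {
    count(deny) > 0
}

# ---- tests: run with `opa test -v admission.rego` ----

# Constructed AdmissionReview fragments used only by the tests.
pod_review(image) := {"request": {
    "uid": "1234",
    "kind": {"group": "", "version": "v1", "kind": "Pod"},
    "operation": "CREATE",
    "userInfo": {"username": "dev", "groups": ["developers"]},
    "object": {"spec": {"containers": [{"name": "app", "image": image}]}},
}}

ingress_review(groups) := {"request": {
    "uid": "5678",
    "kind": {"group": "networking.k8s.io", "version": "v1", "kind": "Ingress"},
    "operation": "UPDATE",
    "userInfo": {"username": "dev", "groups": groups},
    "object": {"spec": {"rules": [{"host": "shop.example.com"}]}},
}}

test_corporate_image_admitted if {
    inp := pod_review("registry.corp.example.com/shop/api:1.4")
    count(deny) == 0 with input as inp
}

test_public_image_rejected if {
    inp := pod_review("docker.io/library/nginx:latest")
    r := main.response with input as inp
    r.allowed == false
    contains(r.status.reason, "outside the corporate registries")
}

test_ingress_change_by_frontend_team_admitted if {
    inp := ingress_review(["frontend-team"])
    count(deny) == 0 with input as inp
}

test_ingress_change_by_other_team_rejected if {
    inp := ingress_review(["developers"])
    count(deny) == 1 with input as inp
}
```

The API server POSTs the AdmissionReview object itself as the webhook body, not wrapped in `{"input": ...}`, so the webhook URL should point at an OPA endpoint that takes the raw body as input (OPA's own Kubernetes tutorial serves the response document from the root path); a ValidatingWebhookConfiguration with `failurePolicy: Fail` is what keeps this fail-closed when OPA is unreachable.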

  4. API Authorization

    Integrate OPA with Envoy, Istio (whose data plane is Envoy), and similar platforms as an external authorization service to enforce identity and access management controls on API traffic.
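An example of API authorization behind Envoy's external authorization filter, combining the JWT built-ins mentioned earlier with route-level rules; this is added code, not from the article or the OPA project. The input shape (`input.attributes.request.http...`) is what the OPA-Envoy plugin passes to the policy; the shared HMAC secret, issuer URL, paths, roles and the `signed_token` and `ext_authz_input` helpers are assumptions constructed so the tests run offline. Assumes OPA v0.59 or later.

```rego
package envoy.authz

import rego.v1

default allow := false

# Constructed HMAC secret shared with the token issuer, used so the example
# runs offline. Production deployments should verify RS256/ES256 tokens
# against the issuer's public key (the "cert" constraint) instead.
jwt_secret := "build-security-shared-secret-1"

issuer := "https://issuer.example.com"

# Envoy lowercases header names before handing them to ext_authz.
bearer_token := t if {
    auth := input.attributes.request.http.headers.authorization
    startswith(auth, "Bearer ")
    t := substring(auth, count("Bearer "), -1)
}

# Signature, issuer and expiry are checked in one call. If any check fails,
# claims stays undefined and every rule that depends on it fails closed.
claims := payload if {
    [valid, _, payload] := io.jwt.decode_verify(bearer_token, {
        "secret": jwt_secret,
        "iss": issuer,
    })
    valid
}

# Any authenticated subject may read the catalog.
allow if {
    input.attributes.request.http.method == "GET"
    startswith(input.attributes.request.http.path, "/catalog/")
    is_string(claims.sub)
}

# Only tokens carrying the admin role may modify orders.
allow if {
    input.attributes.request.http.method in {"POST", "PUT", "DELETE"}
    startswith(input.attributes.request.http.path, "/orders/")
    "admin" in claims.roles
}

# ---- tests: run with `opa test -v envoy_authz.rego` ----

# Signs a constructed token; the JWK "k" field is the base64url form of the
# raw secret bytes, while decode_verify takes the raw secret string.
signed_token(payload, secret) := io.jwt.encode_sign(
    {"typ": "JWT", "alg": "HS256"},
    payload,
    {"kty": "oct", "k": base64url.encode_no_pad(secret)},
)

ext_authz_input(method, path, token) := {"attributes": {"request": {"http": {
    "method": method,
    "path": path,
    "headers": {"authorization": concat(" ", ["Bearer", token])},
}}}}

# exp is 2100-01-01T00:00:00Z so the sample tokens stay valid.
customer := {"iss": issuer, "sub": "alice", "roles": ["customer"], "exp": 4102444800}
admin := {"iss": issuer, "sub": "root", "roles": ["admin"], "exp": 4102444800}

test_customer_reads_catalog if {
    inp := ext_authz_input("GET", "/catalog/items", signed_token(customer, jwt_secret))
    allow with input as inp
}

test_customer_cannot_delete_orders if {
    inp := ext_authz_input("DELETE", "/orders/42", signed_token(customer, jwt_secret))
    not allow with input as inp
}

test_admin_deletes_orders if {
    inp := ext_authz_input("DELETE", "/orders/42", signed_token(admin, jwt_secret))
    allow with input as inp
}

test_token_signed_with_wrong_key_rejected if {
    inp := ext_authz_input("GET", "/catalog/items", signed_token(customer, "not-the-shared-secret-000000"))
    not allow with input as inp
}

test_missing_token_rejected if {
    inp := {"attributes": {"request": {"http": {"method": "GET", "path": "/catalog/items", "headers": {}}}}}
    not allow with input as inp
}
```

The OPA-Envoy plugin queries `envoy/authz/allow` by default, so the package and rule names above match what the filter expects. Keep the decision fail-closed as shown: verification failures leave `claims` undefined rather than returning an error value a later rule might accidentally treat as truthy.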

  5. Pluggable Authentication Modules (PAM) Plugin

    Linux PAM provides fine-grained controls for services such as SSH and sudo. OPA has a PAM module that integrates with Linux PAM and enforces OPA policies, so you can restrict SSH and sudo access with OPA policy.

For more OPA use cases and related projects visit here.

Getting Started with OPA

By now you should have a clear picture of what OPA is, how it works, and what problems it solves, and it is time to start using OPA in real applications. Rather than give a "hello world" example, we think it is more useful to point you to comprehensive OPA and Rego learning resources.

There are many free resources to get started using OPA and Rego.

Final Words

The Gartner report Market Guide for Compliance Automation Tools in DevOps identifies Open Policy Agent as a future-proof tool that can contribute substantially to protecting cloud and container-based infrastructure in agile environments. "The OPA open-source initiative has started to emerge as a source for an ecosystem of startups building enterprise capabilities over OPA.", Gartner foresees, and having worked with OPA, we could not agree more.

Subscribe to build.security’s newsletter