Open Policy Agent (OPA) is an open source, general-purpose policy engine that provides a high-level declarative language that lets you specify policy as code. OPA also offers simple APIs to offload policy decision-making from your software.
This document describes a simplified version of configuring OPA in TSB, to accompany sections where it is used as the external authorization (ext-authz) service. In your actual application there may be differences that require tweaking.
Tetrate does not offer support for OPA. Please look elsewhere if you need support for your use case.
For a more detailed explanation of the configurations described below, please refer to the official documentation.
Preparing a Policy
OPA requires a policy file written in OPA's policy language to decide whether requests should be authorized. Since the actual policy will differ significantly from example to example, details on how to write this file are not covered in this document. Please refer to the documentation on the OPA website for details.
One thing to note is the package name specified in the policy file. If you have a policy file that has the following package declaration, you will be using the value helloworld.authz in the container configuration later.