openpolicyagent
Policy-based control for cloud native environments
Home Page: Open Policy Agent
Flexible, fine-grained control for administrators across the stack
> Use OPA to decouple policy from the service’s code so you can release, analyze, and review policies (which security and compliance teams love) without sacrificing availability or performance.

> Stop using a different policy language, policy model, and policy API for every product and service you use. Use OPA for a unified toolset and framework for policy across the cloud native stack.
Declarative policy (sample code):

Policy:

```rego
package application.authz

import future.keywords

# Only owner can update the pet's information
# Ownership information is provided as part of OPA's input
default allow := false

allow if {
    input.method == "PUT"
    some petid
    input.path = ["pets", petid]
    input.user == input.owner
}
```

Input:

```json
{
    "method": "PUT",
    "owner": "bob@hooli.com",
    "path": [
        "pets",
        "pet113-987"
    ],
    "user": "alice@hooli.com"
}
```

Output:

```json
{
    "allow": false
}
```
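The behaviour of the policy above can be pinned down with Rego unit tests. The following is an added example, not part of the original page or of the OPA project's own code: the test names and the `owner_put` helper are assumptions, the inputs are constructed, and the policy is repeated so the file runs on its own with `opa test -v` on whatever file it is saved to.

```rego
package application.authz

import future.keywords

# Policy repeated from the page so that this file runs on its own.
default allow := false

allow if {
    input.method == "PUT"
    some petid
    input.path = ["pets", petid]
    input.user == input.owner
}

# Constructed base request (hypothetical helper): bob updates a pet he owns.
owner_put := {
    "method": "PUT",
    "owner": "bob@hooli.com",
    "path": ["pets", "pet113-987"],
    "user": "bob@hooli.com",
}

test_owner_can_update if {
    allow with input as owner_put
}

# The page's sample input: alice is not the owner.
test_non_owner_denied if {
    not allow with input as object.union(owner_put, {"user": "alice@hooli.com"})
}

# Only PUT is covered; any other method falls through to the default.
test_other_method_denied if {
    not allow with input as object.union(owner_put, {"method": "DELETE"})
}

# Extra path segments do not unify with ["pets", petid].
test_longer_path_denied if {
    not allow with input as object.union(owner_put, {"path": ["pets", "pet113-987", "owner"]})
}

# With user and owner both absent the comparison is undefined, not true,
# so the rule body fails and the default deny applies.
test_missing_identity_denied if {
    not allow with input as {"method": "PUT", "path": ["pets", "pet113-987"]}
}
```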
The Rego Playground is the place to write and evaluate policies against input.