SlideShare a Scribd company logo

Opa microservice authorization

Download as PPTX, PDF
A
Anders Eknert

Open Policy Agent (OPA) is a general purpose policy engine that decouples authorization policies from application logic. It provides a unified way to handle policies across stacks independently of other technology choices. Rego is OPA's policy language, inspired by Datalog, which extends it to support structured documents like JSON. Policies in Rego are assertions on data stored in OPA. The demo shows OPA running as a sidecar in three deployments simulating a multi-tier architecture where each tier authorizes requests before passing to the next based on data like JWTs.

Technology
1 of 18
Downloaded 11 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
Anders Eknert, Developer Advocate, Bisnode Decoupled policy management and enforcement at scale Microservice authorization with Open Policy Agent
Open Policy Agent (OPA) • General purpose policy engine. • Decouples (most commonly, authorization) policies from application logic. • Provides a unified way of dealing with policies across the stack, independent to othertechnology choices made. • Use cases ranging from kubernetes admission control, microservice authorization and data sources, to CI/CD pipeline policies. • Vibrant Open Source community. • Commercial backer(Styra).
Running OPA – “the distributed parts” OPA canrunina numberofconfigurations,dependingonusecase • Standaloneserver • Sidecarcontainerinside pods • Go library • WASM
https://www.openpolicyagent.org/docs/latest/policy- language/ “Rego was inspired by Datalog, which is awell understood, decades oldquery language. Rego extends Datalog to support structured document models such asJSON. Rego queries are assertions on data stored in OPA. These queries canbe used to define policies that enumerate instancesof data that violate the expected state of the system.” Rego policy language
The Rego playground - try it out! https://play.openpolicyagent.org/ https://play.openpolicyagent.org
Data Inordertomake informeddecisions,OPAneedsdata. Thereare manyway ofprovidingOPA withthis. • Input (along with the request),including JWTs • Push data into OPA • Bundleserver(pull) • http.send function
Policy management – “the centralized parts” OPA delegatesmanagementresponsibilitiesusingseveralmanagement APIs • The bundleAPI • The decision log API • Status and healthAPI
Demo OPA server and simple policy authoring
Use cases and integrations
Conftest Writetests onanystructureddata
Validating admission controller webhook
Mutating admission controller webhook
Integration with databases, and much more! https://www.openpolicyagent.org/docs/latest/ecosyst em
Microservice authorization
Running OPA as a sidecar
Demo OPA runningas sidecarinthreedeployments,simulatingann-tieredarchitecture,where thefirstcallcomesin totheAPItier,whichauthorizestherequest(datafromJWT) beforepassingit(includingtheJWT)forwardto theorchestrationtier,whichdoesthesame thing,beforepassingitforwardtotheservicetier. Each service/tier is responsible for authorizingthe request, given any unique requirements it may have.
Demo
Finally Thanks!

More Related Content

PPTX
Securing APIs with Open Policy Agent
Anders Eknert
 
PDF
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
Michael Man
 
PDF
Open Policy Agent
Torin Sandall
 
PDF
Dynamic Authorization & Policy Control for Docker Environments
Torin Sandall
 
PPTX
OPA APIs and Use Case Survey
Torin Sandall
 
PPTX
OAuth2 Authorization Server Under the Hood
Lohika_Odessa_TechTalks
 
PPTX
GraphQL Security
Shiu-Fun Poon
 
PDF
Traffic Analytics for Linked Data Publishers
Luca Costabello
 
Securing APIs with Open Policy Agent
Anders Eknert
 
DSO-LG 2021 Reboot: Policy As Code (Anders Eknert)
Michael Man
 
Open Policy Agent
Torin Sandall
 
Dynamic Authorization & Policy Control for Docker Environments
Torin Sandall
 
OPA APIs and Use Case Survey
Torin Sandall
 
OAuth2 Authorization Server Under the Hood
Lohika_Odessa_TechTalks
 
GraphQL Security
Shiu-Fun Poon
 
Traffic Analytics for Linked Data Publishers
Luca Costabello
 

What's hot (20)

PPTX
Fire kit ios (r-baldwin)
DevDays
 
PPTX
Furore devdays2017 tdd-2-advanced
DevDays
 
PPTX
Vonk fhir facade (christiaan)
DevDays
 
PPTX
Log analysis using elk
Rushika Shah
 
PPTX
Profiling with clin fhir
DevDays
 
PDF
#OSSPARIS19 - How to improve database observability - CHARLES JUDITH, Criteo
Paris Open Source Summit
 
PPTX
Jumpstart: MongoDB BI Connector & Tableau
MongoDB
 
PDF
Elk - An introduction
Hossein Shemshadi
 
PDF
New Product Introductions - Minesoft
Dr. Haxel Consult
 
PPTX
FHIR Server internals - sqlonfhir
Brian Postlethwaite
 
PDF
What Is ELK Stack | ELK Tutorial For Beginners | Elasticsearch Kibana | ELK S...
Edureka!
 
PDF
WSO2 Data Services Server - Product Overview
WSO2
 
PPTX
Kantara OTTO slides
Mike Schwartz
 
PPTX
Fhir dev days 2017 fhir profiling - overview and introduction v07
DevDays
 
PPTX
API
Masters Academy
 
PDF
Lighting a Beacon: training for (future) implementers
CINECAProject
 
PPTX
Gateways 2020 Tutorial - Instrument Data Distribution with Globus
Globus
 
PPTX
Gateways 2020 Tutorial - Automated Data Ingest and Search with Globus
Globus
 
PDF
Countering Threats with the Elastic Stack at CERDEC/ARL
Elasticsearch
 
PPTX
Demystifying messaging communication patterns
Radu Vunvulea
 
Fire kit ios (r-baldwin)
DevDays
 
Furore devdays2017 tdd-2-advanced
DevDays
 
Vonk fhir facade (christiaan)
DevDays
 
Log analysis using elk
Rushika Shah
 
Profiling with clin fhir
DevDays
 
#OSSPARIS19 - How to improve database observability - CHARLES JUDITH, Criteo
Paris Open Source Summit
 
Jumpstart: MongoDB BI Connector & Tableau
MongoDB
 
Elk - An introduction
Hossein Shemshadi
 
New Product Introductions - Minesoft
Dr. Haxel Consult
 
FHIR Server internals - sqlonfhir
Brian Postlethwaite
 
What Is ELK Stack | ELK Tutorial For Beginners | Elasticsearch Kibana | ELK S...
Edureka!
 
WSO2 Data Services Server - Product Overview
WSO2
 
Kantara OTTO slides
Mike Schwartz
 
Fhir dev days 2017 fhir profiling - overview and introduction v07
DevDays
 
API
Masters Academy
 
Lighting a Beacon: training for (future) implementers
CINECAProject
 
Gateways 2020 Tutorial - Instrument Data Distribution with Globus
Globus
 
Gateways 2020 Tutorial - Automated Data Ingest and Search with Globus
Globus
 
Countering Threats with the Elastic Stack at CERDEC/ARL
Elasticsearch
 
Demystifying messaging communication patterns
Radu Vunvulea
 
Ad

Similar to Opa microservice authorization (20)

PPTX
Securing APIs with Open Policy Agent
Nordic APIs
 
PPTX
Cloud native policy enforcement with Open Policy Agent
LibbySchulze
 
PDF
Cisco Connect Halifax 2018 Application insight and zero trust policies with...
Cisco Canada
 
PPTX
Data Domain-Driven Design
Kiran Kumar Chittoori
 
PDF
Advanced Automated Analytics Using OSS Tools, GA Tech FDA Conference 2016
Grid Protection Alliance
 
PDF
Design patterns
ACCESS Health Digital
 
PPT
Building Cyber-infrastructure at UNC-CH
Gary Wilhelm
 
PPT
A Framework for Geospatial Web Services for Public Health by Dr. Leslie Lenert
Wansoo Im
 
PDF
Crossing the Analytics Chasm and Getting the Models You Developed Deployed
Robert Grossman
 
PPT
Moore RDAP11 Policy-based Data Management
ASIS&T
 
PDF
Big Data Technologies.pdf
RAHULRAHU8
 
PDF
Hoffman and Rajan "Metadata: The Importance of Interoperability, and Factors ...
National Information Standards Organization (NISO)
 
PDF
WSO2 Machine Learner - Product Overview
WSO2
 
PDF
Architect’s Open-Source Guide for a Data Mesh Architecture
Databricks
 
PDF
BD_Architecture and Charateristics.pptx.pdf
eramfatima43
 
PPTX
Bring N-Tier Apps to containers 2015 ContainerCon
Chris Haddad
 
PPTX
Avoiding the 927 Problem: Standards, Digital Preservation, and Communities of...
Artefactual Systems - Archivematica
 
PPTX
Hughes RDAP11 Data Publication Repositories
ASIS&T
 
PDF
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
LibbySchulze
 
PDF
Maven and google pharma r&d (1)
Matt Barnes
 
Securing APIs with Open Policy Agent
Nordic APIs
 
Cloud native policy enforcement with Open Policy Agent
LibbySchulze
 
Cisco Connect Halifax 2018 Application insight and zero trust policies with...
Cisco Canada
 
Data Domain-Driven Design
Kiran Kumar Chittoori
 
Advanced Automated Analytics Using OSS Tools, GA Tech FDA Conference 2016
Grid Protection Alliance
 
Design patterns
ACCESS Health Digital
 
Building Cyber-infrastructure at UNC-CH
Gary Wilhelm
 
A Framework for Geospatial Web Services for Public Health by Dr. Leslie Lenert
Wansoo Im
 
Crossing the Analytics Chasm and Getting the Models You Developed Deployed
Robert Grossman
 
Moore RDAP11 Policy-based Data Management
ASIS&T
 
Big Data Technologies.pdf
RAHULRAHU8
 
Hoffman and Rajan "Metadata: The Importance of Interoperability, and Factors ...
National Information Standards Organization (NISO)
 
WSO2 Machine Learner - Product Overview
WSO2
 
Architect’s Open-Source Guide for a Data Mesh Architecture
Databricks
 
BD_Architecture and Charateristics.pptx.pdf
eramfatima43
 
Bring N-Tier Apps to containers 2015 ContainerCon
Chris Haddad
 
Avoiding the 927 Problem: Standards, Digital Preservation, and Communities of...
Artefactual Systems - Archivematica
 
Hughes RDAP11 Data Publication Repositories
ASIS&T
 
CNCF Online - Data Protection Guardrails using Open Policy Agent (OPA).pdf
LibbySchulze
 
Maven and google pharma r&d (1)
Matt Barnes
 
Ad

Recently uploaded (20)

PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
PDF
Getting Started with Data Integration: FME Form 101
Safe Software
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
PDF
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Video forgery: An extensive analysis of inter-and intra-frame manipulation al...
IAESIJAI
 
Getting Started with Data Integration: FME Form 101
Safe Software
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
Network Security Unit 5.pdf for BCA BBA.
Serpent6
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
A Presentation on Artificial Intelligence
memembruh336
 
gpt5_lecture_notes_comprehensive_20250812015547.pdf
Chinchu40
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 

Opa microservice authorization

Editor's Notes

  • #3: General purpose policy engine. Decouples (most commonly, authorization) policies from application logic. Provides a unified way of dealing with policies across the stack, independent to other technology choices made. Use cases ranging from kubernetes admission control, microservice authorization and data sources, to CI/CD pipeline policies. Vibrant Open Source Project with a commercial backer (Styra).
  • #7: VS ”old school” model where data is retrieved from permissions store