Enforce Open Policy Agent (OPA) policies for more fine-grained access control.

About OPA

OPA is an open source, general-purpose policy engine that you can use to enforce versatile policies in a uniform way across your organization. Compared to a role-based access control (RBAC) authorization system, OPA allows you to create more fine-grained policies. For more information, see the OPA docs.

OPA policies are written in Rego. Based on the older query languages Prolog and Datalog, Rego extends support to more modern document models such as JSON.

Gloo Platform's OPA integration populates an input document to use in your OPA policies. The structure of the input document depends on the context of the incoming request, described in the following table. For more information about input documents, see the OPA docs.

OPA input structure Description
input.check_request By default, all OPA policies contain an Envoy Auth Service CheckRequest. This object has all the information that Envoy gathers about the request being processed. You can view the structure of this object in the attributes section of the linked Envoy doc.
input.http_request When processing an HTTP request, Envoy populates this field for convenience. For the structure of this object, see the Envoy HttpRequest docs and proto files.
input.state.jwt If you use OAuth, the token retrieved during the OIDC flow is placed into this field.

OPA with other types of external auth

The OPA external auth module can be combined with other external auth modules, such as API keys, to perform additional validation checks on incoming requests. To find an example of how to use API keys and OPA together, see API key and OPA.

The following video shows an example of using OAuth and OPA.

OPA implementation options

Gloo Platform's external auth service supports three main ways to implement OPA. You can also use a mix of implementations in the same cluster. Just be sure to create separate external auth policies for each implementation.

OPA-Envoy plugin API

The OPA sidecar for the Gloo Platform external auth server includes the OPA-Envoy plugin API. This way, you can use OPA to evaluate requests with metadata from Envoy, such as the request and response headers, body, status code, and other metadata. For more information, see the OPA docs.

Monitor your OPA environment in Grafana

Import a pre-built Grafana dashboard to visualize the metrics that the Open Policy Agent records. These metrics include information on the OPA engine performance, such as CPU and memory stats, response times, and bundle status. This feature is available for OPA version 0.58.0 or later.

To set up the dashboard, see Import the OPA dashboard.