OPA for policy enforcement

Slide 1

Slide 1 text

OPA for policy OPA for policy enforcement enforcement Sibi Prabakaran April 29, 2020

Slide 2

Slide 2 text

Agenda Agenda Overview of OPA Rego Usecases/Integra ons Example integra on of OPA + Python web service

Slide 3

Slide 3 text

OPA OPA Project started in a company named Styra at 2016 Currently an incubator project at Linux founda on (CNCF) Goal: Unify policy enforcement

Slide 4

Slide 4 text

Overview Overview

Slide 5

Slide 5 text

Rego Rego Language for wri ng policy Expresssions, Variables, Rules Itera on Tooling

Slide 6

Slide 6 text

Expressions Expressions > input.servers[0].protocols[0] "https" > input.servers[0].protocols[0] undefined decision input.servers[0].id == "app" input.servers[0].protocols[0] == "https"

Slide 7

Slide 7 text

Rego Variables Rego Variables hello := "world"

Slide 8

Slide 8 text

Iteration Iteration networks = [{ "id": "net1", "public": false}, { "id": "net2", "public": false}] > networks[x] +---+------------------------------+ | x | networks[x] | +---+------------------------------+ | 0 | {"id":"net1","public":false} | | 1 | {"id":"net2","public":false} | +---+------------------------------+

Slide 9

Slide 9 text

Rules Rules any_public_networks = true { # is true if... net := networks[_] # some network exists and.. net.public # it is public. }

Slide 10

Slide 10 text

API Integration API Integration Python code Rego code

Slide 11

Slide 11 text

Experience Experience Policies Error messages aren’t nice Community Tooling

Slide 12

Slide 12 text

OPA OPA Integrations Integrations

Slide 13

Slide 13 text

Comparision Comparision with Sentinel with Sentinel Open Source Applicable more generally Language diﬀerences

Slide 14

Slide 14 text

Other Stu Other Stu WASM Support Editor integra ons h ps:/ /play.openpolicyagent.org/