Skip to content

Latest commit

 

History

History
 
 

api_authz

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 

HTTP API Authorization with OPA

This directory helps provide fine-grained, policy-based control over who can run which RESTful APIs.

A tutorial is available at HTTP API Authorization

Contents

  • A sample web application that asks OPA for authorization before executing an API call (docker/)
  • A default policy that allows /finance/salary/<user> for <user> and for <user>'s manager (docker/policy)
    • There are two policies given. The first is example.rego (and additionally, example-hr.rego from the tutorial), which is the default policy. The second is example-jwt.rego, which allows you to perform the same task, but by communicating information relevant to the policy via JSON Web Tokens. The tokens to use for the second policy can be found in the tokens directory. Files with the jwt extension are the tokens themselves, and files with the txt extension are their respective decoded tokens for reference.
    • Policies are provided to OPA in the form of bundles, where a simple Nginx server acts as a bundle server in the docker compose environment.

Setup

The web application, the bundle server and OPA all run in docker-containers. For convenience, we included a docker-compose file, so you'll want docker-compose installed.

Note that if using Docker Desktop, you may instead use the docker compose command.

To build the containers and get them started, use the following make commands.

make       # build the containers with docker
make up    # start the containers with docker-compose

To instead use the example with JSON Web Tokens, use the following make commands.

make             # build the containers with docker
make up-token    # start the containers with docker-compose