Instead of using OPA embedded bundle to update policy, you can use this plugin to integrate amqp server and opa.
This plugin will consume amqp queue after the opa start.
So assume the amqp publisher publish the new policy then the consumer of opa-amqp-plugin will consume this message and send request to update opa policy.
- build opa-amqp-plugin:
make build-opa - reference config:
plugins:
amqp_policy_consumer:
amqpUrl: amqp://localhost:5672
exchangeName: test-exchange
routerKey: test-key
queueName: test-queueWhen running opa-amqp-plugin, we need provide above config file.
This config should provide amqpUrl, exchangeName, routerKey, queueName, so it can start amqp consumer successfully.
- run opa-amqp-plugin:
./build/bin/opa-amqp run --server --config-file config.yaml - build amqp-publisher:
make build-publisher - run amqp-publisher:
./build/bin/amqp-publisher
After running amqp-publisher, it will publish this rego policy:
package policy
default allow = false
allow {
some id
input.method = "GET"
input.path = ["salary", id]
input.subject.user = id
}
allow {
is_admin
}
is_admin {
input.subject.groups[_] = "admin"
}- use curl commend to check policy if it updeted.:
curl localhost:8181/v1/data/policy/allow -d @input.json -H 'Content-Type: application/json'
this input.json file content is:
{
"input": {
"method": "GET",
"path": ["salary", "bob"],
"subject": {
"user": "bob"
}
}
}or
{
"input": {
"subject": {
"user": "bob",
"groups": ["sales", "admin"]
}
}
}These responses will show result: {"result":true}
For more details about config file and input.json file should see example