mshoaibiqbal/opa-python-sidecar
OPA Python Sidecar Example

A demonstration of using Open Policy Agent (OPA) as a sidecar with a Python Flask application for policy-driven authorization.

Project Structure

opa-python-sidecar/
├── app/
│   ├── __init__.py
│   ├── app.py              # Flask application
│   └── opa_client.py       # OPA client
├── policies/
│   ├── authz.rego          # Authorization policies
│   └── authz_test.rego     # Policy tests
├── tests/
│   └── integration/
├── docker-compose.yml
├── Dockerfile
├── requirements.txt
└── README.md

Prerequisites (macOS)

  1. Install Homebrew (if not already installed):

    /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
  2. Install Docker Desktop:

    brew install --cask docker
  3. Start Docker Desktop:

    • Open Docker from your Applications folder
    • Wait for Docker to fully start (whale icon in menu bar stops animating)
  4. Verify installation:

    docker --version
    docker compose version

Quick Start

Run with Docker Compose

docker compose up --build

This starts:

  • OPA server on port 8181
  • Flask app on port 5001

Test the API

Admin access (full access):

curl -X GET http://127.0.0.1:5001/api/resources/resource_1 \
  -H "X-User-ID: admin_1" \
  -H "X-User-Role: admin"

User accessing own resource (allowed):

curl -X GET http://127.0.0.1:5001/api/resources/resource_1 \
  -H "X-User-ID: user_123" \
  -H "X-User-Role: user"

User accessing another user's resource (denied):

curl -X GET http://127.0.0.1:5001/api/resources/resource_2 \
  -H "X-User-ID: user_123" \
  -H "X-User-Role: user"

Manager accessing department resource (allowed):

curl -X GET http://127.0.0.1:5001/api/resources/resource_1 \
  -H "X-User-ID: mgr_1" \
  -H "X-User-Role: manager" \
  -H "X-User-Department: engineering"

Health check:

curl http://127.0.0.1:5001/health

Run OPA Policy Tests

docker run --rm -v $(pwd)/policies:/policies openpolicyagent/opa:latest test /policies -v

Policy Rules

The authorization policy (policies/authz.rego) implements:

  1. Default deny - All requests are denied by default
  2. Admin access - Admins can perform any action
  3. Owner access - Users can read/update their own resources
  4. Department access - Managers can read resources in their department

Mock Data

The application uses mock data for demonstration:

| Resource ID | Owner    | Department  |
|-------------|----------|-------------|
| resource_1  | user_123 | engineering |
| resource_2  | user_456 | sales       |
| resource_3  | user_123 | engineering |

API Endpoints

| Method | Endpoint             | Description       |
|--------|----------------------|-------------------|
| GET    | /api/resources/{id}  | Get a resource    |
| PUT    | /api/resources/{id}  | Update a resource |
| DELETE | /api/resources/{id}  | Delete a resource |
| GET    | /health              | Health check      |
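The module below is an added example, not the project's own app/opa_client.py. It shows how the Flask side can turn one of the requests from "Test the API" (method, resource id, X-User-* headers) plus the mock data table into an OPA input document, POST it to the sidecar's Data API, and map the answer to an HTTP status. The security point it demonstrates is fail-closed behaviour: a sidecar that is down, a non-200 reply, a malformed body, or a missing "result" (which is what OPA returns when the rule is undefined) must all be treated as deny, otherwise an outage of the policy engine silently becomes "allow all". The decision URL and the authz/allow rule path are assumptions; the header names, actions and mock data mirror the README.

```python
"""Added example of an OPA sidecar client for the Flask service in this README.
Assumption: the Rego policy lives in package ``authz`` and exposes a boolean
``allow`` rule, so the decision endpoint is /v1/data/authz/allow."""
import json
import urllib.error
import urllib.request

OPA_URL = "http://127.0.0.1:8181/v1/data/authz/allow"  # assumed package/rule path

# Constructed mock data mirroring the README's Mock Data table.
RESOURCES = {
    "resource_1": {"owner": "user_123", "department": "engineering"},
    "resource_2": {"owner": "user_456", "department": "sales"},
    "resource_3": {"owner": "user_123", "department": "engineering"},
}

# HTTP method -> action name the policy reasons about (read/update/delete).
METHOD_TO_ACTION = {"GET": "read", "PUT": "update", "DELETE": "delete"}


def build_opa_input(method, resource_id, headers, resources=RESOURCES):
    """Assemble the OPA input document from the request.

    Identity comes from the X-User-* headers used by the README's curl examples
    (a demo convention; a real deployment would derive it from a verified token).
    Returns None for an unknown resource so the caller can answer 404 without
    consulting OPA at all.
    """
    resource = resources.get(resource_id)
    if resource is None:
        return None
    return {
        "user": {
            "id": headers.get("X-User-ID", ""),
            "role": headers.get("X-User-Role", ""),
            "department": headers.get("X-User-Department", ""),
        },
        "action": METHOD_TO_ACTION.get(method.upper(), "unknown"),
        "resource": {"id": resource_id, **resource},
    }


def query_opa(opa_input, opa_url=OPA_URL, opener=urllib.request.urlopen, timeout=2.0):
    """Ask the sidecar for a decision. Fails closed: transport errors, non-200
    replies, bodies that are not JSON objects, and a missing or non-true
    "result" all yield False (deny)."""
    body = json.dumps({"input": opa_input}).encode("utf-8")
    req = urllib.request.Request(
        opa_url, data=body, headers={"Content-Type": "application/json"}, method="POST"
    )
    try:
        with opener(req, timeout=timeout) as resp:
            if resp.status != 200:
                return False
            payload = json.loads(resp.read().decode("utf-8"))
    except (urllib.error.URLError, OSError, ValueError):
        return False
    # OPA omits "result" when the rule is undefined; only an explicit true allows.
    return isinstance(payload, dict) and payload.get("result") is True


def authorize(method, resource_id, headers, opa_url=OPA_URL, opener=urllib.request.urlopen):
    """Return the HTTP status the endpoint should send: 404 unknown resource,
    403 denied by policy (or sidecar unavailable), 200 allowed."""
    opa_input = build_opa_input(method, resource_id, headers)
    if opa_input is None:
        return 404
    return 200 if query_opa(opa_input, opa_url, opener) else 403


def fake_opener(status, body):
    """Offline stand-in for urllib.request.urlopen used to exercise the client
    without a running OPA; returns a context manager with .status and .read()."""
    class _Resp:
        def __enter__(self):
            return self
        def __exit__(self, *exc):
            return False
        def read(self):
            return body
    _Resp.status = status
    return lambda req, timeout=None: _Resp()


def sidecar_down(req, timeout=None):
    """Simulates a connection failure to the sidecar."""
    raise OSError("connection refused")


if __name__ == "__main__":
    hdrs = {"X-User-ID": "user_123", "X-User-Role": "user"}
    print(authorize("GET", "resource_1", hdrs, opener=fake_opener(200, b'{"result": true}')))  # 200
    print(authorize("GET", "resource_2", hdrs, opener=fake_opener(200, b'{"result": false}')))  # 403
    print(authorize("GET", "resource_1", hdrs, opener=fake_opener(200, b"{}")))  # 403: rule undefined
    print(authorize("GET", "resource_1", hdrs, opener=sidecar_down))  # 403: fail closed
```

To wire this into the Flask app, call authorize() with request.method, the path parameter and request.headers and abort with the returned status; keep the short timeout so a hung sidecar degrades to a fast deny rather than tying up workers.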

Local Development

  1. Install dependencies:

    pip install -r requirements.txt
  2. Start OPA separately:

    docker run -p 8181:8181 -v $(pwd)/policies:/policies openpolicyagent/opa:latest run --server /policies
  3. Run the Flask app:

    cd app && python app.py
