
OPA-AMS


opa-ams provides an Open Policy Agent (OPA)-compatible API for making access review requests against the OpenShift Account Management System (AMS) API.

API

POST /v1/data/{package}/{rule}

The opa-ams HTTP server exposes a single endpoint of the OPA Data API and fulfills requests by translating them into AMS access reviews. This endpoint expects an OPA input document in the body of the request with the following structure:

{
    "input": {
        "groups": ["string"],
        "permission": "string",
        "resource": "string",
        "subject": "string",
        "tenant": "string"
    }
}

It returns a response with the following structure:

{
    "result": boolean
}

Usage

Usage of ./opa-ams:
      --ams.mappings strings          A list of comma-separated mappings from Observatorium tenants to AMS organization IDs, e.g. foo=bar,x=y
      --ams.mappings-path string      A path to a JSON file containing a map from Observatorium tenants to AMS organization IDs.
      --ams.url string                An AMS URL against which to authorize client requests.
      --debug.name string             A name to add as a prefix to log lines. (default "opa-ams")
      --log.format string             The log format to use. Options: 'logfmt', 'json'. (default "logfmt")
      --log.level string              The log filtering level. Options: 'error', 'warn', 'info', 'debug'. (default "info")
      --memcached strings             One or more Memcached server addresses.
      --memcached.expire int32        Time after which keys stored in Memcached should expire, given in seconds. (default 3600)
      --memcached.interval int32      The interval at which to update the Memcached DNS, given in seconds; use 0 to disable. (default 10)
      --oidc.audience string          The audience for whom the access token is intended, see https://openid.net/specs/openid-connect-core-1_0.html#IDToken.
      --oidc.client-id string         The OIDC client ID, see https://tools.ietf.org/html/rfc6749#section-2.3.
      --oidc.client-secret string     The OIDC client secret, see https://tools.ietf.org/html/rfc6749#section-2.3.
      --oidc.issuer-url string        The OIDC issuer URL, see https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery.
      --opa.package string            The name of the OPA package that opa-ams should implement, see https://www.openpolicyagent.org/docs/latest/policy-language/#packages.
      --opa.rule string               The name of the OPA rule for which opa-ams should provide a result, see https://www.openpolicyagent.org/docs/latest/policy-language/#rules. (default "allow")
      --resource-type-prefix string   A prefix to add to the resource name in AMS access review requests.
      --web.internal.listen string    The address on which the internal server listens. (default ":8081")
      --web.listen string             The address on which the public server listens. (default ":8080")
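As an added example (not code from the opa-ams project), the following Go client builds the input document described in the API section, posts it to `/v1/data/{package}/{rule}`, and decodes the `result` field, treating any non-200 response or undecodable body as an error so that a caller fails closed. It also parses the `--ams.mappings` format (`foo=bar,x=y`) from the Usage section; the package name `observatorium` and the sample tenant, subject and resource values are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Input mirrors the OPA input document that POST /v1/data/{package}/{rule} expects.
type Input struct {
	Groups     []string `json:"groups"`
	Permission string   `json:"permission"`
	Resource   string   `json:"resource"`
	Subject    string   `json:"subject"`
	Tenant     string   `json:"tenant"`
}

// ParseMappings parses an --ams.mappings value ("foo=bar,x=y") into tenant -> AMS org ID.
func ParseMappings(s string) (map[string]string, error) {
	m := make(map[string]string)
	for _, pair := range strings.Split(s, ",") {
		tenant, org, ok := strings.Cut(strings.TrimSpace(pair), "=")
		if !ok || tenant == "" || org == "" {
			return nil, fmt.Errorf("malformed mapping %q (want tenant=orgID)", pair)
		}
		m[tenant] = org
	}
	return m, nil
}

// Authorize posts the input document to opa-ams; a non-200 status or bad body is an error (fail closed).
func Authorize(baseURL, pkg, rule string, in Input) (bool, error) {
	body, _ := json.Marshal(map[string]Input{"input": in}) // plain struct: cannot fail
	url := fmt.Sprintf("%s/v1/data/%s/%s", baseURL, pkg, rule)
	resp, err := http.Post(url, "application/json", bytes.NewReader(body))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("opa-ams returned %s", resp.Status)
	}
	var out struct{ Result bool `json:"result"` }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return false, err
	}
	return out.Result, nil
}
```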