Skip to content

open-policy-agent/opa

main
Switch branches/tags
Code

Latest commit

Previously missing plugging could cause unsafe variables in the
PE output.

Now, all terms in the 'every' body should be plugged properly.
The approach taken here is to plug them all, and then fix the
key and val var names of the copied every expression. Those vars
are fresh after the compiler is done with the expression, so
plugging them should never have any effect outside of the rename.

Signed-off-by: Stephan Renatus <stephan.renatus@gmail.com>
c0c902c

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
Aug 14, 2019
Dec 28, 2015

logo Open Policy Agent

Slack Status Build Status Go Report Card CII Best Practices Netlify Status

Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.

OPA is proud to be a graduated project in the Cloud Native Computing Foundation (CNCF) landscape. For details read the CNCF announcement.

Want to connect with the community or get support for OPA?

  • Join the OPA Slack for day-to-day conversations with the OPA community.
  • Need Support? Go to the Discussions Board to ask questions.

Want to learn more about OPA?

  • Go to openpolicyagent.org to get started with documentation and tutorials.
  • Browse blog.openpolicyagent.org for news about OPA, community, policy and authorization.
  • Try OPA with the Rego Playground to experiment with policies and share your work.
  • View the OPA Roadmap to see a high-level snapshot of OPA features in-progress and planned.
  • Check out the ADOPTERS.md file for a list of production adopters. Does your organization use OPA in production? Support the OPA project by submitting a PR to add your organization to the list with a short description of your OPA use cases!

Want to get OPA?

Want to integrate OPA?

  • See GoDoc to integrate OPA with services written in Go.
  • See REST API to integrate OPA with services written in other languages.

Want to contribute to OPA?

How does OPA work?

OPA gives you a high-level declarative language to author and enforce policies across your stack.

With OPA, you define rules that govern how your system should behave. These rules exist to answer questions like:

  • Can user X call operation Y on resource Z?
  • What clusters should workload W be deployed to?
  • What tags must be set on resource R before it's created?

You integrate services with OPA so that these kinds of policy decisions do not have to be hardcoded in your service. Services integrate with OPA by executing queries when policy decisions are needed.

When you query OPA for a policy decision, OPA evaluates the rules and data (which you give it) to produce an answer. The policy decision is sent back as the result of the query.

For example, in a simple API authorization use case:

  • You write rules that allow (or deny) access to your service APIs.
  • Your service queries OPA when it receives API requests.
  • OPA returns allow (or deny) decisions to your service.
  • Your service enforces the decisions by accepting or rejecting requests accordingly.

For concrete examples of how to integrate OPA with systems like Kubernetes, Terraform, Docker, SSH, and more, see openpolicyagent.org.

Presentations

  • Open Policy Agent Intro @ KubeCon EU 2021: Video
  • Using Open Policy Agent to Meet Evolving Policy Requirements @ KubeCon NA 2020: video
  • Applying Policy Throughout The Application Lifecycle with Open Policy Agent @ CloudNativeCon 2019: video
  • Open Policy Agent Introduction @ CloudNativeCon EU 2018: video, slides
  • Rego Deep Dive @ CloudNativeCon EU 2018: video, slides
  • How Netflix Is Solving Authorization Across Their Cloud @ CloudNativeCon US 2017: video, slides.
  • Policy-based Resource Placement in Kubernetes Federation @ LinuxCon Beijing 2017: slides, screencast
  • Enforcing Bespoke Policies In Kubernetes @ KubeCon US 2017: video, slides
  • Istio's Mixer: Policy Enforcement with Custom Adapters @ CloudNativeCon US 2017: video, slides

Security Audit

A third party security audit was performed by Cure53, you can see the full report here

Reporting Security Vulnerabilities

Please report vulnerabilities by email to open-policy-agent-security. We will send a confirmation message to acknowledge that we have received the report and then we will send additional messages to follow up once the issue has been investigated.