This directory helps provide fine-grained, policy-based control over who can run which RESTful APIs.
A tutorial is available at HTTP API Authorization
- A sample web application that asks OPA for authorization before executing an API call (
docker/) - A default policy that allows
/finance/salary/<user>for<user>and for<user>'s manager (docker/policy)- There are two policies given. The first is
example.rego(and additionally,example-hr.regofrom the tutorial), which is the default policy. The second isexample-jwt.rego, which allows you to perform the same task, but by communicating information relevant to the policy via JSON Web Tokens. The tokens to use for the second policy can be found in thetokensdirectory. Files with thejwtextension are the tokens themselves, and files with thetxtextension are their respective decoded tokens for reference. - Policies are provided to OPA in the form of bundles, where a simple Nginx server acts as a bundle server in the docker compose environment.
- There are two policies given. The first is
The web application, the bundle server and OPA all run in docker-containers. For convenience, we included a docker-compose file, so you'll want docker-compose installed.
Note that if using Docker Desktop, you may instead use the docker compose command.
To build the containers and get them started, use the following make commands.
make # build the containers with docker
make up # start the containers with docker-compose
To instead use the example with JSON Web Tokens, use the following make commands.
make # build the containers with docker
make up-token # start the containers with docker-compose