OPA (Open Policy Agent) PDP PoC





What is OPA?

An open source, general-purpose policy engine. A graduated project in CNCF (Cloud Native Computing Foundation).

Uses a high-level language that lets users specify policy as code, and provides simple APIs for policy decision making.

OPA is written in Go. Policies are written in Rego, which is OPA's policy language. Go package for Rego: https://pkg.go.dev/github.com/open-policy-agent/opa/rego



Experimentation:



Approach 1: Go Application Integration with OPA

Develop a Go application that seamlessly integrates with Open Policy Agent (OPA), leveraging the OPA Rego language, and incorporates Kafka for event-driven communication.

    • Use the OPA Go SDK to integrate OPA into the Go application.

    • Establish a secure communication channel between the Go application and OPA.

    • Develop a clear and concise mechanism for defining policies using the OPA Rego language within the Go application.

    • Implement logic for evaluating policies using the OPA Rego engine.

    • Enable the Go application to dynamically load and update policies from OPA for real-time adjustments.

    • Implement Kafka producers to publish policy-related events when policy decisions are made.

    • Implement Kafka consumers to listen for policy-related events and trigger appropriate actions.

Approach 2: Java Sidecar Integration with OPA

Develop a Java sidecar to seamlessly integrate with Open Policy Agent (OPA) for dynamic policy enforcement within Java-based applications.

    • Utilize HTTP REST APIs for secure communication with OPA.

    • Implement Java HTTP clients to send policy queries and receive decisions from OPA.

    • Design a Java API for defining and enforcing policies.

    • Implement a mechanism for dynamically updating policies from OPA.

    • Integrate with Kafka for asynchronous communication with other components of the PF.

    • Implement Kafka producers or consumers for policy-related events.



Conclusion: Both approaches involve integrating OPA for policy enforcement, with the first approach additionally incorporating Kafka for event-driven communication. The choice between a Java sidecar and a Go application is yet to be decided.





Notes/Considerations from the policy weekly discussion:

Re-implement the PAP interaction with PDPs?

Convert ONAP policies to be OPA compatible? 

Convert OPA policies to be ONAP compatible?

Others?