opa

Description

The opa Plugin can be used to integrate with Open Policy Agent. This can help you decouple functions such as authentication and access to services and reduce the complexity of your system.

Attributes

NameTypeRequiredDefaultValid valuesDescription
hoststringTrueHost address of the OPA service. For example, https://localhost:8181.
ssl_verifybooleanFalsetrueWhen set to true verifies the SSL certificates.
policystringTrueOPA policy path. A combination of package and decision. While using advanced features like custom response, you can omit decision.
timeoutintegerFalse3000ms[1, 60000]msTimeout for the HTTP call.
keepalivebooleanFalsetrueWhen set to true, keeps the connection alive for multiple requests.
keepalive_timeoutintegerFalse60000ms[1000, …]msIdle time after which the connection is closed.
keepalive_poolintegerFalse5[1, …]msConnection pool limit.
with_routebooleanFalsefalseWhen set to true, sends information about the current Route.
with_servicebooleanFalsefalseWhen set to true, sends information about the current Service.
with_consumerbooleanFalsefalseWhen set to true, sends information about the current Consumer. Note that this may send sensitive information like the API key. Make sure to turn it on only when you are sure it is safe.

Data definition

APISIX to OPA service

The JSON below shows the data sent to the OPA service by APISIX:

  1. {
  2.     "type": "http",
  3.     "request": {
  4.         "scheme": "http",
  5.         "path": "\/get",
  6.         "headers": {
  7.             "user-agent": "curl\/7.68.0",
  8.             "accept": "*\/*",
  9.             "host": "127.0.0.1:9080"
  10.         },
  11.         "query": {},
  12.         "port": 9080,
  13.         "method": "GET",
  14.         "host": "127.0.0.1"
  15.     },
  16.     "var": {
  17.         "timestamp": 1701234567,
  18.         "server_addr": "127.0.0.1",
  19.         "server_port": "9080",
  20.         "remote_port": "port",
  21.         "remote_addr": "ip address"
  22.     },
  23.     "route": {},
  24.     "service": {},
  25.     "consumer": {}
  26. }

Each of these keys are explained below:

  • type indicates the request type (http or stream).
  • request is used when the type is http and contains the basic request information (URL, headers etc).
  • var contains the basic information about the requested connection (IP, port, request timestamp etc).
  • route, service and consumer contains the same data as stored in APISIX and are only sent if the opa Plugin is configured on these objects.

OPA service to APISIX

The JSON below shows the response from the OPA service to APISIX:

  1. {
  2.     "result": {
  3.         "allow": true,
  4.         "reason": "test",
  5.         "headers": {
  6.             "an": "header"
  7.         },
  8.         "status_code": 401
  9.     }
  10. }

The keys in the response are explained below:

  • allow is indispensable and indicates whether the request is allowed to be forwarded through APISIX.
  • reason, headers, and status_code are optional and are only returned when you configure a custom response. See the next section use cases for this.

Example usage

First, you need to launch the Open Policy Agent environment:

  1. docker run -d --name opa -p 8181:8181 openpolicyagent/opa:0.35.0 run -s

Basic usage

Once you have the OPA service running, you can create a basic policy:

  1. curl -X PUT '127.0.0.1:8181/v1/policies/example1' \
  2.     -H 'Content-Type: text/plain' \
  3.     -d 'package example1
  5. import input.request
  7. default allow = false
  9. allow {
  10.     # HTTP method must GET
  11.     request.method == "GET"
  12. }'

Then, you can configure the opa Plugin on a specific Route:

  1. curl -X PUT 'http://127.0.0.1:9080/apisix/admin/routes/r1' \
  2.     -H 'X-API-KEY: <api-key>' \
  3.     -H 'Content-Type: application/json' \
  4.     -d '{
  5.     "uri": "/*",
  6.     "plugins": {
  7.         "opa": {
  8.             "host": "http://127.0.0.1:8181",
  9.             "policy": "example1"
  10.         }
  11.     },
  12.     "upstream": {
  13.         "nodes": {
  14.             "httpbin.org:80": 1
  15.         },
  16.         "type": "roundrobin"
  17.     }
  18. }'

Now, to test it out:

  1. curl -i -X GET 127.0.0.1:9080/get
  1. HTTP/1.1 200 OK

Now if we try to make a request to a different endpoint the request will fail:

  1. curl -i -X POST 127.0.0.1:9080/post
  1. HTTP/1.1 403 FORBIDDEN

Using custom response

You can also configure custom responses for more complex scenarios:

  1. curl -X PUT '127.0.0.1:8181/v1/policies/example2' \
  2.     -H 'Content-Type: text/plain' \
  3.     -d 'package example2
  5. import input.request
  7. default allow = false
  9. allow {
  10.     request.method == "GET"
  11. }
  13. # custom response body (Accepts a string or an object, the object will respond as JSON format)
  14. reason = "test" {
  15.     not allow
  16. }
  18. # custom response header (The data of the object can be written in this way)
  19. headers = {
  20.     "Location": "http://example.com/auth"
  21. } {
  22.     not allow
  23. }
  25. # custom response status code
  26. status_code = 302 {
  27.     not allow
  28. }'

Now you can test it out by changing the opa Plugin’s policy parameter to example2 and then making a request:

  1. curl -i -X GET 127.0.0.1:9080/get
  1. HTTP/1.1 200 OK

Now if you make a failing request, you will see the custom response from the OPA service:

  1. curl -i -X POST 127.0.0.1:9080/post
  1. HTTP/1.1 302 FOUND
  2. Location: http://example.com/auth
  4. test

Sending APISIX data

Let’s think about another scenario, when your decision needs to use some APISIX data, such as route, consumer, etc., how should we do it?

If your OPA service needs to make decisions based on APISIX data like Route and Consumer details, you can configure the Plugin to do so.

The example below shows a simple echo policy which will return the data sent by APISIX as it is:

  1. curl -X PUT '127.0.0.1:8181/v1/policies/echo' \
  2.     -H 'Content-Type: text/plain' \
  3.     -d 'package echo
  5. allow = false
  6. reason = input'

Now we can configure the Plugin on the Route to send APISIX data:

  1. curl -X PUT 'http://127.0.0.1:9080/apisix/admin/routes/r1' \
  2.     -H 'X-API-KEY: <api-key>' \
  3.     -H 'Content-Type: application/json' \
  4.     -d '{
  5.     "uri": "/*",
  6.     "plugins": {
  7.         "opa": {
  8.             "host": "http://127.0.0.1:8181",
  9.             "policy": "echo",
  10.             "with_route": true
  11.         }
  12.     },
  13.     "upstream": {
  14.         "nodes": {
  15.             "httpbin.org:80": 1
  16.         },
  17.         "type": "roundrobin"
  18.     }
  19. }'

Now if you make a request, you can see the data from the Route through the custom response:

  1. curl -X GET 127.0.0.1:9080/get
  2. {
  3.     "type": "http",
  4.     "request": {
  5.         xxx
  6.     },
  7.     "var": {
  8.         xxx
  9.     },
  10.     "route": {
  11.         xxx
  12.     }
  13. }

Disable Plugin

To disable the opa Plugin, you can delete the corresponding JSON configuration from the Plugin configuration. APISIX will automatically reload and you do not have to restart for this to take effect.

  1. curl http://127.0.0.1:2379/apisix/admin/routes/1 -X PUT -d value='
  2. {
  3.     "methods": ["GET"],
  4.     "uri": "/hello",
  5.     "plugins": {},
  6.     "upstream": {
  7.         "type": "roundrobin",
  8.         "nodes": {
  9.             "127.0.0.1:1980": 1
  10.         }
  11.     }
  12. }'