Open Policy Agent
Deep Dive @ KubeCon Seattle 2018
openpolicyagent.org
Who am I?
● Engineer @ Styra
● Co-founder of Open Policy Agent
● @sometorin
● Based in SF
● Happy to see some rain 💧
○ Originally from Vancouver 🇨🇦
openpolicyagent.org
Example: pets.com
[diagram: the pets.com backend is made up of the accounts, payments, promotions and notifications services, backed by SQL, a portal, S3 and SNS; its users are bob (customer) and alice (support)]
"Support staff can view customer
data if they are assigned to an open
ticket for that customer."
[diagram: the same pets.com backend, now with an authz check duplicated inside every service]
● How do you enforce new policies from infosec,
compliance, or legal?
● How do you delegate control to your end-users?
● How do you roll out policy changes?
● How do you leverage context, e.g., HR DB?
● How do you render UIs based on policy?
● How do you test your policies for correctness?
● What about 100+ services written in Java, Ruby, ...
OPA: General-purpose policy engine
Inception: project started in 2016 at Styra.
Goal: unify policy enforcement across the stack.
Use Cases
Admission control
Authorization
ACLs
RBAC
IAM
ABAC
Risk management
Data Protection
Data Filtering
Users
Netflix
Chef
Medallia
Cloudflare
State Street
Pinterest
Intuit
Capital One
...and many more.
Today
CNCF project (Sandbox)
36 contributors
400 slack members
1.6K stars
20+ integrations
How does OPA work?
[diagram: the Service receives a Request and sends a Policy Query to OPA; OPA evaluates the Policy (Rego) against Data (JSON) and returns a Policy Decision]
GET /accounts/bob HTTP/1.1
Authorization: alice
OPA input (JSON):
{
  "method": "GET",
  "path": ["accounts", "bob"],
  "user": "alice"
}
Policy decision: true or false
Another example service: Linux PAM
Input can be ANY JSON value.
Output can be ANY JSON value.
Hands on!
Example Policy
1. Users can view their own accounts.
2. Support can view accounts if they
are assigned to an open ticket on
that account.
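One way to express the two rules above in Rego, added here as an example (it is not code from the deck). The package name and the layout of data.roles and data.tickets are assumptions; the input is the {method, path, user} document shown earlier, and import rego.v1 makes it run on current OPA releases.

```rego
# Added example (not from the deck). Assumed package name and data layout:
#   data.roles   = {"alice": ["support"], "bob": ["customer"]}
#   data.tickets = {"t1": {"account": "bob", "assignee": "alice", "status": "open"}}
# Input is the document shown on the earlier slide, e.g.
#   {"method": "GET", "path": ["accounts", "bob"], "user": "alice"}
# Try it: opa eval -d policy.rego -d data.json -i input.json 'data.petsdotcom.authz.allow'
package petsdotcom.authz

import rego.v1

# Deny by default: a request matched by neither rule is rejected.
default allow := false

# Both rules are scoped to a read of exactly one account: GET /accounts/<id>.
account_read if {
    input.method == "GET"
    count(input.path) == 2
    input.path[0] == "accounts"
}

account_id := input.path[1]

# 1. Users can view their own accounts.
allow if {
    account_read
    input.user == account_id
}

# 2. Support can view accounts if they are assigned to an open ticket
#    on that account. All four conditions must hold: a closed ticket, or
#    an open ticket for a different account, grants nothing.
allow if {
    account_read
    is_support
    some ticket in data.tickets
    ticket.status == "open"
    ticket.account == account_id
    ticket.assignee == input.user
}

# Role lookup; undefined (hence false) when the user has no roles entry.
is_support if {
    "support" in data.roles[input.user]
}
```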
New features & use cases
OPA & Data Filtering
Example Scenario
[diagram: the Petdetails service receives GET /pets with Authorization: bob and runs SELECT * FROM pets against the DB, which returns:]
name    owner   age
Fluffy  Bob     7
Muffin  Alice   3
King    Janet   12
Example policy:
"Veterinarians are allowed to see details of pets they are treating."
With that policy applied, the service's query becomes:
SELECT * FROM pets
WHERE pets.veterinarian = "bob"
Logic to construct WHERE clause
is hardcoded into the service.
Each additional condition means more hardcoded logic:
SELECT * FROM pets
WHERE pets.veterinarian = "bob"
AND pets.clinic = "main st"
[diagram: a Policy (Rego) box replaces the hardcoded WHERE-clause logic]
Demo
Partial Evaluation & SQL Translation
[diagram: Petdetails sends the policy query for GET /pets (Authorization: bob) to OPA; OPA partially evaluates the Policy (rego) and returns conditions (a SQL predicate) rather than a plain true or false; Petdetails runs SELECT * FROM pets WHERE pets.owner = "bob" against the DB]
blog.openpolicyagent.org
"Write Policy in OPA. Enforce Policy in SQL."
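An added example of the kind of policy behind the Example Scenario and the partial-evaluation slide above (not the deck's demo code). The pets table stays in the DB and is referenced as data.pets, which is marked unknown so that partial evaluation returns residual conditions instead of a decision; the package name, the pet record fields and the opa eval invocation are assumptions.

```rego
# Added example (not from the deck). Assumed package name and pet record
# shape (owner, veterinarian). The table itself is never loaded into OPA;
# it stays in the DB and appears here only as the unknown data.pets.
package petdetails

import rego.v1

# No default rule: for filtering, "no rule matches" simply means an empty
# result set, and a default would add a support module to the residual.

# Customers can see pets they own.
allow if {
    some pet in data.pets
    pet.owner == input.user
}

# Veterinarians are allowed to see details of pets they are treating.
allow if {
    input.role == "veterinarian"
    some pet in data.pets
    pet.veterinarian == input.user
}

# Partial evaluation with the input known and data.pets unknown, e.g.
#   opa eval -d policy.rego -i input.json \
#     --partial --unknowns data.pets 'data.petdetails.allow'
# For input {"user": "bob", "role": "customer"} the veterinarian rule
# drops out (role mismatch) and the residual query is, in substance,
#   data.pets[_].owner == "bob"
# which the service translates into
#   SELECT * FROM pets WHERE pets.owner = ?   -- parameter bound to "bob"
# The translator must emit a parameterized predicate: the residual value
# comes from the request's identity and is never spliced into the SQL text.
```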
OPA & WebAssembly
What is WebAssembly (Wasm)?
● Binary instruction format for virtual machines
○ Safe, efficient, open
● Compilation target for C, C++, Rust, Go, ...
● Supported by Chrome, Safari, Firefox, and IE
● Non-web embeddings
○ IoT
○ Desktop/mobile
○ Servers
○ Blockchain!
What does Wasm have to do with OPA?
● Library integrations are simpler
○ Less overhead (performance)
○ Less operational complexity (security, monitoring)
● Some platforms are more likely to embed Wasm runtimes than OPA
○ Cloudflare announced support for Wasm workers earlier this year
○ Envoy considering including a Wasm runtime
● How do you enforce policies in serverless and edge computing environments?
Demo
Thank You!
open-policy-agent/opa
slack.openpolicyagent.org
Contributing? Say hello! Or see low-hanging-fruit and help-wanted issues.
tsandall/kubecon-seattle-2018