Check out OPAL main repo here.
This repo contain an example git repo containing a basic OPA policy written in Rego.
This repo is used in OPAL's Getting Started tutorial to demonstrate how OPAL keeps your OPA agents in sync with policy and data changes. When commits are affecting this repo, the OPAL server will immediately push updates (over websockets pub/sub interface) to the connected OPAL clients, and they in turn will push the updated policy and data to OPA.
If you follow the tutorial, you will see how this repo is used by OPAL in a real example running in docker-compose. The entire tutorial is also available as video.
This repo has a very simple RBAC policy:
- each user is granted certain roles
- a user can perform an action on a resource, only if:
- one of his roles has permission to do so
- the user "location" is in the US (a special twist that is non-standard to RBAC, but is useful for the tutorial)
- a user with admin role can do anything
OPA enables decoupling policy from code in your applications, and enables you to evolve your application and your authorization policies (i.e: "permissions logic") separately.
Companies like Netflix and Pinterest built their authorization layer using OPA
OPAL is an administration layer for Open Policy Agent (OPA), detecting changes to both policy and policy data in realtime and pushing live updates to your agents.
OPAL brings open-policy up to the speed needed by live applications. As your application state changes (whether it's via your APIs, DBs, git, S3 or 3rd-party SaaS services), OPAL will make sure your services are always in sync with the authorization data and policy they need (and only those they need).
Check out OPAL's main site at OPAL.ac.