brewOPA is an extensible open-source framework that enables developers to easily brew data access control policies for Open Policy Agent (OPA) by writing them in the human-friendly YAML.
Instantiate the validator with the brewOPA rego module.
validator, err := brewOPA.NewValidatorFromRego("../rego/brewOPA.rego")
if err != nil {
fmt.Print("failed to create validator: %v", err)
}
Configure the validator with one or more data access policies.
data, err := ioutil.ReadFile("../rego/sample_data/policy.yaml")
if err != nil {
fmt.Printf("failed to decode yaml: %v", err)
return
}
policy, err := brewOPA.AccessPolicyFromYAML(data)
if err != nil {
fmt.Print("failed to create access policy from YAML: %v", err)
return
}
err = validator.AddPolicy("myPolicy", policy)
if err != nil {
fmt.Printf("failed to add policy")
return
}
Create and validate accesses to data.
access := brewOPA.NewAccess("invoices", "bob", 10, brewOPA.AccessTypeRead,
brewOPA.TablesReferenced([]string{"finance.cards"}),
brewOPA.ColumnsReferenced(map[string][]string{
"finance.cards": []string{"card_number", "credit_limit"},
}),
)
result, err := validator.Validate(context.Background(), access)
if err != nil {
fmt.Printf("failed to validate access: %v", err)
return
}
Start OPA as a service (listening on port 8181 by default)
opa run -s
Create the access policy module
curl localhost:8181/v1/policies/brewOPA \
-X PUT \
-H "Content-Type: text/plain" \
--data-binary @rego/brewOPA.rego
Deposit access policy to the namespace policies/:policyID
Here, we deposit JSON (generated from the YAML using yq) because OPA's REST API doesn't support YAML.
curl localhost:8181/v1/data/policies/myPolicy \
-X PUT \
-H "Content-Type: text/plain" \
-d '{
"sensitiveAttrs": ["card_number", "credit_limit", "card_family"],
"locations": [
{
"repo": "invoices",
"schema": "finance",
"table": "cards"
}
],
"rules": [
{
"deletes": {
"allow": true,
"rows": 1
},
"identities": ["bob"],
"reads": {
"allow": true,
"attributes": ["credit_limit", "card_family"],
"rows": 10
},
"updates": {
"allow": true,
"attributes": ["credit_limit"],
"rows": 1
}
}
],
"defaultRule": {
"deletes": {
"allow": false
},
"reads": {
"allow": true,
"attributes": "any",
"rows": 1
},
"updates": {
"allow": false
}
}
}'
Query the access policy module providing data access parameters as input
curl localhost:8181/v1/data/dbAccess/main\?pretty\=true \
-X POST \
-H "Content-Type: application/json" \
-d '{
"input": {
"user": "bob",
"repo": "clinics",
"accessType": "SELECT",
"tablesReferenced": ["finance.cards"],
"columnsReferenced": {
"finance.cards": ["cust_id", "card_number", "credit_limit"]
},
"rowsAffected": 10
}
}'