Apache integrates with Open Policy Agent

admin 2025-01-12


This article uses OPA's HTTP API integration as an example to introduce the opa plug-in, and details how to integrate Apache with OPA so that authentication and authorization are decoupled from the back-end services.

Open Policy Agent (OPA) is an open-source, lightweight, general-purpose policy engine. It can replace the policy module built into a piece of software and helps users decouple their services from policy decisions. Thanks to OPA's mature ecosystem, users can easily integrate OPA with other services through program libraries, HTTP APIs, etc.

As shown in the figure below, OPA works in three parts: policies are written in the policy language Rego; the data the policies consult is stored as JSON; a service then sends a query request carrying its input. On receiving the query, OPA combines the policy, the data and the input to produce a policy decision and returns that decision to the service.

Plugin Introduction

Apache provides an opa plug-in that lets users bring the policy capabilities of OPA into Apache and implement flexible authentication and access-control features with it.

After the opa plug-in is configured on a route, Apache assembles request information, connection information, etc. into a JSON document and sends it to OPA's policy decision API while it processes the request. As long as the policy deployed in OPA follows the data specification that Apache defines, the decision can pass the request, reject it, set a custom status code, add custom response headers, or return a custom response body.

The rest of this article takes the HTTP API integration as the example: it introduces the opa plug-in and walks through integrating Apache with OPA to decouple authentication and authorization from the back-end services.

How to use

Build test environment

  1. Use Docker to start an OPA server.

    # Run OPA with Docker
    docker run -d --name opa -p 8181:8181 openpolicyagent/opa:0.35.0 run -s

  2. Create an example policy.

    # Create the policy
    curl -XPUT 'localhost:8181/v1/policies/example' \
    --header 'Content-Type: text/plain' \
    --data-raw 'package example

    import input.request
    import data.users

    default allow = false

    allow {
        # the request carries a header named test-header with the value only-for-test
        request.headers["test-header"] == "only-for-test"
        # the request method is GET
        request.method == "GET"
        # the request path starts with /get
        startswith(request.path, "/get")
        # the GET parameter test exists and is not equal to abcd
        request.query["test"] != "abcd"
        # the GET parameter user exists
        request.query["user"]
    }

    reason = users[request.query["user"]].reason {
        not allow
        request.query["user"]
    }

    headers = users[request.query["user"]].headers {
        not allow
        request.query["user"]
    }

    status_code = users[request.query["user"]].status_code {
        not allow
        request.query["user"]
    }'

  3. Create the users data.

    # Create test user data
    curl -XPUT 'localhost:8181/v1/data/users' \
    --header 'Content-Type: application/json' \
    --data-raw '{
        "alice": {
            "headers": {
                "Location": "http://example.com/auth"
            },
            "status_code": 302
        },
        "bob": {
            "headers": {
                "test": "abcd",
                "abce": "test"
            }
        },
        "carla": {
            "reason": "Give you a string reason"
        },
        "dylon": {
            "headers": {
                "Content-Type": "application/json"
            },
            "reason": {
                "code": 40001,
                "desc": "Give you a object reason"
            }
        }
    }'

Create a route and enable the plugin

Run the following command to create the route and enable the opa plugin on it.

curl -XPUT 'http://127.0.0.1:9080//admin/routes/r1' \
--header 'X-API-KEY: <api-key>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "uri": "/*",
    "methods": [
        "GET",
        "POST",
        "PUT",
        "DELETE"
    ],
    "plugins": {
        "opa": {
            "host": "http://127.0.0.1:8181",
            "policy": "example"
        }
    },
    "upstream": {
        "nodes": {
            "httpbin.org:80": 1
        },
        "type": "roundrobin"
    }
}'

Test Requests

Next, send the following requests through the route to verify how the opa plugin behaves for each user in the data set.

# Allow the request
curl -XGET '127.0.0.1:9080/get?test=abcd1&user=dylon' \
    --header 'test-header: only-for-test'

{
    "args": {
        "test": "abcd1",
        "user": "dylon"
    },
    "headers": {
        "Test-Header": "only-for-test",
        "with": "more"
    },
    "origin": "127.0.0.1",
    "url": "http://127.0.0.1/get?test=abcd1&user=dylon"
}

# Reject the request and rewrite the status code and response headers
curl -XGET '127.0.0.1:9080/get?test=abcd&user=alice' \
    --header 'test-header: only-for-test'

HTTP/1.1 302 Moved Temporarily
Date: Mon, 20 Dec 2021 09:37:35 GMT
Content-Type: text/html
Content-Length: 142
Connection: keep-alive
Location: http://example.com/auth
Server: /2.11.0

# Reject the request and return custom response headers
curl -XGET '127.0.0.1:9080/get?test=abcd&user=bob' \
    --header 'test-header: only-for-test'

HTTP/1.1 403 Forbidden
Date: Mon, 20 Dec 2021 09:38:27 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 150
Connection: keep-alive
abce: test
test: abcd
Server: /2.11.0

# Reject the request and return a custom response body (string)
curl -XGET '127.0.0.1:9080/get?test=abcd&user=carla'
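To make the flow in the plugin description and the test requests above concrete, the following is an added example, written for this article and not code from the original page or from the gateway or OPA projects. It joins the three pieces the plugin relies on: building the input document the gateway sends to OPA (the field set here is an assumption taken from what the example policy reads, input.request.method/path/headers/query; the real document also carries connection information), an offline Python stand-in for OPA evaluating the example policy against the users data (so the block runs without a server), and the mapping from the decision's allow/status_code/headers/reason back to the gateway's reply, assumed from the responses shown above. The query_opa function shows the real Data API call and is the only part that needs a live OPA.

```python
"""Added example: request -> OPA input -> policy decision -> gateway response.
Not the gateway's own code; the input layout and response mapping are
assumptions based on the article's policy and sample responses."""
import json
import urllib.request

# Constructed test data: the same users document the article PUTs into /v1/data/users.
USERS = {
    "alice": {"headers": {"Location": "http://example.com/auth"}, "status_code": 302},
    "bob": {"headers": {"test": "abcd", "abce": "test"}},
    "carla": {"reason": "Give you a string reason"},
    "dylon": {"headers": {"Content-Type": "application/json"},
              "reason": {"code": 40001, "desc": "Give you a object reason"}},
}


def build_input(method, path, headers, query):
    """Assemble the `input` document for OPA (assumed subset of the gateway's
    document). Header names are lower-cased because the policy looks up
    "test-header" in lower case; the gateway also sends connection details."""
    return {
        "type": "http",
        "request": {
            "method": method.upper(),
            "path": path,
            "headers": {k.lower(): v for k, v in headers.items()},
            "query": dict(query),
        },
    }


def evaluate_example_policy(opa_input, users):
    """Offline stand-in for OPA evaluating the article's `example` policy.
    In Rego a rule body fails as soon as any reference is undefined, so a
    missing `test` or `user` parameter makes `allow` fall back to its
    default of false, and reason/headers/status_code stay undefined when
    the user is unknown. The explicit `in` checks reproduce that."""
    req = opa_input["request"]
    q = req["query"]
    allow = (
        req["headers"].get("test-header") == "only-for-test"
        and req["method"] == "GET"
        and req["path"].startswith("/get")
        and "test" in q and q["test"] != "abcd"
        and "user" in q
    )
    result = {"allow": allow}
    if not allow and "user" in q and q["user"] in users:
        for key in ("reason", "headers", "status_code"):
            if key in users[q["user"]]:
                result[key] = users[q["user"]][key]
    return result


def decision_to_response(result):
    """Turn an OPA `result` object into the gateway's action (assumed from
    the article's sample responses). Only an explicit `allow: true` lets
    the request through; a missing key fails closed. Rejections use
    status_code (403 if absent), add `headers`, and send `reason` as the
    body, serialising objects to JSON."""
    if result.get("allow") is True:
        return {"action": "proxy"}
    response = {
        "action": "reject",
        "status": result.get("status_code", 403),
        "headers": dict(result.get("headers", {})),
        "body": "",
    }
    reason = result.get("reason")
    if isinstance(reason, (dict, list)):
        response["body"] = json.dumps(reason)
    elif reason is not None:
        response["body"] = str(reason)
    return response


def query_opa(host, policy, opa_input, timeout=2.0):
    """The real call: POST {"input": ...} to OPA's Data API at
    /v1/data/<policy> and read the `result` member. Needs a live OPA and is
    not used by the offline run below; an absent `result` fails closed."""
    req = urllib.request.Request(
        f"{host}/v1/data/{policy}",
        data=json.dumps({"input": opa_input}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp).get("result", {})


def decide(method, path, headers, query, users=USERS):
    """End-to-end offline run: request -> input -> policy -> gateway action."""
    return decision_to_response(
        evaluate_example_policy(build_input(method, path, headers, query), users)
    )


if __name__ == "__main__":
    for user, test in (("dylon", "abcd1"), ("alice", "abcd"), ("bob", "abcd"),
                       ("carla", "abcd"), ("dylon", "abcd"), ("mallory", "abcd")):
        print(user, decide("GET", "/get", {"Test-Header": "only-for-test"},
                           {"test": test, "user": user}))
```

Two points in the block matter when writing your own policies. First, Rego's undefined semantics work in your favour: `request.query["test"] != "abcd"` does not evaluate to true when `test` is absent, it is undefined, so the rule body fails and `default allow = false` applies; a policy without a `default allow` line would return no `allow` key at all, which the gateway side must treat as a denial rather than a pass. Second, the decision document is data under your control: whatever `headers` and `status_code` the policy emits are sent to the client verbatim, so keep the `users` data that feeds them as trustworthy as the policy itself. The same checks can be expressed as Rego unit tests and run with `opa test` before the policy is loaded into the server.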
