using open policy agent (OPA) as an ABAC system

Perhaps the most concrete answer is a detailed description of how Chef Automate uses OPA to implement application authorization.

More generally, we are planning a guide describing how to use OPA for application authorization--it requires more detail than a SO answer. But using OPA (or any policy engine) for application authorization depends a bit on your application, its architecture, your SLAs, etc. But here are a few key issues to consider:

  • Policy: how much expressiveness do your end-user policies need? Do they just define say user-attributes or user-roles, or do they map user attributes/roles to permissions too? OPA lets you solicit those end-user policies as JSON objects and then write policy rules that make decisions using those JSON objects. And for efficiency, you can compile those JSON objects into bona-fide OPA rules.
  • Enforcement: where do you need to enforce authorization policies (e.g. gateway, microservice, database)? Your requirements around latency, size of data, expressiveness of database query languages will all impact this decision. OPA is flexible enough to help with all of these and has a couple of specific integrations that will help: Envoy and similar service-mesh systems for microservices and SQL/ElasticSearch for databases.
  • Data: how much attribute data is there, how frequently does it change, what consistency guarantees do you need, what mechanisms do you have for getting the data into OPA (e.g. caches, event-streams). Here's a guide for injecting data into OPA; it uses LDAP/AD as an example data-source, but the principles are the same for any data-source.

We are always happy to talk through the details of your application and help you find the right fit for OPA. Feel free to reach out on the OPA slack channel.


OPA looks like it might be less complicated than authzforce

There are a couple pros and cons to either approach. First of all, as you realized both OPA and AuthZForce are ABAC implementations (you can read more on ABAC here and here).

OPA

Open Policy Agent is a relatively novel model aimed mainly (but not only) at tackling fine-grained authorization for infrastructure (e.g. Kubernetes). They even have pre-built integration points for Istio and Kubernetes. OPA provides a PEP (enforcement / integration) and a PDP (policy decision point) though it does not necessarily call them that way. The language it uses is called REGO (a derivative of DATALOG).

OPA itself appears to be a defacto PEP and PDP

Yes you are absolutely right and that puts the burden on you to implement an alternative for PIPs.

I feel like I'm drowning in the documentation and there seems to be quite a bit missing from OPAs own docs to explain how this can be done.

Reach out to Styra - they sell services around OPA. Alternatively reconsider your choice and look into XACML (see below).

Drawbacks

  • the language (REGO) is not easy to understand
  • the language is not standardized
  • OPA does not support Policy Information Points (PIP) - that's by design.

Implementations

I've been looking all over the internet for examples of OPA being used as an implementation for ABAC but I haven't found anything.

Have a look at the work they did at Netflix. That's the main implementation I am aware of. You can also reach out to Styra, the company behind OPA, and they'll be able to help out.

AuthZForce

AuthZForce is an open-source Java implementation of the XACML (eXtensible Access Control Markup Language xacml) standard. It provides a full ABAC implementation (PAP, PEP, PDP, PIP). It's part of Fiware (an open source initiative) and it's actively developed by a team at Thales.

AuthZForce Drawbacks

  • it does not seem to have a graphical interface to author policies. I found a reference to KEYROCK PAP but couldn't see any screenshot
  • it does not support ALFA, the abbreviated language for authorization.

Implementations

There are many other implementations of XACML you can consider (both open-source and commercial):

  • AT&T XACML
  • SunXACML
  • WSO2 - part of their WSO2 Identity Server platform - it's called Balana
  • Axiomatics (commercial - this is where I work) - we have a large customer base using our platform ranging from Fortune 50 companies to agile startups.

Benefits of XACML & ALFA

One of the key benefits of XACML / ALFA is that they are standards and widely adopted. The standard has been around since 2001 and interoperates with other standards e.g. SAML, OAuth, and SCIM.

Tags:

Authorization

Abac

Xacml

Alfa

Open Policy Agent

Related

compiled class problem in java try/catch block How to disable NavigationView push and pop animations Can I write `foldr` (or `foldMap`) in terms of 'recursion schemes' `cata`? Azure Pipeline to trigger Pipeline using YAML How to join many fragmented time series in one regular Pandas DataFrame in Python SIGABRT: Precondition failure: imported node deleted before its value was read Android - Program type already present com.transition.R while importing ViewPager2 library how to get input field value on button click in react? Published works for single object but not for array of objects How to overlay a layout on lock screen when in devices running Oreo and Pie Laravel: Form file uploads failing - incorrect type detected Fast method to multiply integer by proper fraction without floats or overflow

Recent Posts