Single Sign-on uses the Open Policy Agent (OPA) as its authorization policy engine. You create an OPA policy in Single Sign-on using the OPA policy language, Rego: each policy consists of a Policy Document written in Rego and a standard OPA Data Document in JSON. The Data Document editor validates JSON, which helps ensure that the Data Document you provide is well-formed.
OPA provides The Rego Playground that contains simple examples of OPA policies created using the Rego language.
To create an OPA policy:
Select the plus sign + to add an authorization policy, then select OPA Policy.
Use the following information to create an OPA authorization policy:
Specify a name for the OPA authorization policy.
Specify a detailed description so that other administrators can understand what this OPA authorization policy does.
Select Enable to enable the OPA authorization policy after you save it. Single Sign-on ignores any disabled policy when it evaluates the policies.
Specify the unique path for your policy package. Every Policy Document must be unique: it defines its own namespace with the Rego keyword package at the start of the document, and the Authorization Service must also add its own unique path to that package designation. To allow both the Authorization Service and the Policy Document creator to contribute to the namespace, Single Sign-on uses the following mechanism. You designate the unique path for the policy package by adding the following command to the start of the Policy Document:
package{{PACKAGE}}
When it sends the Policy Document to the Rego policy engine, the Authorization Service replaces the {{PACKAGE}} tag with the Authorization Service's unique policy package path followed by the Policy Package path you specify here. For example, if you specify your.unique.path as the unique path, the package path in the final Policy Document is:
authz.svc.unique.path.your.unique.path
Specify the Evaluation Path that the Authorization Service uses to evaluate the Policy. The Authorization Service appends this path to the end of the URL used to send the policy evaluation request to the OPA Policy Engine.
You can create a Rego Policy Document with multiple evaluation paths. An evaluation path is defined as a dot-separated path into the Rego Policy Document that, if specified for evaluation, returns only the evaluation for that path. If a Rego Policy Document has many evaluation paths, evaluating the Rego Policy document without specifying an evaluation path executes and returns all the evaluation path results.
For example, in the following Rego Policy Document, the possible evaluation paths are hello and allow.
package{{PACKAGE}}

import future.keywords.if

default hello := false
default allow := false

hello if input.message == "world"
allow if input.message == "universe"
If you want to execute only the allow evaluation path, specify the path "allow" in Evaluation Path. Otherwise, Single Sign-on evaluates the Rego at the "root" evaluation path, which in this example returns both "hello" and "allow" as results.
Create the OPA policy document that contains the OPA Rego policy definition. Standard Rego is required with the following exceptions:
You must designate the location of the Rego Policy Document policy package by placing the following command at the start of the Policy Document:
package{{PACKAGE}}
You must designate the location where the OPA Data document namespace must be inserted into the Rego Policy document by placing the following tag anywhere a Data Document path is used. The following example illustrates the tag and its use:
allow if data.{{ENGINENAMESPACE}}.user_attr[input.user].title == "alloweduser"
When the Authorization Service sends the OPA Data Document to the OPA engine, it namespaces the Data Document under an auto-generated unique identifier. Every path in the Rego Policy Document that references the Data Document must therefore include that identifier; a reference written without it points at data that does not exist under the engine's data tree.
In the example above, the Authorization Service replaces the tag {{ENGINENAMESPACE}} with the auto-generated namespace for the data document. For example:
allow if data.authz.svc.path1.user_attr[input.user].title == "alloweduser"
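The following Python script is an added example, not part of this documentation or the Single Sign-on product. It reproduces the two substitutions the Authorization Service is described as performing ({{PACKAGE}} and {{ENGINENAMESPACE}}), builds the OPA evaluation URL from the package path and the Evaluation Path, validates the Data Document as JSON, and adds two checks an administrator would want before saving a policy: that no unreplaced tags remain, and that every data.* reference goes through the {{ENGINENAMESPACE}} tag. The prefix authz.svc.unique.path and the namespace authz.svc.path1 are taken from the page's examples; the space inserted after the package keyword and the OPA REST paths (PUT and POST on /v1/data/<path>, with dots mapped to slashes) are assumptions about standard OPA, not statements about how Single Sign-on is implemented.

```python
import json
import re

# Constructed example values (the real Authorization Service generates these).
AUTHZ_PACKAGE_PREFIX = "authz.svc.unique.path"   # prefix shown in the page's example
ENGINE_NAMESPACE = "authz.svc.path1"             # data namespace shown in the page's example

# Constructed Policy Document combining the page's two examples:
# "hello" depends only on the Input Document, "allow" looks up the Data Document.
POLICY_TEMPLATE = """package{{PACKAGE}}

import future.keywords.if

default hello := false
default allow := false

hello if input.message == "world"
allow if data.{{ENGINENAMESPACE}}.user_attr[input.user].title == "alloweduser"
"""

# Constructed Data Document (static data the policy reads).
DATA_DOCUMENT = '{"user_attr": {"alice": {"title": "alloweduser"}, "bob": {"title": "guest"}}}'

TAG_RE = re.compile(r"\{\{([A-Z]+)\}\}")


def render_policy(template, policy_package, prefix=AUTHZ_PACKAGE_PREFIX, namespace=ENGINE_NAMESPACE):
    """Apply the two substitutions described on the page and return (full package path, Rego text).

    Assumption: a space is inserted after 'package' so the result is valid Rego.
    """
    full_package = f"{prefix}.{policy_package}"
    rendered = template.replace("{{PACKAGE}}", " " + full_package)
    rendered = rendered.replace("{{ENGINENAMESPACE}}", namespace)
    return full_package, rendered


def leftover_tags(rendered):
    """Tags still present after rendering indicate a policy that will not evaluate as intended."""
    return TAG_RE.findall(rendered)


def find_unnamespaced_data_refs(template):
    """Return data.* references that bypass the {{ENGINENAMESPACE}} tag.

    Such a reference resolves to nothing in the engine's data tree, so rules that
    depend on it stay undefined and fall back to their default (here: false).
    """
    refs = re.findall(r"\bdata\.[A-Za-z0-9_.{}\[\]]+", template)
    return [r for r in refs if not r.startswith("data.{{ENGINENAMESPACE}}")]


def validate_data_document(text):
    """Mirror the editor's JSON validation and require a top-level object."""
    doc = json.loads(text)
    if not isinstance(doc, dict):
        raise ValueError("Data Document must be a JSON object")
    return doc


def data_write_url(base_url, namespace=ENGINE_NAMESPACE):
    # Assumption: standard OPA REST API, PUT /v1/data/<path> stores a document at <path>.
    return f"{base_url}/v1/data/{namespace.replace('.', '/')}"


def evaluation_url(base_url, full_package, evaluation_path=""):
    # Assumption: standard OPA REST API, POST /v1/data/<package path>[/<evaluation path>].
    # With an evaluation path OPA returns only that rule's value; without one it returns
    # every rule in the package (here both "hello" and "allow").
    path = full_package.replace(".", "/")
    if evaluation_path:
        path += "/" + evaluation_path.replace(".", "/")
    return f"{base_url}/v1/data/{path}"


def evaluation_request(input_doc):
    """Body of the evaluation request; the Input Document is the dynamic run-time data."""
    return json.dumps({"input": input_doc})


if __name__ == "__main__":
    full_package, rego = render_policy(POLICY_TEMPLATE, "your.unique.path")
    assert not leftover_tags(rego), "unreplaced tags remain"
    assert not find_unnamespaced_data_refs(POLICY_TEMPLATE), "data reference without namespace tag"
    validate_data_document(DATA_DOCUMENT)
    print(rego)
    print("PUT ", data_write_url("http://opa:8181"))
    print("POST", evaluation_url("http://opa:8181", full_package, "allow"))
    print("body", evaluation_request({"user": "alice", "message": "world"}))
```

Running the script prints the rendered Rego, the URL the Data Document would be written to, and the URL and body of an evaluation request for the allow path. The two lint checks are the useful part: a policy that references data.user_attr directly instead of data.{{ENGINENAMESPACE}}.user_attr saves without error but never sees the Data Document, so allow silently stays at its default of false.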
Create the OPA data document that contains the hierarchical structured data in JSON format. This structured data represents static data that the Rego Policy Document uses to evaluate the policy.
The OPA Policy engine evaluates the policy using three documents: the Policy Document as the executable script, the Data Document as the static hierarchical structured data, and the Input Document, which is auto-generated at run time, as the dynamic hierarchical structured data.
Select Save to save the OPA authorization policy.
(Conditional) Repeat Step 1 through Step 3 to create additional OPA authorization policies.