snazy commented on code in PR #3030:
URL: https://github.com/apache/polaris/pull/3030#discussion_r2517257080


##########
site/content/in-dev/unreleased/managing-security/external-pdp/opa.md:
##########
@@ -0,0 +1,363 @@
+---
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+title: Open Policy Agent (OPA) Integration
+linkTitle: OPA
+type: docs
+weight: 100
+---
+
+{{% alert title="Experimental Feature" color="warning" %}}
+**OPA integration is currently an experimental feature** and may undergo 
breaking changes in future versions. Use with caution in production 
environments.
+{{% /alert %}}
+
+This page describes how to integrate Apache Polaris (Incubating) with [Open 
Policy Agent (OPA)](https://www.openpolicyagent.org/) for external 
authorization.
+
+## Overview
+
+Open Policy Agent (OPA) is a general-purpose policy engine that enables 
unified, context-aware policy enforcement across your stack. OPA provides a 
high-level declarative language (Rego) for authoring policies and APIs to 
offload policy decision-making from your software.
+
+Key benefits of using OPA with Polaris:
+
+- **Flexible policy language**: Write authorization logic in Rego, a powerful 
declarative language
+- **Centralized policy management**: Manage all policies in a single location
+- **Policy testing**: Write unit tests for your authorization policies
+- **Rich ecosystem**: Integrate with policy bundles, decision logs, and 
management tools
+- **Attribute-based access control**: Make decisions based on user attributes, 
resource properties, and environmental context
+
+## Prerequisites
+
+Before configuring OPA integration:
+
+1. **OPA Server**: Deploy and configure an OPA server accessible from Polaris
+2. **Policy Definition**: Write and deploy authorization policies to OPA
+3. **Network Access**: Ensure Polaris can reach the OPA server
+
+## Quick Start
+
+### 1. Deploy OPA
+
+Deploy OPA server with your policies. For example, using Docker:
+
+```bash
+docker run -d \
+  --name opa \
+  -p 8181:8181 \
+  -v $(pwd)/policies:/policies \
+  openpolicyagent/opa:latest \
+  run --server --addr :8181 /policies
+```
+
+### 2. Create a Policy
+
+Create a policy file (e.g., `policies/polaris.rego`):
+
+```rego
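
Review bot: The Docker example under "### 1. Deploy OPA" publishes the OPA API with `-p 8181:8181` on every host interface, starts it with only `run --server --addr :8181` (no TLS or authentication options on the command line), and pulls `openpolicyagent/opa:latest`. This server is the one that will answer Polaris's authorization queries, so please bind the example to loopback (`-p 127.0.0.1:8181:8181`), pin the image to a specific version tag instead of `latest`, and mount the policy directory read-only (`-v "$(pwd)/policies:/policies:ro"`), or state next to the command that it is for local evaluation only. The "Network Access" prerequisite would also benefit from a sentence on restricting who else can reach the OPA server, not only that Polaris can.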

Review Comment:
   Too sad - guess we need to bump the Hugo version to get syntax highlighting 
for Rego (not for this PR tho).



##########
site/content/in-dev/unreleased/managing-security/external-pdp/opa.md:
##########
@@ -0,0 +1,363 @@
+---
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+#
+title: Open Policy Agent (OPA) Integration
+linkTitle: OPA
+type: docs
+weight: 100
+---
+
+{{% alert title="Experimental Feature" color="warning" %}}
+**OPA integration is currently an experimental feature** and may undergo 
breaking changes in future versions. Use with caution in production 
environments.
+{{% /alert %}}
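
Review bot: The alert body's "Use with caution in production environments" gives an operator nothing to act on. This page documents an authorization integration, so please say which parts are expected to change between versions, so that readers know what to re-test after an upgrade, rather than leaving the caution unspecified.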

Review Comment:
   Guess you want this?
   ```suggestion
   {{< alert warning "Experimental Feature" >}}
   **OPA integration is currently an experimental feature** and may undergo breaking changes in future versions. Use with caution in production environments.
   {{< /alert >}}
   ```



##########
site/content/in-dev/unreleased/managing-security/_index.md:
##########
@@ -25,4 +25,6 @@ weight: 550
 
 ## [Access Control]({{< relref "access-control" >}})
 
-## [Authentication and Identity Providers]({{< relref "external-idp" >}})
\ No newline at end of file
+## [Authentication and Identity Providers]({{< relref "external-idp" >}})
+
+## [External Policy Decision Point]({{< relref "external-pdp" >}})
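
Review bot: The new entry links to `{{< relref "external-pdp" >}}`, but the only file under that directory visible in this review is `external-pdp/opa.md`. Please confirm the PR also adds `external-pdp/_index.md` (or another page that this reference resolves to), otherwise the link has no target. The link text "External Policy Decision Point" also gives no hint that this is where authorization via OPA is documented; adding "(OPA)" or "authorization" to it would help readers looking for the security-relevant page.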

Review Comment:
   I know the `##` were there before, but would you mind changing this to a 
bullet-list?
   
   ```suggestion
   * [Access Control]({{< relref "access-control" >}})
   * [Authentication and Identity Providers]({{< relref "external-idp" >}})
   * [External Policy Decision Point]({{< relref "external-pdp" >}}) (PDP), including Open-Policy-Agent (OPA)
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
