juzhiyuan commented on a change in pull request #5970: URL: https://github.com/apache/apisix/pull/5970#discussion_r776939207
########## File path: docs/en/latest/plugins/opa.md ########## @@ -0,0 +1,275 @@ +--- +title: opa +--- + +<!-- +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +--> + +## Summary + +- [**Description**](#description) +- [**Attributes**](#attributes) +- [**Data Definition**](#data-definition) +- [**Example**](#example) + +## Description + +The `opa` plugin is used to integrate with Open Policy Agent. By using this plugin, users can decouple functions such as authentication and access to services and reduce the complexity of the application system. Review comment: Do we need to add a link to it? ```suggestion The `opa` plugin is used to integrate with [Open Policy Agent](https://www.openpolicyagent.org/). By using this plugin, users can decouple functions such as authentication and access to services and reduce the complexity of the application system. ``` ########## File path: docs/en/latest/plugins/opa.md ########## @@ -0,0 +1,275 @@ +--- +title: opa +--- + +<!-- +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +--> + +## Summary + +- [**Description**](#description) +- [**Attributes**](#attributes) +- [**Data Definition**](#data-definition) +- [**Example**](#example) + +## Description + +The `opa` plugin is used to integrate with Open Policy Agent. By using this plugin, users can decouple functions such as authentication and access to services and reduce the complexity of the application system. + +## Attributes + +| Name | Type | Requirement | Default | Valid | Description | +| -- | -- | -- | -- | -- | -- | +| host | string | required | | | Open Policy Agent service host (eg. https://localhost:8181) | +| ssl_verify | boolean | optional | true | | Whether to verify the certificate | +| policy | string | required | | | OPA policy path (It is a combination of `package` and `decision`. When you need to use advanced features such as custom response, `decision` can be omitted) | +| timeout | integer | optional | 60000ms | [1, 60000]ms | HTTP call timeout. | +| keepalive | boolean | optional | true | | HTTP keepalive | +| keepalive_timeout | integer | optional | 60000ms | [1000,...] | keepalive idle timeout | +| keepalive_pool | integer | optional | 5 | [1,...] | Connection pool limit | +| with_route | boolean | optional | false | | Whether to send information about the current route. | +| with_service | boolean | optional | false | | Whether to send information about the current service. | +| with_consumer | boolean | optional | false | | Whether to send information about the current consumer. (It may contain sensitive information such as apikey, so please turn it on only if you are sure it is safe) | + +## Data Definition + +### APISIX to OPA service + +The `type` indicates that the request type. (e.g. `http` or `stream`) +The `reqesut` is used when the request type is `http`, it contains the basic information of the request. (e.g. url, header) +The `var` contains basic information about this requested connection. (e.g. IP, port, request timestamp) +The `route`, `service`, and `consumer` will be sent only after the `opa` plugin has enabled the relevant features, and their contents are same as those stored by APISIX in etcd. + +```json +{ + "type": "http", + "request": { + "scheme": "http", + "path": "\/get", + "headers": { + "user-agent": "curl\/7.68.0", + "accept": "*\/*", + "host": "127.0.0.1:9080" + }, + "query": {}, + "port": 9080, + "method": "GET", + "host": "127.0.0.1" + }, + "var": { + "timestamp": 1701234567, + "server_addr": "127.0.0.1", + "server_port": "9080", + "remote_port": "port", + "remote_addr": "ip address" + }, + "route": {}, + "service": {}, + "consumer": {} +} +``` + +### OPA service response to APISIX + +In the response, `result` is automatically added by OPA. The `allow` is indispensable and will indicate whether the request is allowed to be forwarded through the APISIX. +The reason, headers, and status_code are optional and are only returned when you need to use a custom response, as you'll see in the next section with the actual use case for it. + +```json +{ + "result": { Review comment: Let's use 2 spaces here? ########## File path: docs/en/latest/plugins/opa.md ########## @@ -0,0 +1,275 @@ +--- +title: opa +--- + +<!-- +# +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +--> + +## Summary + +- [**Description**](#description) +- [**Attributes**](#attributes) +- [**Data Definition**](#data-definition) +- [**Example**](#example) + +## Description + +The `opa` plugin is used to integrate with Open Policy Agent. By using this plugin, users can decouple functions such as authentication and access to services and reduce the complexity of the application system. + +## Attributes + +| Name | Type | Requirement | Default | Valid | Description | +| -- | -- | -- | -- | -- | -- | +| host | string | required | | | Open Policy Agent service host (eg. https://localhost:8181) | +| ssl_verify | boolean | optional | true | | Whether to verify the certificate | +| policy | string | required | | | OPA policy path (It is a combination of `package` and `decision`. When you need to use advanced features such as custom response, `decision` can be omitted) | +| timeout | integer | optional | 60000ms | [1, 60000]ms | HTTP call timeout. | Review comment: Hi, some users report that they have no idea what's the meaning of `[a, b]` 😄 only supporting 1 or 60000? or it means >= 1 and <= 60000? ```suggestion | timeout | integer | optional | 60000ms | [1, 60000]ms | HTTP call timeout. | ``` -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: notifications-unsubscr...@apisix.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
