Function Description

This plugin implements OPA policy control.

Running Attributes

Plugin Execution Phase: Authentication Phase
Plugin Execution Priority: 225

Configuration Fields

| Field | Data Type | Required | Default Value | Description |
|---|---|---|---|---|
| policy | string | Required | - | OPA Policy |
| timeout | string | Required | - | Timeout setting for access |
| serviceSource | string | Required | - | k8s, nacos, ip, route |
| host | string | Optional | - | Service host (required if serviceSource is ip) |
| serviceName | string | Optional | - | Service name (required if serviceSource is k8s,nacos,ip) |
| servicePort | string | Optional | - | Service port (required if serviceSource is k8s,nacos,ip) |
| namespace | string | Optional | - | Namespace (required if serviceSource is k8s,nacos) |

Configuration Example

    serviceSource: k8s
    serviceName: opa
    servicePort: 8181
    namespace: higress-backend
    policy: example1
    timeout: 5s

OPA Service Installation Reference

Start OPA Service

    docker run -d --name opa -p 8181:8181 openpolicyagent/opa:0.35.0 run -s

Create OPA Policy

    curl -X PUT '127.0.0.1:8181/v1/policies/example1' \
      -H 'Content-Type: text/plain' \
      -d 'package example1

    import input.request

    default allow = false

    allow {
        # HTTP method must be GET
        request.method == "GET"
    }'

Query Policy

    curl -X POST '127.0.0.1:8181/v1/data/example1/allow' \
      -H 'Content-Type: application/json' \
      -d '{"input":{"request":{"method":"GET"}}}'
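The same query wrapped in a fail-closed check, as an added example (not the plugin's code and not part of the original page). OPA answers HTTP 200 with an empty object when the queried document is undefined, for example when the `policy` name does not match an uploaded policy, so only an explicit `"result": true` counts as allow. The function names `interpret_decision` and `opa_allows` are hypothetical, and the sample responses are constructed.

```python
"""Added example: fail-closed client for the OPA Data API query shown above."""
import http.client
import json
import urllib.error
import urllib.request


def interpret_decision(status: int, body: bytes) -> bool:
    """Return True only for HTTP 200 with a JSON object whose "result" is exactly true.

    A 200 response without a "result" key means the document is undefined
    (wrong or missing policy), which must be treated as deny.
    """
    if status != 200:
        return False
    try:
        doc = json.loads(body)
    except ValueError:  # malformed JSON or undecodable bytes
        return False
    return isinstance(doc, dict) and doc.get("result") is True


def opa_allows(base_url: str, policy: str, method: str, timeout: float = 5.0) -> bool:
    """POST {"input":{"request":{"method": ...}}} to /v1/data/<policy>/allow."""
    payload = json.dumps({"input": {"request": {"method": method}}}).encode()
    req = urllib.request.Request(
        f"{base_url}/v1/data/{policy}/allow",
        data=payload,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret_decision(resp.status, resp.read())
    except (urllib.error.URLError, http.client.HTTPException, OSError):
        # Unreachable server, timeout, or HTTP error status: deny.
        return False


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "GET allowed": (200, b'{"result": true}'),
    "POST denied by default rule": (200, b'{"result": false}'),
    "policy not loaded": (200, b"{}"),
    "server error": (500, b"internal error"),
}

if __name__ == "__main__":
    for name, (status, body) in SAMPLES.items():
        print(f"{name}: allow={interpret_decision(status, body)}")
```

Against the OPA container started above, `opa_allows("http://127.0.0.1:8181", "example1", "GET")` issues the same request as the curl query.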