brewOPA

Data access control via OPA REST APIs

Start OPA as a service (listening on port 8181 by default)

opa run -s

Create the access policy module

curl localhost:8181/v1/policies/brewOPA \
-X PUT \
-H "Content-Type: text/plain" \
--data-binary @rego/brewOPA.rego

Deposit access policy to the namespace policies/:policyID Here, we deposit JSON (generated from the YAML using yq) because OPA's REST API doesn't support YAML.

curl localhost:8181/v1/data/policies/myPolicy \
-X PUT \
-H "Content-Type: text/plain" \
-d '{
"sensitiveAttrs": ["card_number", "credit_limit", "card_family"],
"locations": [
{
"repo": "invoices",
"schema": "finance",
"table": "cards"
}
],
"rules": [
{
"deletes": {
"allow": true,
"rows": 1
},
"identities": ["bob"],
"reads": {
"allow": true,
"attributes": ["credit_limit", "card_family"],
"rows": 10
},
"updates": {
"allow": true,
"attributes": ["credit_limit"],
"rows": 1
}
}
],
"defaultRule": {
"deletes": {
"allow": false
},
"reads": {
"allow": true,
"attributes": "any",
"rows": 1
},
"updates": {
"allow": false
}
}
}'

Query the access policy module providing data access parameters as input

curl localhost:8181/v1/data/dbAccess/main\?pretty\=true \
-X POST \
-H "Content-Type: application/json" \
-d '{
"input": {
"user": "bob",
"repo": "clinics",
"accessType": "SELECT",
"tablesReferenced": ["finance.cards"],
"columnsReferenced": {
"finance.cards": ["cust_id", "card_number", "credit_limit"]
},
"rowsAffected": 10
}
}'