Open Policy Agent (OPA) Support in WSO2 API Manager
In this article, I discuss how to attach an OPA policy to an API in WSO2 API Manager using a sample scenario.
Open Policy Agent (OPA) is an open source, general-purpose policy engine that unifies policy enforcement across the stack. OPA is supported in WSO2 API Manager 4.1.0 onwards. The following steps will guide you on how to apply an OPA policy to an API.
1. Run OPA as a server using Docker.
docker run -p 8181:8181 openpolicyagent/opa run --server --log-level debug
Note: You can test whether OPA is available using curl -i localhost:8181/
2. Start WSO2 API Manager.
3. Deploy the sample PizzaShackAPI.
4. Go to the API Configurations → Policies section.
5. Drag and drop the Validate Request with OPA policy to the Request Flow of the /order/{orderId} operation. A side menu will then appear to configure the OPA server.
6. Insert only the following required values to configure the OPA server for this sample scenario.
7. Click the Save and Deploy button to deploy the API.
8. Create and save the pizzashack_order_policy.rego file.
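package pizzashack.order

import future.keywords.if

# Deny unless the allow rule below matches.
default allow := false

# Allow only GET requests whose order ID is exactly 36 characters long.
allow if {
    is_get
    count(order_id) == 36
}

is_get if {
    input.method == "GET"
}

# Everything in the path after the /pizzashack/1.0.0/order/ prefix.
order_id := substring(input.path, count("/pizzashack/1.0.0/order/"), -1)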
This policy checks whether the request method is GET and the length of orderId is 36.
9. Publish the pizzashack_order_policy.rego file to the OPA server.
curl -X PUT -H "Content-Type: text/plain" --data-binary @pizzashack_order_policy.rego http://localhost:8181/v1/policies/pizzashack_order_policy
10. Create an order using the /order operation in the Tryout section and copy the orderId.
11. Try to invoke the /order/{orderId} operation using the copied orderId and an orderId with a different length.
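Before publishing the policy in step 9, its decisions can be checked offline with OPA's built-in test runner. The test file below is an added example, not part of the original article or of WSO2's code. It assumes the input document carries only the method and path fields that the policy reads, and the file name pizzashack_order_policy_test.rego and all sample IDs are constructed for illustration.

```rego
package pizzashack.order_test

import data.pizzashack.order
import future.keywords.if

# Constructed sample values, not taken from a real API Manager deployment.
prefix := "/pizzashack/1.0.0/order/"

uuid_id := "123e4567-e89b-12d3-a456-426614174000"

junk_id := "not-a-uuid-but-36-characters-long!!!"

# A GET request with a 36-character order ID is allowed.
test_get_with_36_char_id_is_allowed if {
	count(uuid_id) == 36
	order.allow with input as {"method": "GET", "path": concat("", [prefix, uuid_id])}
}

# An order ID of any other length falls through to the default deny.
test_shorter_id_is_denied if {
	not order.allow with input as {"method": "GET", "path": concat("", [prefix, "1234"])}
}

# Only GET satisfies is_get, so other methods are denied even with a valid ID.
test_other_methods_are_denied if {
	not order.allow with input as {"method": "DELETE", "path": concat("", [prefix, uuid_id])}
}

# Missing fields leave is_get and order_id undefined, so the default applies.
test_empty_input_is_denied if {
	not order.allow with input as {}
}

# The policy validates length only: a 36-character value that is not a UUID
# is also allowed. Format validation would need an additional condition.
test_length_is_the_only_id_check if {
	count(junk_id) == 36
	order.allow with input as {"method": "GET", "path": concat("", [prefix, junk_id])}
}
```

Run it with opa test -v pizzashack_order_policy.rego pizzashack_order_policy_test.rego; all five tests should pass against the policy from step 8.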
That’s it! I hope you learned the 101 of attaching an OPA policy to an API in WSO2 API Manager. Thank you for reading my article.