Open Policy Agent (OPA) Support in WSO2 API Manager

In this article, I discuss how to attach an OPA policy to an API in WSO2 API Manager using a sample scenario

Binod Karunanayake
3 min readMay 18, 2023

Open Policy Agent (OPA) is an open source and general-purpose policy engine that unifies policy enforcement across the stack. OPA is supported in WSO2 API Manager 4.1.0 onwards. Following steps will guide you on how to apply an OPA policy to an API.

  1. Run OPA as a server using Docker.
docker run -p 8181:8181 openpolicyagent/opa run --server --log-level debug

Note:
You can test whether OPA is available using curl -i localhost:8181/

2. Start WSO2 API Manager.

3. Deploy the sample PizzaShackAPI.

4. Go to API Configurations → Policies section.

5. Drag and drop Validate Request with OPA policy to the Request Flow of /order/{orderId} operation, then a side menu will appear to configure the OPA server.

6. Insert only the following required values to configure the OPA server for this sample scenario.

7. Click on Save and Deploy button to deploy the API.

8. Create and save pizzashack_order_policy.rego file.

package pizzashack.order

import future.keywords.if

default allow := false

allow if {
is_get
count(order_id) == 36
}

is_get if {
input.method == "GET"
}

order_id := substring(input.path, count("/pizzashack/1.0.0/order/"), -1)

This policy checks whether the request method is GET and length of orderId is 36.

9. Publish pizzashack_order_policy.rego file to OPA server.

curl -X PUT -H "Content-Type: text/plain" --data-binary @pizzashack_order_policy.rego http://localhost:8181/v1/policies/pizzashack_order_policy

10. Create an order using /order operation in Tryout section and copy the orderId.

11. Try to invoke /order/orderId operation using the copied orderId and orderId with different length.

using a correct orderId with 36 characters
using a wrong orderId with different length
using a wrong orderId with 36 characters

That’s it! Hope you learned 101 of attaching an OPA policy for an API in WSO2 API Manager. Thank you for reading my article.

--

--

Binod Karunanayake
Binod Karunanayake

Written by Binod Karunanayake

PhD Candidate @RMIT University | Former Software Engineer @WSO2 | BSc Engineering (Hons) University of Moratuwa

No responses yet