mirror of https://github.com/istio/istio.io.git
---
|
|
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE https://github.com/istio/istio REPO
|
|
source_repo: https://github.com/istio/istio
|
|
title: OPA
|
|
description: Adapter that implements an Open Policy Agent engine.
|
|
location: https://istio.io/docs/reference/config/policy-and-telemetry/adapters/opa.html
|
|
layout: protoc-gen-docs
|
|
generator: protoc-gen-docs
|
|
supported_templates: authorization
|
|
aliases:
|
|
- /docs/reference/config/adapters/opa.html
|
|
number_of_entries: 1
|
|
---
|
|
<p>The <code>opa</code> adapter exposes an <a href="https://www.openpolicyagent.org">Open Policy Agent</a> engine
|
|
that provides sophisticated access control mechanisms.</p>
|
|
|
|
<p>This adapter supports the <a href="/docs/reference/config/policy-and-telemetry/templates/authorization/">authorization template</a>.</p>
|
|
|
|
<h2 id="Params">Params</h2>
|
|
<section>
|
|
<p>Configuration format for the <code>opa</code> adapter.</p>
|
|
|
|
<p>Example configuration:</p>
|
|
|
|
<pre><code class="language-yaml">policy:
|
|
- |+
|
|
package mixerauthz
|
|
policy = [
|
|
{
|
|
"rule": {
|
|
"verbs": [
|
|
"storage.buckets.get"
|
|
],
|
|
"users": [
|
|
"bucket-admins"
|
|
]
|
|
}
|
|
}
|
|
]
|
|
|
|
default allow = false
|
|
|
|
allow = true {
|
|
rule = policy[_].rule
|
|
input.subject.user = rule.users[_]
|
|
input.action.method = rule.verbs[_]
|
|
}
|
|
checkMethod: "data.mixerauthz.allow"
|
|
failClose: true
|
|
</code></pre>
|
|
|
|
<table class="message-fields">
|
|
<thead>
|
|
<tr>
|
|
<th>Field</th>
|
|
<th>Type</th>
|
|
<th>Description</th>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr id="Params-policy">
|
|
<td><code>policy</code></td>
|
|
<td><code>string[]</code></td>
|
|
<td>
|
|
<p>List of OPA policies</p>
|
|
|
|
</td>
|
|
</tr>
|
|
<tr id="Params-check_method">
|
|
<td><code>checkMethod</code></td>
|
|
<td><code>string</code></td>
|
|
<td>
|
|
<p>Query method to check.
|
|
Format: data.&lt;package name&gt;.&lt;method name&gt;</p>
|
|
|
|
</td>
|
|
</tr>
|
|
<tr id="Params-fail_close">
|
|
<td><code>failClose</code></td>
|
|
<td><code>bool</code></td>
|
|
<td>
|
|
<p>Close the client request when the adapter has an issue.
|
|
If failClose is set to true and there is a runtime error,
|
|
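instead of disabling the adapter, close the client request. If failClose is false, a runtime error disables the adapter instead, so requests are presumably no longer checked against the policy; set it to true where authorization must fail closed.</p>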
|
|
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</section>
|