Building on top of Open Policy Agent (OPA)
Building authorization with the Open Policy Agent decision engine
The Open Policy Agent (OPA) project is a great general-purpose policy engine applied heavily in the infrastructure space. Aserto has extended the use case for the general-purpose decision engine to that of fine-grained application access control.
The OPA decision engine is at the core of Aserto authorizers, which make millisecond access control decisions based on real-time data.
OPA + Aserto = <3
Distribution
Aserto wraps the policy bundle with an Open Container Initiative (OCI) image so that your OPA policies use an image format that has been standardized and embraced by a much broader ecosystem.
Using the OCI standard, we can apply Semantic Versioning as well as standard signing solutions (like Sigstore), which gives us:
- Discoverability and sharing: an OCI artifact can carry both labels and attributes that are indexable and searchable.
- Integrity: semantic versioning in conjunction with signing lets us know exactly which policy bundle we are currently running and prevents tampering, strengthening the integrity of our build.
Read more about Open Policy Containers, a Docker-like command workflow for securing the software supply chain of your OPA policies.
Synchronization
The use of signed OCI images, as well as the ability to push those images to an authorizer instance running right next to your application, gives you the assurance that you are running the version of a policy that you’re expecting.
Identity
The OPA engine has access to a JSON Web Token (JWT) or Security Assertion Markup Language (SAML) token, but any other piece of identity information it would want to use in authorization decisions would have to be resolved over an HTTP call.
Aserto solves this by bringing the identity information needed to make authorization decisions as close to the engine as possible so that no network calls are made at runtime. A database is hosted in the same container as the decision engine itself and is synchronized and kept up-to-date with a centralized directory. This ensures the decision engine can be autonomous and continue running even when the network might be down.
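The difference described above, shown as an added Rego example (not code from Aserto or the OPA project): the policy verifies the caller's JWT from `input` and then resolves the user's attributes from a `data.users` document loaded alongside the bundle, so no `http.send` call happens at decision time. The JWT secret, the `users` document shape and the role names are assumptions for illustration.

```rego
package authz

import rego.v1

default allow := false

# Constructed example: verify the bearer token passed in input with an
# HMAC secret read from the bundle's own data (placeholder key name).
claims := payload if {
    [valid, _, payload] := io.jwt.decode_verify(input.token, {
        "secret": data.config.jwt_secret,
        "aud": "inventory-api",
    })
    valid
}

# Identity attributes come from data shipped next to the engine. The
# alternative, resolving the user over the network at decision time,
# would look like http.send({"method": "GET", "url": ...}) here and
# would fail closed whenever that endpoint is unreachable.
user := data.users[claims.sub]

allow if {
    user.active
    "editor" in user.roles
    input.action == "write"
}

allow if {
    user.active
    input.action == "read"
}
```

With `data.users` absent or the token failing verification, `user` and `claims` are undefined and the default `allow := false` applies.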
Resource context
Aserto uses a database that lives close to the decision engine and is automatically synced with all resource information. This preserves the integrity and lightning speed of the decision engine by eliminating network calls, while the policy remains a read-only, immutable artifact.
Enforcement
Aserto eliminates the risk of making authorization decisions based on stale data by delivering the user, policy, and resource contexts to the policy decision point in real-time, with 100% availability.
Decision logs
Auditing and tracing are key components of a production-grade access control system. While OPA provides you with the ability to push decision logs to an HTTP endpoint, it doesn’t help with aggregating and centralizing all the messages. In deployments with multiple decision engine instances, this becomes a real challenge.
What is Aserto?
Aserto is an authorization service that helps developers build secure applications. It makes it easy to add fine-grained, policy-based, real-time access control to applications and APIs. It offers blazing-fast authorization via a local library, coupled with a centralized control plane for managing policies, user attributes, resource and relationship data, and decision logs. And it comes with everything you need to deliver fine-grained RBAC, ABAC, or ReBAC.