Implementing Attribute-Based Access Control (ABAC) Using Open Policy Agent (OPA)
OPA is available for Windows and Linux. In this post we will see the whole process of implementing ABAC using Rego and OPA on Windows. The requirements are given below.
Requirements
- OPA software
- VSCode
- Postman website - for API testing
- Postman desktop client
Setting up Environment - Downloading required software
- OPA software. You can download OPA software by following this link
- Once the software is installed, we will add it to the path for easy access via the terminal. To add it to the path, follow these steps:
  - Go to system environment
  - Click on Environment Variables --> Path
  - Then double-click on Path --> New, then paste the address where opa.exe is saved
- Verify that OPA was successfully added to the path by running this command:
opa version
If you see the OPA version information in the terminal, you have successfully added OPA to the path.
Writing Rego code to manage policy
- Now that OPA is on the path, we have to write the policy code in Rego. We can use VSCode or any other application such as Notepad++. Here I am using VSCode. Open VSCode and create a file named policy.rego. Make sure the name ends with .rego
- Write a simple policy such that if the user is a manager, allow him, else block. For this we will write simple code.
package hr_system
# Rego v1 syntax (the if keyword), required by current OPA releases
import rego.v1
# Deny by default
default allow := false
# Manager: allow when the role attribute in the input is "manager"
allow if {
    input.role == "manager"
}
To download complete code of project click here
- Our next step is to test this. There are two ways to test if our policy is working.
1. Using local machine
2. Using Postman
We are using Postman so that it meets the requirements.
Setting up for Postman
- Navigate to the Postman website and click on Signup in the top right
- On the left side click on New --> HTTP
- Now you will have a new HTTP request open. Stop here and navigate back to VSCode
- In VSCode press Ctrl + backtick (the key below the ESC key) to open the terminal in VSCode. Make sure you are in the Terminal tab
Starting the server
- Paste the following command in the terminal to start the server
opa run --server
- Navigate back to the Postman dashboard, change the request type from GET to POST, and use the following address in the field: http://localhost:8181/v1/data/hr_system/allow
- Below this field click on raw and select JSON as the input, then paste the following JSON there
{
  "input": {
    "role": "manager"
  }
}
You will see an error asking you to download the Postman desktop agent. Simply download it and install it.
- Once the Postman desktop agent is installed successfully, go to VSCode and open a new terminal. Make sure that the OPA server is always running
- In the new terminal, paste the following command. This command uploads the policy to the OPA server so that you do not get an empty body response.
curl -X PUT --data-binary @policy.rego http://localhost:8181/v1/policies/hr_system
If successful you will see {} in return
Whenever you make changes to the policy.rego file, you have to rerun the above command to update the policy on the OPA server. Make sure to save the file before running this command, else the content won't be updated
- Navigate back to the Postman dashboard and Send the request again
You will get the response saying { "result": true }
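When an application rather than Postman asks OPA for the decision, it should deny on anything other than "result": true, including the empty {} that comes back when the policy has not been uploaded. The Python below is an added example, not code from the original project; the function names decision_from_body and is_allowed are assumptions, and the sample bodies are constructed.

```python
import http.client
import json
import urllib.request

# Decision URL from the post; assumes the server was started with `opa run --server`
OPA_URL = "http://localhost:8181/v1/data/hr_system/allow"


def decision_from_body(body: bytes) -> bool:
    """Map an OPA Data API response body to allow (True) or deny (False)."""
    try:
        doc = json.loads(body)
    except ValueError:  # covers JSONDecodeError and UnicodeDecodeError
        return False
    if not isinstance(doc, dict):
        return False
    # An undefined decision (policy not uploaded, wrong package path) is a
    # JSON object with no "result" key, so .get() returns None and we deny.
    # Only the JSON boolean true grants access; "true", 1 or {} do not.
    return doc.get("result") is True


def is_allowed(attributes: dict, url: str = OPA_URL, timeout: float = 2.0) -> bool:
    """Send the attributes as OPA input; any transport or HTTP error denies."""
    req = urllib.request.Request(
        url,
        data=json.dumps({"input": attributes}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return decision_from_body(resp.read())
    except (OSError, http.client.HTTPException):
        return False  # OPA unreachable, timed out, or returned an error status


if __name__ == "__main__":
    # Constructed sample bodies; this part needs no running server
    for body in (b'{"result": true}', b'{"result": false}', b"{}", b"not json"):
        print(body, "->", decision_from_body(body))
    # Live query: prints False unless OPA is running with the policy uploaded
    print("live query:", is_allowed({"role": "manager"}))
```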
Hope this post helps. That's all for today. Leave a comment if you need help at any step☺️