An open source, general-purpose policy engine.
Alternatives To Opa
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
Opa8,0678227919 hours ago564September 07, 2022312apache-2.0Go
An open source, general-purpose policy engine.
3 years ago10JavaScript
Purescript Simple Json129
41a year agoMarch 08, 20185mitPureScript
A simple Purescript JSON library that uses types automatically
Keynote Extractor31
5 years agomitAppleScript
🎁 Extract Keynote presentations to JSON and Markdown using a simple script.
8 months agomitJavaScript
A slider in its purest form.
Json Api Example24
8 years agoRuby
JSON API example presented at Boston Ember on July 9, 2015.
Networking With Rest Api Calls And Urlsession Unit Tests And Data Persistence In Core Data19
5 months agomitSwift
Networking in Swift with REST API calls and URLSession, that puts the parsed JSON Data from an HTTP based JSON storage endpoint I created into a TableView and persists the data using Core Data with CRUD (create, read, update, and delete). I used also Unit Tests to test URLSession asynchronous network operations and make the project as robust as possible. When the JSON data is parsed into the dynamic TableView cell we can easily delete the cell with a swipe, the TableView will then reload itself with a custom made animation and Core Data will update and save the changes in realtime. There is also an option to send HTTP GET requests to the JSONPlaceholder server. A And last but not least I implemented a settings launcher slide-up menu that slides up from the bottom of the screen when the settings tab bar button is pressed. On the slide-up menu, we have all the functionalities I mentioned above like getting the data from the REST API, filtering the data in the cells using a search bar and sorting them in the right alphabetical order, and also send data to a REST API.
Mithril Slides18
5 years ago5otherHTML
A Keynote-inspired presentation app written with Mithril
4 years agomitJavaScript
Tom Marrs' speaking engagement materials and slides.
9 years ago1JavaScript
Seamless photo gallery on desktop and mobile.
Alternatives To Opa
Select To Compare

Alternative Project Comparisons

logo Open Policy Agent

Slack Status Build Status Go Report Card CII Best Practices Netlify Status

The Open Policy Agent (OPA) is an open source, general-purpose policy engine that enables unified, context-aware policy enforcement across the entire stack.

OPA is hosted by the Cloud Native Computing Foundation (CNCF) as an incubating-level project. If you are an organization that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details read the CNCF announcement.

Want to learn more about OPA?

Want to get OPA?

Want to integrate OPA?

  • See GoDoc to integrate OPA with services written in Go.
  • See REST API to integrate OPA with services written in other languages.

Want to contribute to OPA?

How does OPA work?

OPA gives you a high-level declarative language to author and enforce policies across your stack.

With OPA, you define rules that govern how your system should behave. These rules exist to answer questions like:

  • Can user X call operation Y on resource Z?
  • What clusters should workload W be deployed to?
  • What tags must be set on resource R before it's created?

You integrate services with OPA so that these kinds of policy decisions do not have to be hardcoded in your service. Services integrate with OPA by executing queries when policy decisions are needed.

When you query OPA for a policy decision, OPA evaluates the rules and data (which you give it) to produce an answer. The policy decision is sent back as the result of the query.

For example, in a simple API authorization use case:

  • You write rules that allow (or deny) access to your service APIs.
  • Your service queries OPA when it receives API requests.
  • OPA returns allow (or deny) decisions to your service.
  • Your service enforces the decisions by accepting or rejecting requests accordingly.

The examples below show different kinds of policies you can define with OPA as well as different kinds of queries your system can execute against OPA. The example queries are executed inside OPA's REPL which was built to make it easy to develop and test policies.

For concrete examples of how to integrate OPA with systems like Kubernetes, Terraform, Docker, SSH, and more, see openpolicyagent.org.

Example: API Authorization

This example shows how you can enforce access controls over salary information served by a simple HTTP API. In this example, users are allowed to access their own salary as well as the salary of anyone who reports to them.

The management chain is represented in JSON and stored in a file (data.json):

    "management_chain": {
        "bob": [
        "alice": [

Start OPA and load the data.json file:

opa run data.json

Inside the REPL you can define rules and execute queries. Paste the following rules into the REPL.

default allow = false

allow {
    input.method = "GET"
    input.path = ["salary", id]
    input.user_id = id

allow {
    input.method = "GET"
    input.path = ["salary", id]
    managers = data.management_chain[id]
    input.user_id = managers[_]

Example Queries

Is someone allowed to access their own salary?

> input := {"method": "GET", "path": ["salary", "bob"], "user_id": "bob"}
> allow

Display the management chain for Bob:

> data.management_chain["bob"]

Is Alice allowed to access Bob's salary?

> input := {"method": "GET", "path": ["salary", "bob"], "user_id": "alice"}
> allow

Is Janet allowed to access Bob's salary?

> input := {"method": "GET", "path": ["salary", "bob"], "user_id": "janet"}
> allow

Example: App Placement

This example shows how you can enforce where apps are deployed inside a simple orchestrator. In this example, apps must be deployed onto clusters that satisfy PCI and jurisdiction requirements.

app_placement[cluster_id] {
    cluster = data.clusters[cluster_id]
    satisfies_jurisdiction(input.app, cluster)
    satisfies_pci(input.app, cluster)

satisfies_jurisdiction(app, cluster) {
    not app.tags["requires-eu"]

satisfies_jurisdiction(app, cluster) {
    startswith(cluster.region, "eu-")

satisfies_pci(app, cluster) {
    not app.tags["requires-pci-level"]

satisfies_pci(app, cluster) {
    level = to_number(app.tags["requires-pci-level"])
    level >= cluster.tags["pci-level"]

Example Queries

Where will this app be deployed?

> input := {"app": {"tags": {"requires-pci-level": "3", "requires-eu": "true"}}}
> app_placement

Display clusters in EU region:

> startswith(data.clusters[cluster_id].region, "eu-")
| cluster_id |
| "prod-eu"  |
| "test-eu"  |

Display all clusters:

> data.clusters[cluster_id]
| cluster_id |           data.clusters[cluster_id]            |
| "prod-eu"  | {"region":"eu-central","tags":{"pci-level":2}} |
| "prod-us"  | {"region":"us-east"}                           |
| "test-eu"  | {"region":"eu-west","tags":{"pci-level":4}}    |
| "test-us"  | {"region":"us-west"}                           |

Example: SSH Auditing

This example shows how you can audit who has SSH access to hosts within different clusters. We will assume that SSH access is granted via group access in LDAP.

import data.ldap
import data.clusters

ssh_access[[cluster_name, host_id, user_id]] {
    host_id = clusters[cluster_name].hosts[_]
    group_id = ldap.users[user_id].groups[_]
    group_id = clusters[cluster_name].groups[_]

prod_users = {user_id | ssh_access[["prod", _, user_id]]}

Example Queries

Who can access production hosts?

> prod_users

Display all LDAP users:

> data.ldap.users[user_id]
|   data.ldap.users[user_id]    | user_id |
| {"groups":["dev","platform"]} | "alice" |
| {"groups":["dev","ops"]}      | "bob"   |
| {"groups":["dev"]}            | "janet" |

Display all cluster/group pairs:

> data.clusters[cluster_id].groups[_] = group_id
| cluster_id |  group_id  |
| "test"     | "dev"      |
| "test"     | "ops"      |
| "prod"     | "ops"      |
| "prod"     | "platform" |

Does Janet have access to the test cluster?

> ssh_access[["test", _, "janet"]]

What are the addresses of the hosts in the test cluster that Janet can access?

> ssh_access[["test", host_id, "janet"]]; addr = data.hosts[host_id].addr
|    addr    |  host_id   |
| "" | "host-abc" |
| "" | "host-cde" |
| "" | "host-efg" |

Further Reading


  • Open Policy Agent Introduction @ CloudNativeCon EU 2018: video, slides
  • Rego Deep Dive @ CloudNativeCon EU 2018: video, slides
  • How Netflix Is Solving Authorization Across Their Cloud @ CloudNativeCon US 2017: video, slides.
  • Policy-based Resource Placement in Kubernetes Federation @ LinuxCon Beijing 2017: slides, screencast.
  • Enforcing Bespoke Policies In Kubernetes @ KubeCon US 2017: video, slides.
  • Istio's Mixer: Policy Enforcement with Custom Adapters @ CloudNativeCon US 2017: video, slides.


Security Audit

A third party security audit was performed by Cure53, you can see the full report here

Reporting Security Vulnerabilities

Please report vulnerabilities by email to open-policy-agent-security. We will send a confirmation message to acknowledge that we have received the report and then we will send additional messages to follow up once the issue has been investigated.

Popular Json Projects
Popular Slides Projects
Popular Data Formats Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.
Cloud Native