yordisprieto

yordisprieto

Authorization and OPA

I am trying to figure out a good architecture and implementation for authZ.

Recently, I discover GitHub - open-policy-agent/opa: Open Policy Agent (OPA) is an open source, general-purpose policy engine. which so far seems amazing for what I need, especially that the policies are not tied couple to my application code.

What do you think?

Would you use this over these packages GitHub - h4cc/awesome-elixir: A curated list of amazingly awesome Elixir and Erlang libraries, resources and shiny things. Updates: ?

Most Liked

a_lixer

a_lixer

:raised_hand: Sibling teammate here!

A caveat: I haven’t had experience with any AuthZ Elixir libraries, so I can’t really compare OPA with them.

My team had a rocky start with OPA, but we have reached a point of comfort and confidence with the policies we are now defining and maintaining.

An obvious downside to using OPA, is that your team will have to learn a new language and structure for thinking about authorization. As someone with a background in imperative languages, I was certainly challenged by the declarative nature of Rego. However, I’m pleased by how clean and concise OPA can be. When done right, policies read very clearly – for example it is easy to see that a user with an administrator role is allowed certain actions in contrast with other user roles.

My team initially structured our authZ policies in a somewhat naive way. Thankfully, when pain points quickly began to arise, we were able to re-think our approach on OPA and discover better practices for defining policies. This required revisiting the (somewhat limited) OPA documentation. I also found this deep dive from KubeCon to be extremely helpful. I highly recommend it. After re-thinking and re-writing our policies, we arrived at a much better state. The false start was somewhat of a blessing in disguise, because it allowed us to see exactly what we didn’t know about OPA and then learn it quickly.

Another thing I’ll mention is testing. I don’t have any specific complaints about OPA tests, except that they aren’t ExUnit! I have become so accustomed to writing tests in ExUnit, that it’s hard to write tests outside of that framework.

Overall, my team has had a positive experience with OPA. Placing authorization policies in a different language forced as to separate our concerns from the rest of our code. I think this helped us make good decisions regarding our code organization. The declarative nature of OPA/Rego makes it very clear to us and to non-developers which types of users have which types of permissions and have access to which types of resources.

shanesveller

shanesveller

One of my sibling teams at work is using OPA as a sidecar to one of our Phoenix/Absinthe services, and write most or all of their business-domain authorization logic using its syntax and testing support and then delegate to that logic from within various Elixir code paths. I’ll reach out and see if any of them care to leave specific comments here about their experiences so far, but they have at least a few months under their belt with this approach.

yordisprieto

yordisprieto

Hey, welcome to the Elixir community!

My team initially structured our authZ policies in a somewhat naive way. Thankfully, when pain points quickly began to arise, we were able to re-think our approach on OPA and discover better practices for defining policies.

Do you have an article about it? I would like to see what were your pain points and avoid them if I can.

Also, how are you dealing with maintaining the policies today?

I can’t find any good practices in from OPA documentation or talks, especially on how to deny access to particular request right away.

Are you using any particular package for integration with OPA? I was about to write some Elixir package for the full integration since it seems that there is no integration at the moment.

a_lixer

a_lixer

Hey, welcome to the Elixir community!

Thank you! :smile:

Do you have an article about it? I would like to see what were your pain points and avoid them if I can.

Unfortunately we haven’t publishing anything yet. I will post a link back here if we do.

Also, how are you dealing with maintaining the policies today?

So far we haven’t needed to do too much maintenance. After the re-write, our rules became granular and decoupled from each other. We are still actively developing the product, and as we define new user actions, it has been easy to add new policies without having to make changes to the existing ones.

I can’t find any good practices in from OPA documentation or talks, especially on how to deny access to particular request right away.

I wish there was more documentation, too! But I can help you with that.

Here’s an example from the online doc:

# allow bob to perform read-only operations.
allow {
    user == "bob"
    method == "GET"
}

This could alternatively be written as:

# allow bob to perform read-only operations.
allow = true {
    user == "bob"
    method == "GET"
}

So if you wanted to explicitly deny an operation, you could do something like:

# disallow eve from performing read-only operations.
allow = false {
    user == "eve"
    method == "GET"
}

Are you using any particular package for integration with OPA?

Not at the moment. We wrote some Plugs to distill a web request into user and resource fields, and then another Plug to send the document to OPA for an “allow” rule check. It is fairly simple, but it has been working pretty well for what we need.

yordisprieto

yordisprieto

Where Next?

Popular in Discussions Top

JakeBecker
TL;DR: I’ve just released an implementation of Microsoft’s IDE-independent Language Server Protocol for Elixir. It adds language support ...
1140 51847 244
New
adamu
When starting a new project, do you have any go-to libraries you pull in out of habit/preference? For example, Ash, Credo, Mox, ExMachin...
New
ivanminutillo
Bonfire is an open source framework for building modular federated digital spaces. It’s built entirely with Elixir, including LiveView (a...
New
AstonJ
@Garrison’s comment in another thread reminded me of this post by Joe: With the big five exerting more control than ever, new (AI) play...
New
arcanemachine
Just wondering what the community currently thinks, prefers, and/or recommends for working with UI components. (e.g. daisyUI, MishkaChele...
New
James_E
I see that the current ExUnit source code has support for rich failure messages on a small whitelist of “recognized” assertion patterns, ...
New
AstonJ
A remark @Garrison made… ..has already inspired a thread for the technical side of reclaiming our internet, but there is of course anot...
New
karlosmid
The |> operator appears in many languages, mostly in the functional world. F# has essentially the exact same operator, as does OCaml. ...
New
isaacsanders
When I try to run my applications and I haven’t updated the dependencies, the output tells me to run mix deps.get. Why doesn’t the binar...
New
AstonJ
Inspired by Andrew’s post in another thread about types: If the main benefit of static typing is to catch errors, and most people think...
New

Other popular topics Top

sorentwo
Hello! tl;dr Announcing Oban, an Ecto based job processing library with a focus on reliability and historical observability. After spen...
977 41022 311
New
sergio
I couldn’t find any guides that worked well with Phoenix 1.6.0 and esbuild. I hope this helps people test the waters and eases you into t...
New
sergio_101
I am VERY much an elixir newbie. I have taken one elixir course and one phoenix course on Udemy. During that course, I saw the instructor...
New
fireproofsocks
I’m working on defining a simple Ecto schema for a table (in PostGres), but I don’t see where I can define a column as NOT NULL. Conside...
New
polypush135
As many of you may have realized by now (sorry for all the posts here) I’ve been working on a db problem where I’m trying to aggregate a ...
New
aadeshere1
I have a another noob question about loop. Since elixir is immutable, while loop is not directly possible. total = 10 while total != 0 ...
New
vonH
When I run the Plug and I recompile I wind up having to use Ctrl C to quit iex and start again. Witht the help of rlwrap I can use the cu...
New
WestKeys
Currently suffering from paralysis by [HTTP client] analysis. This is rather unusual in Elixirland as there tends to be consensus on the ...
New
romenigld
I am trying to run a deploy with docker and I successfully runned with this command: docker build -t romenigld/blog-prod . but when I t...
New
aesmail
Hello guys, I have finally made it. I created an admin interface for a framework. It’s been on my todo list for years and with the curre...
New

We're in Beta

About us Mission Statement