OPA for HTTP Authorization

Open Policy Agent[1] is a promising, lightweight and very generic policy engine for governing authorization in any type of domain. I found this comparison[2] very attractive when evaluating OPA for a project I am currently working on; it demonstrates how OPA can provide the same functionality defined in RBAC, RBAC with Separation of Duty, ABAC and XACML.
Here are the steps of a brief demonstration of OPA used for HTTP API authorization, based on the sample [3] and taking it one level further.
Running OPA Server

First we need to download OPA from [4], according to the operating system we are running on. For Linux:

curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v0.10.3/opa_linux_amd64

Make it executable:

chmod 755 ./opa

Once done, we can start the OPA policy engine as a server:

./opa run --server

Define Data and Rules

Next we need to load data and authorization rules into the server so that it can make decisions. OPA defines these in files in the .rego format. Below is a sample …

Try out XACML policies with WSO2 Identity Server

WSO2 Identity Server (IS) is rich in entitlement management functionality, implemented in adherence to the relevant standards. It provides fine-grained, policy-based access control via XACML, supporting both the XACML 2.0 and XACML 3.0 specifications. Going one step further, it provides a friendly user interface for defining complex XACML policies in a simple way, with a Tryit tool to see a policy's effect. This is a great tool not only for checking whether a policy behaves exactly as we expect, but also for learning XACML as a newcomer. The UI is self-explanatory, and we can learn just by playing with it. This post is just a note for someone who needs to get going with it quickly.

Once we start WSO2 IS, go to the management console at its default URL, https://localhost:9443/carbon, and log in with the default credentials (user name 'admin', password 'admin'), we are ready to go.

In the Main menu, hit circle 1 and we will be on the page shown above. Here we see options to define policies, edit them, select how policies should be combined to give the final decision, and also a list of the available policies and their status in the system. With link 3 we can import XACML policies as XML files, and with link 2 we can define policies via a UI, which is easier. Once we hit it, the following page will be displayed.
With circle 4 we can enable the policy for testing purposes, and with circle 5 the policy will actively participate in the decisions made by the PDP (Policy Decision Point).

Here we have a few more options to use according to the situation. First, the advanced view can be used to define complex rules that have conditions, obligations and so on. The XML view is supplied if we are interested in defining policies by writing the XML directly, and then there is the default simple view for defining a simple policy.
Let's give some inputs for the fields as we wish, enable the policy via circle 4 and have a look at how to try out this policy for its intended purpose. For that, hit the Tryit link in the Main menu, as in the following figure.

This will allow us to create a request to test the enabled XACML policy. Again we can give the inputs here or use the editor to write the request in XML. Once we give the inputs and hit Create Request, it will show us the request as text, as follows.

Now if we hit Test Evaluate, this request will be evaluated against the enabled policies; if instead we evaluate it with the PDP, the active policies in the PDP will decide the response for the request, which will be as follows.
So it has been made easy for us to define XACML policies and to test them for their intended use cases without much trouble. Personally, this is a great learning tool for understanding XACML policy behaviour.
Hope this will be useful to someone learning the same as me.
You can find a series of XACML 2.0 policies at this blog.
I am hoping to add a series of XACML 3.0 policies in my next posts.
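What the Tryit tool does behind the buttons is run the Request XML through a PDP that applies the enabled policies and reports Permit, Deny or NotApplicable. As an added example (Python written for this note, not WSO2's PDP and not one of the blog's policies), here is a minimal XACML 3.0 evaluator that builds a constructed policy and request in the same XML form the console shows and applies first-applicable rule combining with string-equal matching. The XACML namespace, category, attribute and function URIs are the standard ones; the policy id "sample-policy", the resource "/secure" and the user names are assumptions made up for the example.

```python
"""Minimal XACML 3.0 evaluator: an added, self-contained example, not WSO2 code.
Supported subset: string-equal Match functions, Target matching on Policy and
Rule, first-applicable rule combining. Rule Conditions, obligations and
MustBePresent="true" (Indeterminate) are not modelled. The policy and request
below are constructed for this example; the URIs are the standard XACML ones."""
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
STRING = "http://www.w3.org/2001/XMLSchema#string"
STRING_EQUAL = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:first-applicable"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"

def match_xml(category, attribute_id, value):
    """One <Match>: string-equal between a literal and a request attribute."""
    return (f'<Match MatchId="{STRING_EQUAL}">'
            f'<AttributeValue DataType="{STRING}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{category}" AttributeId="{attribute_id}" '
            f'DataType="{STRING}" MustBePresent="false"/></Match>')

# Constructed sample policy (hypothetical resource and user names): it applies only
# to resource "/secure"; there, "admin" may "read" and everyone else is denied.
# Rule order matters because the combining algorithm is first-applicable.
POLICY_XML = f"""<Policy xmlns="{XACML}" PolicyId="sample-policy" Version="1.0"
    RuleCombiningAlgId="{FIRST_APPLICABLE}">
  <Target><AnyOf><AllOf>{match_xml(RESOURCE, RESOURCE_ID, '/secure')}</AllOf></AnyOf></Target>
  <Rule RuleId="permit-admin-read" Effect="Permit">
    <Target><AnyOf><AllOf>{match_xml(SUBJECT, SUBJECT_ID, 'admin')}{match_xml(ACTION, ACTION_ID, 'read')}</AllOf></AnyOf></Target>
  </Rule>
  <Rule RuleId="deny-everyone-else" Effect="Deny"/>
</Policy>"""

def make_request(subject, resource, action):
    """Build the XACML 3.0 Request XML of the kind the Tryit page shows after Create Request."""
    def attributes(category, attribute_id, value):
        return (f'<Attributes Category="{category}">'
                f'<Attribute AttributeId="{attribute_id}" IncludeInResult="false">'
                f'<AttributeValue DataType="{STRING}">{value}</AttributeValue>'
                f'</Attribute></Attributes>')
    return (f'<Request xmlns="{XACML}" CombinedDecision="false" ReturnPolicyIdList="false">'
            + attributes(SUBJECT, SUBJECT_ID, subject)
            + attributes(RESOURCE, RESOURCE_ID, resource)
            + attributes(ACTION, ACTION_ID, action) + "</Request>")

def _tag(name):
    return f"{{{XACML}}}{name}"

def parse_request(request_xml):
    """Collect the bag of values for each (Category, AttributeId) in the Request."""
    bags = {}
    for attrs in ET.fromstring(request_xml).findall(_tag("Attributes")):
        for attr in attrs.findall(_tag("Attribute")):
            key = (attrs.get("Category"), attr.get("AttributeId"))
            for value in attr.findall(_tag("AttributeValue")):
                bags.setdefault(key, []).append(value.text or "")
    return bags

def _match(match, bags):
    """A Match is true if any value in the designated bag equals the literal."""
    if match.get("MatchId") != STRING_EQUAL:
        raise NotImplementedError(f"unsupported MatchId {match.get('MatchId')}")
    literal = match.find(_tag("AttributeValue")).text or ""
    designator = match.find(_tag("AttributeDesignator"))
    bag = bags.get((designator.get("Category"), designator.get("AttributeId")), [])
    return literal in bag  # an empty bag simply does not match (MustBePresent="false")

def _target_matches(element, bags):
    """Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match.
    A missing or empty Target matches every request."""
    target = element.find(_tag("Target"))
    if target is None:
        return True
    return all(
        any(all(_match(m, bags) for m in allof.findall(_tag("Match")))
            for allof in anyof.findall(_tag("AllOf")))
        for anyof in target.findall(_tag("AnyOf")))

def evaluate(policy_xml, request_xml):
    """Return "Permit", "Deny" or "NotApplicable" for the request under the policy."""
    policy = ET.fromstring(policy_xml)
    if policy.get("RuleCombiningAlgId") != FIRST_APPLICABLE:
        raise NotImplementedError("only first-applicable rule combining is implemented")
    bags = parse_request(request_xml)
    if not _target_matches(policy, bags):
        return "NotApplicable"  # the policy does not apply to this request at all
    for rule in policy.findall(_tag("Rule")):  # Rule Conditions are not evaluated here
        if _target_matches(rule, bags):
            return rule.get("Effect")  # first-applicable: the first matching Rule decides
    return "NotApplicable"
```

Calling evaluate(POLICY_XML, make_request("admin", "/secure", "read")) gives Permit, the same request for user "alice" gives Deny from the catch-all rule, and any request for a resource other than "/secure" gives NotApplicable because the Policy's own Target does not match. That third outcome is the one that surprises newcomers in the Tryit tool: a policy that never mentions the resource does not deny access, it abstains, and the final answer then depends on the policy combining algorithm selected on the PDP page.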

