OPA for HTTP Authorization

Open Policy Agent[1] is a promising, light weight and very generic policy engine to govern authorization is any type of domain. I found this comparion[2] very attractive in evaluating OPA for a project I am currently working on, where they demonstrate how OPA can cater same functionality defined in RBAC, RBAC with Seperation of Duty, ABAC and XACML.  
Here are the steps to a brief demonstration of OPA used for HTTP API authorization based on the sample [3], taking it another level up.
Running OPA Server First we need to download OPA from [4], based on the operating system we are running on.  For linux, curl -L -o opa https://github.com/open-policy-agent/opa/releases/download/v0.10.3/opa_linux_amd64 Make it executable, chmod 755 ./opa Once done, we can start OPA policy engine as a server.
./opa run --server Define Data and Rules Next we need to load data and authorization rules to the server, so it can make decisions. OPA defines these in files in the format of .rego. Below is a sample …

Why Identity Mediation? And a Language ?

As identified and predicted by several prominent analyst firms(Forrester, Gartner) , acquiring and merging has been the frequent mechanism for enterprises to expand in the recent past and the years to come. With this expansion there is a rising need for enterprises to handle the enterprise across identity and access management procedures in a secured way that is fast enough to have the competitive advantage of the merged or acquired assets. With different enterprises having variety of standards and protocols in use for identity and access management, catering for this requirement is absolutely challenging given the time factor. A similar situation has been addressed by Enterprise Service Bus(ESB) concept few years back, when the requirements raised to mediate between different transport protocols and data formats when communication is required between disparate enterprise systems that are legacy and modern.

We are trying to apply the same concepts around ESB in the arena of identity and access management to provide the basement for an Enterprise Identity Bus(EIB). While the idea of EIB has been discussed frequently in panels with the participation of industry giants and the concept has existed a while, there are limited implementations and research done around the subject. Hence in order to design an elegant solution, we have to go deep down to root levels of mediation language implementations and possible approaches for the mediation engine implementation.

Observing how the identity protocols have been evolving, reaching the glory stages and then getting dead in few years time, the mediation engine needs to be very flexible in its configuration and extensibility where a Domain Specific Language(DSL) is to be defined to cater for. This decision is considered looking at the pros and cons of it and usage of mediation languages in ESBs.

This blog is to provide a platform to discuss and share important findings, thoughts towards the implementation of IML(Identity Mediation Language) and IME(Identity Mediation Engine) together with an approach towards providing a robust solution for the requirement under consideration.


Post a Comment

Popular posts from this blog

Signing SOAP Messages - Generation of Enveloped XML Signatures

How to send an HTML email in Java (Using Google SMTP Server)

How to convert WSDL to Java