The document discusses using Open Policy Agent (OPA) for microservice application authorization. It describes the new authorization challenges of moving from monoliths to microservices, and how OPA can be used to enforce consistent authorization policies across microservices through a service mesh. It provides examples of how OPA policies can be used for user authorization, service authorization, and context-aware authorization.

1. Copyright ©2021 Styra, Inc. | All Rights Reserved
Creators of Open Policy Agent
Microservice Application Authorization
with Open Policy Agent
Tim Hinrichs
CTO, co-founder Styra
co-creator OPA
@tlhinrichs

2. Copyright ©2021 Styra, Inc. | All Rights Reserved
Monolith to Microservices Present New Challenges
MONOLITH MICROSERVICES
Frontend
Backend
Database
Impact on Security/Compliance/Operations
● 10x APIs Microservices means many internal APIs, which need protection from attack/misuse
● 10x Users Both people and machines are using those APIs and need to be granted access
● 10x Components New services, new teams, and new technology appear routinely
● Few distinct
components,
teams and
technologies
● Infrequent
releases
● Siloed roles
(dev and
ops)
● Many distinct
components,
teams and
technologies
● Automated
build/test/release
● Hybrid roles
(Devops)

3. Copyright ©2021 Styra, Inc. | All Rights Reserved
Authorization Mitigates Security/Compliance/Operational Concerns
Can Alice see the list of
outgoing payments?
Service A
Service B
Service C
Can service A ask for Alice’s
profile on behalf of Alice?
Can service A ask for Hooli’s outgoing
payments on behalf of Alice?
On every API call, every microservice makes an authorization decision
User
authorization
Service
authorization

4. Copyright ©2021 Styra, Inc. | All Rights Reserved
Application Authorization: Responsibilities and Use Cases
Roles
Store roles /
policy for
each tenant
DB
Enforce data authz
queries, rows, cols
Store attributes
needed for
authorization (e.g.
resource
ownership)
Gateway
Frontend
Render GUI based
on the user’s
permissions.
Help admins
configure tenant
policy / roles
Enforce
authorization
● east-west
● egress data
Backend
Enforce API
authorization

5. Copyright ©2021 Styra, Inc. | All Rights Reserved
Architectural Choices (Pick 1 or more)
Benefits
● Availability and Perf
● Control for app dev
Drawbacks
● Repeated work
● Inconsistent policies
● Inconsistent enforcement
● Slow security reviews
● No hot-patching
● Inconsistent logging
MS
Authz
HARDCODED
MS
Authz
MS
Authz
CENTRALIZED SERVICE
MS
Benefits
● No repeated work
● Consistent policies
● Fast security reviews
● Hot-patching
Drawbacks
● Inconsistent enforcement
● Availability and perf
● Modify services
● Dependency on Authz
MS Authz
DISTRIBUTED SERVICE
Benefits
● No repeated work
● Consistent policies
● Fast security reviews
● Hot-patching
● Availability and perf
Drawbacks
● Inconsistent enforcement
● Modify services
● Dependency on
distributed Authz
MS Authz
SERVICE MESH
Benefits
● No repeated work
● Consistent policies
● Fast security reviews
● Hot-patching
● Availability and perf
● Consistent enforcement
● No service modification
Drawbacks
● Deploy mesh
● Dependency on
distributed Authz
MS Authz
MS Authz

6. Copyright ©2021 Styra, Inc. | All Rights Reserved
Service Mesh with OPA for Authorization
Open Policy Agent
Network Proxy
2. Authz
query
3. Authz
decision
4. Request
5. Response
1. Request
6. Response
Microservice

7. Copyright ©2021 Styra, Inc. | All Rights Reserved
OPA Policy Examples
# service attributes in header
allow {
input.method == “GET”
input.path == “/pets”
input.header.source == “A”
input.header.dest == “B”
}
# replicated ldap for employees
allow {
some i
data.ldap[input.user].role[i] == “admin”
}
# app calls OPA directly & overloads input
allow {
some i
input.user.role[i] == “manager”
}
A B
DB
A B
# user attributes in authN token
allow {
input.method == “GET”
input.path == “/pets”
input.token.claim == “customer”
}
App
Note: examples simplified for illustration
Service authorization User authorization Context-aware authorization

8. Copyright ©2021 Styra, Inc. | All Rights Reserved
OPA Applied to Backend Microservices
Can Alice see the list of
outgoing payments?
Service A
Service B
Service C
Can service A ask for Alice’s
profile on behalf of Alice?
Can service A ask for Hooli’s outgoing
payments on behalf of Alice?
On every API call, every microservice makes an authorization decision

9. Copyright ©2021 Styra, Inc. | All Rights Reserved
OPA Applied to Microservice Authorization
Roles
Store roles /
policy for
each tenant
DB
Enforce data authz
queries, rows, cols
Store attributes
needed for
authorization (e.g.
resource
ownership)
Gateway
Frontend
Render GUI based
on the user’s
permissions.
Help admins
configure tenant
policy / roles
Enforce
authorization
● east-west
● egress data
Backend
Enforce API
authorization

10. Copyright ©2021 Styra, Inc. | All Rights Reserved
OPA Applied to Cloud-native Policy
Linux
Tekton
Github Actions
CICD
Container Management
Microservices / Apps
Databases
Public Cloud
Servers
Platform
App
CICD Pipeline
1 2 3 4
Gateway
Frontend
Backend
DB
App

11. Copyright ©2021 Styra, Inc. | All Rights Reserved
Open Policy Agent: General-purpose Policy Engine
Service
OP
A
Policy
(Rego)
Data
(JSON)
Request
Policy
Decision
Policy
Query
Input can be ANY JSON value Output can be ANY JSON value
OPA makes decisions.
Service enforces decisions.
Linux

12. Copyright ©2021 Styra, Inc. | All Rights Reserved
Open Policy Agent Community
Open Policy Agent (OPA)
Cloud-native policy engine
Contributors: 30+
companies, 150+ devs
Founded by Styra (2016) / Sandbox (2018) / Incubating (2019) / Graduated (2021)
GitHub Stars
5000
Downloads
80M
Slack Users
4000
Sessions at KubeCon US 2019
● Yelp - How Yelp moved security from the app to the
mesh
● Google - Enforcing service mesh structure using OPA
● Goldman Sachs - K8s policy enforcement using OPA at
Goldman Sachs
● Snyk - Applying policy throughout the app lifecycle with
OPA
● Reddit - Kubernetes at Reddit: Tales from Production
● Adobe - What Makes A Good Multi Tenant Kubernetes
Solution
● Giant Swarm - Using OPA for complex CRD Validation
and Defaulting
OPA Summit at KubeCon US 2019
● Capital One - Open Policy Agent for Policy-enabled
Kubernetes and CICD
● Chef - Open Policy Agent in Practice: From Angular to
OPA in Chef Automate
● Pinterest - Open Policy Agent at Scale: How Pinterest
Manages Policy Distribution
● Tripadvisor - Building a Testing Framework for
Integrating Open Policy Agent into Kubernetes
● Atlassian - Deploying Open Policy Agent at Atlassian
Sessions at Virtual KubeCon EU 2020
● AquaSecurity: Handling Container Vulnerabilities with
Open Policy Agent
● ABN AMRO: How ABN AMRO Switched Cloud
Providers Without Anyone Noticing
● Medudoc: Securing Your Healthcare Data with OPA
Other events or public confirmation of using OPA: Bank of New
York Mellon, AWS, Synemedia, Pure Storage, VMware, Netflix,
Daimler, T-Mobile, Salesforce
Vendor-neutral open-source Growing Community Active End-users

13. Copyright ©2021 Styra, Inc. | All Rights Reserved
Managing Open Policy Agent
Linux
Tekton
Github Actions
CICD
Container Management
Microservices / Apps
Databases
Public Cloud
Servers
OPA Management
● 10s, 100s, 1000s of OPAs
● Integrations management
● Policy lifecycle management
● Team-based governance
● Single pane of glass

14. Copyright ©2021 Styra, Inc. | All Rights Reserved
Styra DAS: An OPA Management Plane for the Enterprise
Linux
Tekton
Github Actions
CICD
Container Management
Microservices / Apps
Databases
Public Cloud
Servers
Declarative
Authorization
Service
● Curated integrations
● Policy lifecycle management
● Enterprise-grade governance

15. Copyright ©2021 Styra, Inc. | All Rights Reserved
Creators of Open Policy Agent
Open Policy Agent
openpolicyagent.org
@openpolicyagent
Styra
styra.com
@styrainc
Tim Hinrichs
CTO, co-founder Styra
co-creator OPA
@tlhinrichs