how to preload policy data from an external endpoint during OPA initialization

[be-a-bee]

Hi,

We are trying to preload policy data from an external endpoint during OPA initialization so that it can be used during the evaluation of policies. How can we do this?

Details:

We want to use OPA Envoy as a sidecar to enforce authorization of incoming requests to microservices in our cluster. Every microservice would expose a swagger endpoint which would provide the endpoint-privilege needed mapping.

Using this endpoint-privilege mapping, OPA would evaluate whether an incoming request can be allowed access or not. The incoming request would be matched with one of the entries in path-privilege map, and thus OPA would know which privilege needs to be checked in the user's token.

Now, I see that writing an OPA plugin could help us invoke the localhost/service/swagger.yaml file and parse it to derive the endpoint-privilege mapping.

Are there any other alternatives to ensure that this swagger data is preloaded by the time OPA receives any requests for policy evaluation?

I can think of using another sidecar which hits the swagger, parses it and pushes the endpoint-privilege mapping to OPA . This we could do in a java application.

Are there any simpler alternatives - can we do this stuff in OPA policy itself without compromising performance ?

[srenatus]

can we do this stuff in OPA policy itself without compromising performance ?

You could query the data at policy evaluation time using http.send. With proper caching in place, subsequent requests would use the cached swagger response instead of doing another call, for as long as the cached data is valid. See the docs for details.