
opa-embed

Run Tests Open Policy Agent Testing

How to use Role-based access control (RBAC) with the Open Policy Agent. See the reference guide.

Integrating with the Go API

Create RBAC policy

package rbac.authz

# group-role assignments.
# Keys are the group names that arrive in input.user (see `allow` below);
# each maps to the list of roles that group holds. Every role named here
# must also have an entry in role_permissions, otherwise the lookup in
# `allow` is undefined for that role and contributes no grant.
group_roles := {
	"design_group_kpi_editor": ["kpi_editor_design", "viewer_limit_ds"],
	"system_group_kpi_editor": ["kpi_editor_system", "viewer_limit_ds"],
	"manufacture_group_kpi_editor": ["kpi_editor_manufacture", "viewer"],
	"project_leader": ["viewer_limit_ds", "viewer_limit_m"],
}

# role-permissions assignments.
# Each role maps to the list of {"action", "object"} pairs it grants; `allow`
# succeeds only when the request matches one of these pairs exactly.
# NOTE(review): "admin" and the three "quality_head_*" roles are not assigned
# to any group in group_roles, so they are currently unreachable through
# `allow` — confirm this is intended before extending group_roles.
role_permissions := {
	"admin": [
		{"action": "view_all", "object": "design"},
		{"action": "edit", "object": "design"},
		{"action": "view_all", "object": "system"},
		{"action": "edit", "object": "system"},
		{"action": "view_all", "object": "manufacture"},
		{"action": "edit", "object": "manufacture"},
	],
	"quality_head_design": [
		{"action": "view_all", "object": "design"},
		{"action": "edit", "object": "design"},
		{"action": "view_all", "object": "system"},
		{"action": "view_all", "object": "manufacture"},
	],
	"quality_head_system": [
		{"action": "view_all", "object": "design"},
		{"action": "view_all", "object": "system"},
		{"action": "edit", "object": "system"},
		{"action": "view_all", "object": "manufacture"},
	],
	"quality_head_manufacture": [
		{"action": "view_all", "object": "design"},
		{"action": "view_all", "object": "system"},
		{"action": "view_all", "object": "manufacture"},
		{"action": "edit", "object": "manufacture"},
	],
	"kpi_editor_design": [
		{"action": "view_all", "object": "design"},
		{"action": "edit", "object": "design"},
	],
	"kpi_editor_system": [
		{"action": "view_all", "object": "system"},
		{"action": "edit", "object": "system"},
	],
	"kpi_editor_manufacture": [
		{"action": "view_all", "object": "manufacture"},
		{"action": "edit", "object": "manufacture"},
	],
	# read-only across all three objects
	"viewer": [
		{"action": "view_all", "object": "design"},
		{"action": "view_all", "object": "system"},
		{"action": "view_all", "object": "manufacture"},
	],
	# read-only on design and system only
	"viewer_limit_ds": [
		{"action": "view_all", "object": "design"},
		{"action": "view_all", "object": "system"},
	],
	# the only role granting view_l3_project
	"viewer_limit_m": [{"action": "view_l3_project", "object": "manufacture"}],
}

# logic that implements RBAC.
# A request is granted when at least one group in input.user holds a role
# whose permission list contains exactly {input.action, input.object};
# anything else (unknown group, unknown role, no matching pair, missing
# input fields) falls through to the default deny.
# NOTE(review): nothing here authenticates input.user — the policy trusts
# the group list as supplied by the calling integration.
default allow = false

allow {
	some i, j, k

	# every entry of input.user is a group name; pick one role that group holds
	role := group_roles[input.user[i]][j]

	# and one of the permissions carried by that role
	permission := role_permissions[role][k]

	# grant only on an exact match of the requested action/object pair
	permission == {"action": input.action, "object": input.object}
}

Write tests

Please download the OPA binary first.

package rbac.authz

# design_group_kpi_editor holds kpi_editor_design and viewer_limit_ds:
# full access to design, read-only on system, nothing on manufacture.
test_design_group_kpi_editor {
	groups := ["design_group_kpi_editor"]

	# design: view and edit
	allow with input as {"user": groups, "action": "view_all", "object": "design"}
	allow with input as {"user": groups, "action": "edit", "object": "design"}

	# system: view only
	allow with input as {"user": groups, "action": "view_all", "object": "system"}
	not allow with input as {"user": groups, "action": "edit", "object": "system"}

	# manufacture: no access
	not allow with input as {"user": groups, "action": "view_all", "object": "manufacture"}
	not allow with input as {"user": groups, "action": "edit", "object": "manufacture"}
}

# system_group_kpi_editor holds kpi_editor_system and viewer_limit_ds:
# read-only on design, full access to system, nothing on manufacture.
test_system_group_kpi_editor {
	groups := ["system_group_kpi_editor"]

	# design: view only
	allow with input as {"user": groups, "action": "view_all", "object": "design"}
	not allow with input as {"user": groups, "action": "edit", "object": "design"}

	# system: view and edit
	allow with input as {"user": groups, "action": "view_all", "object": "system"}
	allow with input as {"user": groups, "action": "edit", "object": "system"}

	# manufacture: no access
	not allow with input as {"user": groups, "action": "view_all", "object": "manufacture"}
	not allow with input as {"user": groups, "action": "edit", "object": "manufacture"}
}

# manufacture_group_kpi_editor holds kpi_editor_manufacture and viewer:
# read-only on design and system, full access to manufacture.
test_manufacture_group_kpi_editor {
	groups := ["manufacture_group_kpi_editor"]

	# design: view only
	allow with input as {"user": groups, "action": "view_all", "object": "design"}
	not allow with input as {"user": groups, "action": "edit", "object": "design"}

	# system: view only
	allow with input as {"user": groups, "action": "view_all", "object": "system"}
	not allow with input as {"user": groups, "action": "edit", "object": "system"}

	# manufacture: view and edit
	allow with input as {"user": groups, "action": "view_all", "object": "manufacture"}
	allow with input as {"user": groups, "action": "edit", "object": "manufacture"}
}

# project_leader holds viewer_limit_ds and viewer_limit_m: read-only on
# design and system; on manufacture only view_l3_project, never view_all or edit.
test_project_leader {
	groups := ["project_leader"]

	# design: view only
	allow with input as {"user": groups, "action": "view_all", "object": "design"}
	not allow with input as {"user": groups, "action": "edit", "object": "design"}

	# system: view only
	allow with input as {"user": groups, "action": "view_all", "object": "system"}
	not allow with input as {"user": groups, "action": "edit", "object": "system"}

	# manufacture: the restricted view action only
	allow with input as {"user": groups, "action": "view_l3_project", "object": "manufacture"}
	not allow with input as {"user": groups, "action": "view_all", "object": "manufacture"}
	not allow with input as {"user": groups, "action": "edit", "object": "manufacture"}
}

# A user in both editor groups gets the union of their grants: edit on
# design (from the design group) and edit on system (from the system group).
test_design_group_kpi_editor_and_system_group_kpi_editor {
	groups := ["design_group_kpi_editor", "system_group_kpi_editor"]

	allow with input as {"user": groups, "action": "edit", "object": "design"}
	allow with input as {"user": groups, "action": "edit", "object": "system"}
}

Run the test command:

$ opa test -v *.rego
data.rbac.authz.test_design_group_kpi_editor: PASS (8.604833ms)
data.rbac.authz.test_system_group_kpi_editor: PASS (7.260166ms)
data.rbac.authz.test_manufacture_group_kpi_editor: PASS (2.217125ms)
data.rbac.authz.test_project_leader: PASS (1.823833ms)
data.rbac.authz.test_design_group_kpi_editor_and_system_group_kpi_editor: PASS (1.150791ms)
--------------------------------------------------------------------------------
PASS: 5/5