Using OPA for Data Governance
Open Policy Agent may be used as a data governance policy engine with Fybrik via the connector mechanism.
When OPA is used for data governance, it is deployed as a stand-alone service. Policies are defined in rego and uploaded to OPA.
For more details on OPA policies, please refer to the OPA documentation, in particular the basics section, which explains how a policy is evaluated.
Fybrik Default Policies
Fybrik denies by default any request for which no rule is triggered. This behavior can be changed to allow by default by creating the following rule and uploading it to OPA using the methods described on this page:

```rego
package dataapi.authz
rule [{}] { true }
```
You can also add conditions, for example:

```rego
rule[{}] {
  # conditions here (Rego comments start with '#')
}
```

The verdict allow will be reached only if the conditions hold and no other rule has been triggered, e.g. a rule requiring column redaction.
Managing OPA policies
There are several ways to manage policies and data of the OPA service.
One simple approach is to use OPA kube-mgmt and manage Rego policies in Kubernetes ConfigMap resources. By default, Fybrik installs OPA with kube-mgmt enabled.
The following two sections show how to use OPA with kube-mgmt.
Warning
Due to size limits you must ensure that each configmap is smaller than 1MB when base64 encoded.
Using a configmap YAML
- Create a configmap with a Rego policy and an openpolicyagent.org/policy=rego label in the fybrik-system namespace:

```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: <policy-name>
  namespace: fybrik-system
  labels:
    openpolicyagent.org/policy: rego
data:
  main: |
    <your rego policy here>
```

- Apply the configmap:

```shell
kubectl apply -f <policy-name>.yaml
```

- To remove the policy, just remove the configmap:

```shell
kubectl delete -f <policy-name>.yaml
```
Using a Rego file
You can use kubectl to create a configmap from a Rego file. To create a configmap named <policy-name> from a Rego file in path <policy-name.rego>:

```shell
kubectl create configmap <policy-name> --from-file=main=<policy-name.rego> -n fybrik-system
kubectl label configmap <policy-name> openpolicyagent.org/policy=rego -n fybrik-system
```

Delete the policy with:

```shell
kubectl delete configmap <policy-name> -n fybrik-system
```
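The following script ties together the conditional rule described above and the Rego-file procedure just shown, including the configmap size limit from the warning. It is an added example, not a script from the Fybrik project: it writes a policy whose rule only fires for read requests on datasets not tagged as PII (the input field names input.action.actionType and input.resource.metadata.tags.PII are assumptions about Fybrik's policy input, as are the file name conditional-allow.rego and the configmap name conditional-allow), checks that the base64-encoded policy stays under 1MB, and only then runs the same kubectl create/label commands.

```shell
#!/bin/sh
# Added example (not Fybrik project code): write a conditional Rego policy,
# verify it fits kube-mgmt's 1MB base64-encoded configmap limit, then load it
# with the kubectl commands from the section above. Field names under `input`
# are assumptions about Fybrik's policy input, not taken from this page.
set -eu

POLICY_FILE="${POLICY_FILE:-./conditional-allow.rego}"   # assumed file name
POLICY_NAME="${POLICY_NAME:-conditional-allow}"          # assumed configmap name
MAX_ENCODED_BYTES=1048576                                # 1MB configmap limit

# Write a policy with conditions. With Fybrik's deny-by-default behavior, a
# request is allowed only when this rule fires and no other rule is triggered.
write_policy() {
  cat > "$1" <<'EOF'
package dataapi.authz

# Allow reads, but only of datasets that are not tagged as PII (assumed tag name).
rule[{}] {
  input.action.actionType == "read"
  not input.resource.metadata.tags.PII
}
EOF
}

# Size of a file after base64 encoding, with line wrapping removed so the
# result is the same for GNU and BSD base64.
encoded_size_bytes() {
  base64 < "$1" | tr -d '\n' | wc -c | tr -d ' '
}

# Return 0 if the encoded policy fits kube-mgmt's configmap limit, 1 otherwise.
check_policy_size() {
  size=$(encoded_size_bytes "$1")
  [ "$size" -le "$MAX_ENCODED_BYTES" ]
}

# Load the policy as a labelled configmap in fybrik-system (same commands as above).
load_policy() {
  kubectl create configmap "$2" --from-file=main="$1" -n fybrik-system
  kubectl label configmap "$2" openpolicyagent.org/policy=rego -n fybrik-system
}

# Only touch the cluster when explicitly asked: `sh install-policy.sh apply`.
if [ "${1:-}" = "apply" ]; then
  write_policy "$POLICY_FILE"
  check_policy_size "$POLICY_FILE" || { echo "policy exceeds the 1MB configmap limit" >&2; exit 1; }
  load_policy "$POLICY_FILE" "$POLICY_NAME"
fi
```

Running the script without arguments only defines the functions, so the size check can be exercised offline; the cluster is touched only with the `apply` argument, after the size check has passed.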
Using the opaServer.bootstrapPolicies field
Another method to upload policies to OPA is to write them in the opaServer.bootstrapPolicies field of the values.yaml file used for the Fybrik deployment. In this approach the policies are uploaded upon OPA startup.
```yaml
opaServer:
  # Bootstrap policies to load upon startup
  bootstrapPolicies:
    allowSamplePolicy: |-
      package dataapi.authz
      rule [{}] { true }
```