.. This work is licensed under a Creative Commons Attribution 4.0 International License.

Introduction to OPA
***************************

.. contents::
    :depth: 3

1. Introduction to OPA
^^^^^^^^^^^^^^^^^^^^^^

      .. container:: sectionbody

         .. container:: paragraph

            `Open Policy Agent (OPA) <https://www.openpolicyagent.org/docs/latest/>`__ is an open-source, general-purpose policy engine that unifies policy enforcement across the stack.
            It allows you to decouple policy decisions from your service's code, making it easier to manage and maintain policies.
            The integration of Open Policy Agent (OPA) as a Policy Decision Point (PDP) within the Open Network Automation Platform (ONAP) enhances the platform's policy management capabilities.
            OPA provides a flexible and scalable solution for enforcing policies across various components of ONAP.

         .. container:: imageblock

            .. container:: content

               |OPA Overview|

            .. container:: title

               Figure 1. OPA Overview

2. Key Benefits
^^^^^^^^^^^^^^^

      .. container:: sectionbody

         .. container:: paragraph

            - **Unified Policy Enforcement**: OPA allows for consistent policy enforcement across different ONAP modules, ensuring that policies are applied uniformly.
            - **Declarative Policy Language**: Policies are written in Rego, a high-level declarative language, making them easy to understand and maintain.
            - **Scalability**: OPA's architecture supports horizontal scaling, allowing it to handle large volumes of policy decisions efficiently.

3. Use Cases
^^^^^^^^^^^^

      .. container:: sectionbody

         .. container:: paragraph

            - **Access Control**: Enforcing fine-grained access control policies for ONAP services.
            - **Resource Management**: Applying policies to manage and allocate network resources efficiently.
            - **Compliance**: Ensuring that ONAP operations comply with regulatory and organizational policies.

4. Rego Language
^^^^^^^^^^^^^^^^

      .. container:: sectionbody

         .. container:: paragraph

            `Rego <https://www.openpolicyagent.org/docs/latest/>`__ is a declarative query language used by the Open Policy Agent (OPA) to write policy as code. It is designed to be easy to read and write, focusing on providing powerful support for referencing nested documents and ensuring that queries are correct and unambiguous. Rego is a powerful and flexible language for defining policies in a declarative manner. It is an essential tool for anyone looking to implement policy as code in their applications.

4.1 Rego Key Features
######################

      .. container:: sectionbody

         .. container:: paragraph

            - **Declarative**: Rego allows you to specify what you want to achieve rather than how to achieve it.
            - **JSON Support**: Rego works seamlessly with JSON data, making it ideal for modern applications.
            - **Policy as Code**: Rego enables you to define policies that can be version-controlled and integrated into your CI/CD pipelines.

4.2 Basic Syntax
######################

      .. container:: sectionbody

         .. container:: paragraph

            Rego rules are defined using a simple and intuitive syntax. Here is an example of a basic rule:

         .. container:: codeblock

            .. container:: content

               .. code-block::

                  package example
                  import rego.v1

                  default allow = false

                  allow if {
                      input.user == "alice"
                  }

         .. container:: paragraph

            In this example, the ``allow`` rule is defined to be true if ``input.user`` is ``"alice"``. For any other input, the ``default`` declaration applies and ``allow`` is ``false``.

4.3 Advanced Features
###########################

      .. container:: sectionbody

         .. container:: paragraph

            Rego supports a variety of advanced features, including:

            - **Composite Values**: You can define rules using composite values such as objects and arrays.
            - **Built-in Functions**: Rego provides a rich set of built-in functions for manipulating data.
            - **Modules**: You can organize your policies into reusable modules.

4.4 Example
############

      .. container:: sectionbody

         .. container:: paragraph

            Here is a more complex example that demonstrates some of Rego's capabilities:

         .. container:: codeblock

            .. container:: content

               .. code-block::

                  package example
                  import rego.v1

                  import data.servers

                  default allow = false

                  allow if {
                      input.user == "admin"
                      servers[input.server].owner == input.user
                  }

         .. container:: paragraph

            In this example, the ``allow`` rule checks if ``input.user`` is ``"admin"`` and if they own the specified server. The owner is looked up in ``data.servers`` using ``input.server`` as the key.
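
The following unit tests are an added example, not part of the ONAP policy code. They exercise the rule from section 4.4 with ``opa test``, including the deny-by-default cases where the server or the input fields are missing. The test package name, the ``mock_servers`` data and the server names are constructed for illustration, and the tests assume only the 4.4 policy is loaded into ``package example``.

```rego
package example_test

import rego.v1

import data.example

# Constructed stand-in for data.servers (not real ONAP data).
mock_servers := {
    "web-1": {"owner": "admin"},
    "db-1": {"owner": "bob"},
}

# Both conditions hold: user is "admin" and owns the server.
test_admin_owner_allowed if {
    example.allow with input as {"user": "admin", "server": "web-1"}
        with data.servers as mock_servers
}

# User is "admin" but the server belongs to someone else.
test_admin_not_owner_denied if {
    not example.allow with input as {"user": "admin", "server": "db-1"}
        with data.servers as mock_servers
}

# User owns the server but is not "admin".
test_owner_not_admin_denied if {
    not example.allow with input as {"user": "bob", "server": "db-1"}
        with data.servers as mock_servers
}

# Unknown server: the lookup is undefined, so the rule body fails
# and the default value (false) is returned.
test_unknown_server_denied if {
    not example.allow with input as {"user": "admin", "server": "missing"}
        with data.servers as mock_servers
}

# Empty input: input.user is undefined, so the default applies.
test_empty_input_denied if {
    not example.allow with input as {}
        with data.servers as mock_servers
}
```

Save the tests next to the policy file and run ``opa test .`` in that directory; each ``test_`` rule is reported as a pass or a failure.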

.. container::
   :name: footer

   .. container::
      :name: footer-text

      1.0.0-SNAPSHOT
      Last updated 2025-03-27 16:04:24 IST

.. |OPA Overview| image:: images/opa-service.svg
   :width: 300px
   :height: 200px