open-policy-agent / contrib

Integrations, examples, and proof-of-concepts that are not part of OPA proper.

Home Page: http://www.openpolicyagent.org/

pam_authz -> opa security

kfox1111 opened this issue · comments

There needs to be an example or documentation on securing opa while still allowing pam_authz to function properly.

Yeah. I implemented something like that for the helm chart. What I'm not sure about is on the pam side. How does one securely configure the pam module to talk securely to opa?

Looks like opa supports unix sockets: open-policy-agent/opa#752

That could be part of the solution if the pam side supports it.

Can you configure the authz module in opa to base auth on unix socket user?

Just glancing at the code, it does not look like it supports unix sockets, but it would be pretty easy to tweak the curl config in http.c to support it:
https://curl.haxx.se/libcurl/c/CURLOPT_UNIX_SOCKET_PATH.html

PR for implementing unix socket support here: #89

Between that PR, and controlling the permissions on the parent directory the socket is in, access to OPA can be restricted to root on the same host.

It works for ssh for sure. For other pam contexts it's not clear if the pam module works as the user instead of root, which would fail. It would be good if opa in socket mode could read the remote user of the socket (unix sockets support this) and allow authz based on it.

It's also unclear how prometheus metrics can be made to work in this configuration.

open-policy-agent/opa#1975 filed for unix socket peercred support.

Closing for now. Let's create a new issue if there's anything unresolved left here 🧹