Open policy agent built for 3scale.

Not much to see here yet. Just getting started.

• Compile:

go build

• Start the OPA server with the rules in example.rego:

./kiper opa run --server --set=plugins.envoy_ext_authz_grpc.addr=:9191 --set=plugins.envoy_ext_authz_grpc.query=data.envoy.authz.allow --set=decision_logs.console=true --ignore=.* example.rego

• Start Envoy with the given config file that authorizes using the server above:

envoy -c envoy_config.yaml

• The example.rego policy defines a limit of 5 requests per second for the "/abc" path, but each user identified by the "user_id" header can only make 3 requests per second. To test this, you'll need to start a server in 8080 or choose another one, but remember to change it in envoy_config.yaml as well. For testing purposes you can use: python -m http.server 8080. Now make requests to Envoy:
  • curl -v http://localhost:8000/abc -H "user_id:a". Authorized: total (1/5), user_a (1/3), user_b (0/3).
  • curl -v http://localhost:8000/abc -H "user_id:a". Authorized: total (2/5), user_a (2/3), user_b (0/3).
  • curl -v http://localhost:8000/abc -H "user_id:a". Authorized: total (3/5), user_a (3/3), user_b (0/3).
  • curl -v http://localhost:8000/abc -H "user_id:a". Limited: total (3/5), user_a (4/3), user_b (0/3).
  • curl -v http://localhost:8000/abc -H "user_id:b". Authorized: total (4/5), user_a (3/3), user_b (1/3).
  • curl -v http://localhost:8000/abc -H "user_id:b". Authorized: total (5/5), user_a (3/3), user_b (2/3).
  • curl -v http://localhost:8000/abc -H "user_id:b": Limited: total (6/5), user_a (3/3), user_b (3/3).

By default, the limits are stored in memory. You can use Redis if you need to share the limits between several instances or need to persist them. Simply set the REDIS_URL env. It accepts a URL with this format: redis://host:port/db (db is optional).