我的书签
添加书签
移除书签opa
The JSON below shows the data sent to the OPA service by APISIX:
Each of these keys are explained below:
typeindicates the request type (httporstream).requestis used when thetypeishttpand contains the basic request information (URL, headers etc).varcontains the basic information about the requested connection (IP, port, request timestamp etc).route,serviceandconsumercontains the same data as stored in APISIX and are only sent if theopaPlugin is configured on these objects.
The JSON below shows the response from the OPA service to APISIX:
{"result": {"allow": true,"reason": "test","headers": {"an": "header"},"status_code": 401}}
The keys in the response are explained below:
allowis indispensable and indicates whether the request is allowed to be forwarded through APISIX.reason,headers, andstatus_codeare optional and are only returned when you configure a custom response. See the next section use cases for this.
First, you need to launch the Open Policy Agent environment:
docker run -d --name opa -p 8181:8181 openpolicyagent/opa:0.35.0 run -s
curl -X PUT '127.0.0.1:8181/v1/policies/example1' \-H 'Content-Type: text/plain' \-d 'package example1import input.requestdefault allow = falseallow {# HTTP method must GETrequest.method == "GET"}'
Then, you can configure the opa Plugin on a specific Route:
curl -X PUT 'http://127.0.0.1:9080/apisix/admin/routes/r1' \-H 'X-API-KEY: <api-key>' \-H 'Content-Type: application/json' \-d '{"uri": "/*","plugins": {"host": "http://127.0.0.1:8181",}},"upstream": {"nodes": {"httpbin.org:80": 1},"type": "roundrobin"}}'
Now, to test it out:
curl -i -X GET 127.0.0.1:9080/get
Now if we try to make a request to a different endpoint the request will fail:
curl -i -X POST 127.0.0.1:9080/post
HTTP/1.1 403 FORBIDDEN
You can also configure custom responses for more complex scenarios:
curl -X PUT '127.0.0.1:8181/v1/policies/example2' \-H 'Content-Type: text/plain' \-d 'package example2import input.requestdefault allow = falseallow {request.method == "GET"}# custom response body (Accepts a string or an object, the object will respond as JSON format)reason = "test" {not allow}# custom response header (The data of the object can be written in this way)headers = {"Location": "http://example.com/auth"} {not allow}# custom response status codestatus_code = 302 {not allow}'
Now you can test it out by changing the opa Plugin’s policy parameter to example2 and then making a request:
curl -i -X GET 127.0.0.1:9080/get
HTTP/1.1 200 OK
HTTP/1.1 302 FOUNDLocation: http://example.com/authtest
Let’s think about another scenario, when your decision needs to use some APISIX data, such as route, , etc., how should we do it?
If your OPA service needs to make decisions based on APISIX data like Route and Consumer details, you can configure the Plugin to do so.
The example below shows a simple echo policy which will return the data sent by APISIX as it is:
curl -X PUT '127.0.0.1:8181/v1/policies/echo' \-d 'package echoallow = falsereason = input'
Now we can configure the Plugin on the Route to send APISIX data:
curl -X PUT 'http://127.0.0.1:9080/apisix/admin/routes/r1' \-H 'X-API-KEY: <api-key>' \-H 'Content-Type: application/json' \-d '{"uri": "/*","plugins": {"opa": {"host": "http://127.0.0.1:8181","policy": "echo","with_route": true}},"upstream": {"nodes": {"httpbin.org:80": 1},"type": "roundrobin"}}'
Now if you make a request, you can see the data from the Route through the custom response:
curl -X GET 127.0.0.1:9080/get{"type": "http","request": {xxx},"var": {xxx},"route": {xxx}}
curl http://127.0.0.1:2379/apisix/admin/routes/1 -X PUT -d value='{"methods": ["GET"],"uri": "/hello","plugins": {},"upstream": {"type": "roundrobin","nodes": {"127.0.0.1:1980": 1}}
