应用开放策略代理 (OPA) 策略

    The Open Policy Agent (OPA) HTTP middleware applys to incoming Dapr HTTP requests. 这可以用来将可重用的授权策略应用到应用终结点。

    您可以使用 官方 opa playground对策略进行原型设计和实验。 例如,。

    元数据字段规范

    1. apiVersion: dapr.io/v1alpha1
    2. kind: Configuration
    3. metadata:
    4.   name: appconfig
    5. spec:
    6.   httpPipeline:
    7.     handlers:
    8.     - name: my-policy
    9.       type: middleware.http.opa

    输入

    这个中间件提供了一个 HTTPRequest 作为输入。

    HTTPRequest 输入包含所有关于传入HTTP请求的透彻信息,但它的正文除外。

    1. type Input struct {
    2.   request HTTPRequest
    3. }
    5. type HTTPRequest struct {
    6.   // The request method (e.g. GET,POST,etc...)
    7.   method string
    8.   // The raw request path (e.g. "/v2/my-path/")
    9.   path string
    10.   // The path broken down into parts for easy consumption (e.g. ["v2", "my-path"])
    11.   // The raw query string (e.g. "?a=1&b=2")
    12.   raw_query string
    13.   // The query broken down into keys and their values
    14.   query map[string][]string
    15.   // The request headers
    16.   // NOTE: By default, no headers are included. You must specify what headers
    17.   // you want to receive via `spec.metadata.includedHeaders` (see above)
    19.   // The request scheme (e.g. http, https)
    20.   scheme string
    21. }
    22.   method string
    23.   // The raw request path (e.g. "/v2/my-path/")
    24.   path string
    25.   // The path broken down into parts for easy consumption (e.g. ["v2", "my-path"])
    26.   path_parts string[]
    27.   // The raw query string (e.g. "?a=1&b=2")
    28.   raw_query string
    29.   // The query broken down into keys and their values
    30.   query map[string][]string
    31.   // The request headers
    32.   // NOTE: By default, no headers are included. You must specify what headers
    33.   // you want to receive via `spec.metadata.includedHeaders` (see above)
    34.   headers map[string]string
    35.   // The request scheme (e.g. http, https)
    36.   scheme string
    37. }

    等价于:

    1. package http
    4. }

    拒绝请求时,您可以覆盖返回的状态代码。 例如,如果您想退回 401 而不是 403,你可以这样做:

    1. package http
    3. default allow = {
    4.   "allow": false,
    5.   "status_code": 401
    6. }

    你也可以在允许的请求上设置额外的头信息:

    1. package http
    3. default allow = false
    5. allow = { "allow": true, "additional_headers": { "X-JWT-Payload": payload } } {
    6.   not input.path[0] == "forbidden"
    7.   // Where `jwt` is the result of another rule
    8.   payload := base64.encode(json.marshal(jwt.payload))
    9. }
    1. type Result bool
    2. // or
    3. type Result struct {
    4.   // Whether to allow or deny the incoming request
    5.   allow bool
    6.   // Overrides denied response status code; Optional
    7.   status_code int
    8.   // Sets headers on allowed request or denied response; Optional
    9.   additional_headers map[string]string
    10. }

    相关链接