OPA policies are expressed in a high-level declarative language called Rego. Rego (pronounced “ray-go”) is purpose-built for expressing policies over complex hierarchical data structures.
We process an input JSON document using Rego. This is arbitrary JSON.
{ "name": "Curtis", "role": "admin" }OPA generates policy decisions by evaluating the query input and against policies and data.
package example
allow = true { # allow is true if...
input.role == "admin" # the user is an admin
}A simple "allow" policy for users in Rego.
package example
default allow = false # by default, don't allow anyone
allow = true { # allow is true if...
input.role == "admin" # the user is an admin
}
curtis = { "name": "Curtis", "role": "admin" }
josh = { "name": "Josh", "role": "foo" }Try it out using the OPA REPL:
opa run example.rego> import data.example
> example.allow with input as example.curtis
true
> example.allow with input as example.josh
false
>