1 of 12

Open Policy Agent

2018/11 - 2019/02 Roadmap

2 of 12

Planned Major Features

  • Extend Wasm coverage
  • Improve support for hierarchical permissions
  • Solve variable scoping problem
  • LDAP built-in function(s)
  • Rego playground

openpolicyagent.org

3 of 12

Timeline

November

December

January

February

  • Fuzzing
  • Frontpage refresh
  • Wasm negation
  • Wasm composites
  • Variable scoping
  • LDAP built-in(s)
  • Wasm built-in functions
  • JS SDK
  • Playground
  • Hierarchy
  • Documentation refresh
  • Wasm context
  • Wasm with keyword
  • Wasm rules
  • Wasm comprehensions
  • Wasm non-boolean results

4 of 12

WebAssembly

  • As of #990, OPA policies can be compiled into WebAssembly (Wasm). Wasm provides a safe, efficient, portable runtime for policy enforcement on platforms like CDNs, AWS Lambda, and more.
  • Over the next few months, Wasm support will be extended to cover more of the policy language and enable daemonless OPA integrations in a variety of languages. See #1024 for details.

5 of 12

Hierarchical Permissions

  • Hierarchical permission models are common (e.g., parent node permissions are a superset of child node permissions, recursively). Today, OPA does not permit recursion in policies. This prevents policies from performing the traversal operations needed to check these kinds of permissions. See #947.
  • Plan: evaluate options for supporting hierarchical permission models in OPA and implement solution.

Possible Solutions:

  • Add support for limited forms of recursion.
  • Add support for a keyword/operator like transitive closure.
  • Keep existing constraints but document & optimize the pattern for a fixed-depth solution. E.g., (😱):

    tc(tree, key) = {key} | x1 | x2 | x3 {
        x1 := {x | x := tree[key][_]}
        x2 := {x | x := tree[x1[_]][_]}
        x3 := {x | x := tree[x2[_]][_]}
    }
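The fixed-depth pattern applied to a permission check, as an added example that is not part of the roadmap: the package name, the `tree` and `grants` data and the `input` shape are all constructed for illustration, and the union is built in the rule body so the head stays a plain variable.

```rego
package hierarchy_example

# Constructed sample hierarchy: node -> set of direct children.
# "file-x" sits four levels below "org", one level deeper than tc() reaches.
tree := {
    "org":    {"team-a", "team-b"},
    "team-a": {"proj-1"},
    "team-b": {"proj-2"},
    "proj-1": {"repo-1"},
    "repo-1": {"file-x"},
}

# Constructed grants: user -> set of nodes granted directly.
grants := {
    "alice": {"org"},
    "bob":   {"team-b"},
}

# Fixed-depth transitive closure: key plus everything up to three levels
# below it. Each comprehension is an empty set when a lookup is undefined,
# so leaves and unknown keys do not make the function undefined.
tc(t, key) = result {
    x1 := {x | x := t[key][_]}
    x2 := {x | x := t[x1[_]][_]}
    x3 := {x | x := t[x2[_]][_]}
    result := {key} | x1 | x2 | x3
}

default allow = false

# Allow when input.resource is at, or within three levels below, a node
# granted to input.user. With the data above:
#   alice -> "repo-1"  allowed (depth 3)
#   alice -> "file-x"  denied  (depth 4: the pattern's hard limit)
#   bob   -> "proj-1"  denied  (different subtree)
allow {
    granted := grants[input.user][_]
    reachable := tc(tree, granted)
    reachable[input.resource]
}
```

The denial of `file-x` for `alice` is the cost of the fixed-depth workaround: a hierarchy deeper than the number of hand-written levels silently fails closed, which is the motivation for the recursion and transitive-closure options above.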

6 of 12

Rego Playground

  • Users don't have a good way to easily share snippets of Rego. Mediums like Slack and Gists are fine for trivial examples but are lacking in terms of discoverability, readability, etc.
  • Providing an online playground (similar to play.golang.org) would allow users to easily experiment with and share snippets of Rego.
  • The MVP for the playground will provide users with a way to write, check, evaluate, and publish snippets of policy so that they can be shared with others.

    package foo

    allow {
        ...
    }

    allow {
        ...
    }

    allow {
        ...
    }

Output

    {
        "allow": true
    }

7 of 12

LDAP Built-in Functions

  • LDAP is a common source of context for policy decisions. Today, we recommend that integrations embed that context into a token during authentication. In some cases, this approach does not scale well and/or it may create undesirable coupling between the auth/n server and the policy.
  • Goal: Add built-in functions to Rego that allow policies to execute LDAP queries during evaluation. See #938.

8 of 12

Variable Scoping

  • Earlier this year OPA added dedicated operators for assignment and comparison (:= and ==). While less powerful than the unification operator (=), their scoping rules are more obvious to new users and avoid variable-capture issues in large policy files.
  • OPA does not currently have a similar solution for variables that appear as reference operands.

Goal

Introduce syntax so that authors can make variables in references shadow globals.

Example (current behaviour)

    x = 1

    p {
        q[x]    # refers to global x
    }

9 of 12

Fuzz Testing

  • In #948 we discovered a panic in the error-handling portion of OPA's parser. To uncover similar issues and reduce the likelihood of panics in the future, we are going to apply a fuzzer (go-fuzz) seeded with a corpus of valid Rego extracted from the OPA codebase.

10 of 12

Frontpage Refresh

  • Over the past year, the OPA end-user community has grown substantially. We have also seen OPA integrated with a number of new projects.
  • While the current frontpage describes the goals of the project, it lacks concrete examples of the types of problems OPA is helping solve today.
  • The goal of the frontpage refresh is to give newcomers a clearer idea of how they can leverage OPA.

11 of 12

Documentation Refresh

  • As OPA has matured, we have learned about what works in the documentation (and what doesn't). We plan to rework some of the documentation to help people ramp up on OPA concepts and mechanics more quickly.
  • New Docs:
    • "Examples" section that serves as a policy catalogue for popular projects.
    • "Cheat Sheet" section that captures common policy language idioms. See #268.
    • "Integration" section that explains OPA integration options. See #372.
  • Improved Docs:
    • Refactor docs to prefer := and == over =. See #952.
    • Extend Best Practices & FAQ with more information. See #633.

12 of 12

Help Wanted

  • Add authentication based on mutual TLS (#1040)
  • Add stack trace support to topdown (#555)
  • Integrations:
    • Prometheus integration to monitor for policy violations
      • OPA policies can audit the state of systems (e.g., Kubernetes) to detect problems
      • Query results could be pushed into Prometheus and surfaced with graphs (e.g., number of security context violations over time).
    • Spinnaker integration to enforce invariants

Issues labelled low-hanging-fruit or help-wanted are good candidates for first contribution.