
nicholasjackson/opa-rego-language

Rego is the declarative policy language used by Open Policy Agent (OPA). This tile covers writing and testing Rego policies for Kubernetes admission control, Terraform and infrastructure-as-code plan validation, Docker container authorization, HTTP API authorization, role-based access control (RBAC), data filtering, metadata annotations with opa inspect, and OPA policy testing with opa test.


evals/scenario-4/task.md

Access Control: RBAC Policy

Write a Rego policy for our infrastructure platform. The user's roles come from their JWT claims. Role permissions are loaded into OPA's data document.

Input

{
  "user": "bob",
  "token": {
    "sub": "bob",
    "roles": ["devops", "network_admin"]
  },
  "action": "deploy",
  "resource_type": "application"
}

Data

data.role_grants maps each role to the actions and resource types it permits:

{
  "auditor": [
    {"action": "view", "resource_type": "logs"}
  ],
  "devops": [
    {"action": "view",   "resource_type": "logs"},
    {"action": "deploy", "resource_type": "application"}
  ],
  "network_admin": [
    {"action": "configure", "resource_type": "network"}
  ]
}

Expected behaviour

  • bob (devops + network_admin) can deploy applications and configure network
  • A user with only auditor can view logs but not deploy
  • Nobody can do anything not covered by their role grants
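One way to satisfy the three expectations above, written here as an added example and not the tile's own solution. The package name rbac.authz, the rule names allow and granting_roles, the fixture names role_grants_fixture, bob_token and auditor_token, and the test rule names are all assumptions of this example; the input shape and the data.role_grants layout are taken from the task. The policy reads the roles straight from input.token, so it assumes the JWT was verified (signature, expiry, issuer) before the request reached OPA; the policy itself does not re-check the token. It uses `import rego.v1` and therefore needs OPA 0.59 or later, and the tests at the bottom run with `opa test`.

```rego
package rbac.authz

import rego.v1

# Deny by default: a request that matches no grant is refused.
default allow := false

# Allowed when at least one role carried in the token grants this
# action on this resource type.
allow if {
	count(granting_roles) > 0
}

# The roles that justify the decision (handy to emit into audit logs).
# Roles that do not exist in data.role_grants simply contribute nothing.
granting_roles contains role if {
	some role in input.token.roles
	some grant in data.role_grants[role]
	grant.action == input.action
	grant.resource_type == input.resource_type
}

# ---- Tests: constructed fixtures mirroring the scenario (run: opa test .) ----

# Constructed copy of the role_grants document from the task.
role_grants_fixture := {
	"auditor": [{"action": "view", "resource_type": "logs"}],
	"devops": [
		{"action": "view", "resource_type": "logs"},
		{"action": "deploy", "resource_type": "application"},
	],
	"network_admin": [{"action": "configure", "resource_type": "network"}],
}

# Constructed token claims (assumed to be already verified upstream).
bob_token := {"sub": "bob", "roles": ["devops", "network_admin"]}

auditor_token := {"sub": "alice", "roles": ["auditor"]}

test_bob_can_deploy_application if {
	allow with input as {"user": "bob", "token": bob_token, "action": "deploy", "resource_type": "application"}
		with data.role_grants as role_grants_fixture
}

test_bob_can_configure_network_via_network_admin if {
	granting_roles == {"network_admin"} with input as {"user": "bob", "token": bob_token, "action": "configure", "resource_type": "network"}
		with data.role_grants as role_grants_fixture
}

test_auditor_can_view_logs if {
	allow with input as {"user": "alice", "token": auditor_token, "action": "view", "resource_type": "logs"}
		with data.role_grants as role_grants_fixture
}

test_auditor_cannot_deploy if {
	not allow with input as {"user": "alice", "token": auditor_token, "action": "deploy", "resource_type": "application"}
		with data.role_grants as role_grants_fixture
}

# A role absent from role_grants must grant nothing, even for a "view" action.
test_unknown_role_grants_nothing if {
	not allow with input as {"user": "eve", "token": {"sub": "eve", "roles": ["intern"]}, "action": "view", "resource_type": "logs"}
		with data.role_grants as role_grants_fixture
}
```

Splitting the decision into a set (granting_roles) and a boolean derived from it keeps the matching logic in one place and gives the caller something concrete to log: an "allow" that names the role responsible is far easier to review after the fact than a bare true. The `default allow := false` line is what makes the third expectation hold; without it, a request matching no grant would leave allow undefined rather than false, and a caller testing for `== false` would misread it.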
