Introduction

The Open Policy Agent (OPA, pronounced “oh-pa”) is an open source, general-purpose policy engine that unifies policy enforcement across the stack. OPA provides a high-level declarative language that lets you specify policy as code, and simple APIs to offload policy decision-making from your software. You can use OPA to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more.

You can find more information on the official website.

Download & Run

On macOS (64-bit):

-L -o opalink


On Linux (64-bit):

```
curl -L -o opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64
```

On Windows:

Windows users can obtain the OPA executable from [GitHub Releases](https://github.com/open-policy-agent/opa/releases). The steps below are the same for Windows users except the executable name will be different.

On Docker:

The most convenient way to run OPA is with Docker.

```
docker run -p 8181:8181 openpolicyagent/opa run --server --log-level debug
```


more information


Rego

Basic Type

Integers, floating-point numbers, and booleans are collectively called scalar values.

Composite Type

array
object
set

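A set is an unordered collection of unique values.
Unlike an array or object, a set cannot be indexed.
The order of its elements does not affect equality either, i.e.
{1,2,3} == {3,1,2} evaluates to true.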

Rego’s Modules: Package,Import,Rule

In Rego, policies are defined inside modules. Modules consist of:

  • Exactly one Package declaration.
  • Zero or more Import statements.
  • Zero or more Rule definitions.

Some tips and syntax sugar

[_]
Package

For example, if the package name is xxx.yyy.zzz,

the result can be obtained by requesting localhost:8181/v1/data/xxx/yyy/zzz

Import

An import path must start with data or input; you can give it a custom name with as.
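The module structure described above (one package, imports, rules), together with a set and the `some` and `default` keywords, as an added example that is not from the original page. The package name `httpapi.authz`, the rule names, the input field `user.name`, and the sample bindings are all hypothetical.

```rego
# Added example; package, rule, and field names are hypothetical.
package httpapi.authz

import rego.v1

# Imports must start with data or input; "as" sets a local alias.
import input.user as user

# Deny unless a rule body below succeeds.
default allow := false

# Set literal: unordered, unique values, not indexable.
admin_roles := {"admin", "security"}

# Constructed sample bindings (would normally live under data).
bindings := [
    {"user": "alice", "roles": ["dev", "admin"]},
    {"user": "bob", "roles": ["dev"]},
]

# Partial set rule; "some" declares the iteration variables.
user_roles contains role if {
    some binding in bindings
    binding.user == user.name
    some role in binding.roles
}

# := assigns, == compares; & is set intersection.
allow if {
    matched := user_roles & admin_roles
    count(matched) > 0
}
```

Once this module is loaded into an OPA server listening on port 8181, the decision is available at localhost:8181/v1/data/httpapi/authz/allow; an input of {"user": {"name": "alice"}} yields true, while "bob" falls back to the default false.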

Keyword

Some
With
Default
Else

Operators

Assignment :=
Comparison ==
Unification =
Best Practices for the three operators above
Comparison Operators