This showcase demonstrates policy enforcement with OPA (Open Policy Agent) in Java.
- Application Runtime: OpenJDK 11
- Application Framework: Micronaut
- Containerization: JIB
- Orchestration: Kubernetes
- Policy Enforcement: OPA
```sh
./gradlew build
./gradlew run
```

This will start the application locally, listening on port 8080. Without further configuration, the application expects an OPA instance at `localhost:8181`. You can access the application using curl:

```sh
curl http://localhost:8080/free
```
Preconditions:
- Local Docker environment is set up.
```sh
./gradlew jibDockerBuild
```
Preconditions:
- Kubernetes CLI is installed
- Image is available in the Kubernetes cluster's Docker registry, either by directly installing it or by allowing the registry to pull the image from Docker Hub.
```sh
kubectl apply -f k8s-deployment.yml
```
This guide assumes that the application is deployed in a Kubernetes cluster and that `$SERVICE_URL` points to the application service.

The following command will output a Chuck Norris fact (and the HTTP headers):

```sh
curl -i $SERVICE_URL/free
```
The output will look like this:

```
HTTP/1.1 200 OK
Date: Sun, 15 Jul 2018 21:12:33 GMT
content-type: text/plain
content-length: 71

Chuck Norris can juggle 12 bar stools when drunk but only 8 when sober.
```

The endpoint is unprotected, hence `/free`. You can repeat this ad nauseam.

The `/protected` endpoint will serve facts that require protection. Try to call this endpoint:

```sh
curl -i $SERVICE_URL/protected
```
Computer says no:

```
HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Date: Sun, 15 Jul 2018 21:12:37 GMT
content-length: 54

You are not authorized. Use /free, you filthy peasant!
```

To access the protected endpoint, have a look at what's required in the Rego policy in k8s.yml: a JWT containing `micronaut-opa-demo` in the `payload.sub` field.

Let's try this again with a matching token:

```sh
curl -i -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJtaWNyb25hdXQtb3BhLWRlbW8iLCJuYW1lIjoiTWljcm9uYXV0IE9QQSBEZW1vIiwiaWF0IjoxNTE2MjM5MDIyfQ.2sOzCwb9777B4yAP-nU5PQPFIjulRJxS9nKDNgHOvqA" -i $SERVICE_URL/protected
```
And lo and behold, Chuck Norris' real name is exposed:

```
HTTP/1.1 200 OK
Date: Sun, 15 Jul 2018 21:33:31 GMT
content-type: text/plain
content-length: 147

Carlos Ray Norris once had a head on collision with the sun. Luckily, the sun is so far away that the shift of its position had no effect on Earth.
```

The application forwards all request headers, the request path and the HTTP method to OPA as the policy input, and OPA makes its decision on that data. Since the policy sees the full request context, almost any authorization decision can be offloaded to OPA and changed without touching the application code.
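As an added illustration (not the policy shipped in this repository's k8s.yml), here is a Rego policy that implements the decision described above. It assumes the application posts an input document of the form `{"method": ..., "path": ..., "headers": {...}}`, that the token is HS256-signed, and that the shared secret is configured under the placeholder shown in the code; the package name is also an assumption.

```rego
package micronaut.authz

import rego.v1

# Added example, not the repository's own policy. Assumed (constructed) input shape:
#   {"method": "GET", "path": "/protected",
#    "headers": {"Authorization": "Bearer <jwt>"}}

default allow := false

# /free is open to everyone.
allow if input.path == "/free"

# /protected requires a JWT whose signature verifies and whose subject matches.
allow if {
	input.path == "/protected"
	input.method == "GET"
	claims.sub == "micronaut-opa-demo"
}

# Pull the bearer token out of the Authorization header. The lookup is
# case-insensitive because clients and frameworks differ in header casing.
bearer_token := t if {
	some name, value in input.headers
	lower(name) == "authorization"
	startswith(value, "Bearer ")
	t := substring(value, count("Bearer "), -1)
}

# decode_verify checks the signature before the claims are trusted. Using
# io.jwt.decode alone would accept any unsigned or forged sub claim.
claims := payload if {
	[valid, _, payload] := io.jwt.decode_verify(bearer_token, {
		"secret": "REPLACE_WITH_SHARED_HS256_SECRET", # placeholder, not from the page
		"alg": "HS256",
	})
	valid
}

# Message the application can relay when the decision is deny.
deny_reason := "You are not authorized. Use /free, you filthy peasant!" if not allow
```

Query `data.micronaut.authz.allow` from the application; a request without a valid, correctly signed token for `/protected` evaluates to `false` and yields the 401 shown above.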
This repository may be used under the terms and conditions of the Apache License 2.0.