OPA Integration
Production - OpaAuthorizationService
The IAM service integrates with Open Policy Agent (OPA) for complex authorization decisions that go beyond simple RBAC. OPA policies are evaluated via HTTP calls to the OPA sidecar or external OPA server.
6.5.8 Architecture

Request --> IAM Service --> OPA Sidecar (localhost:8181)
                |                    |
                |-- RBAC check       |-- Policy evaluation
                |   (permission      |   (Rego policies)
                |    cache)          |
                |                    |-- Returns allow/deny
                v                    v
            Authorization Decision

When OPA Is Used
OPA is invoked for authorization decisions that require:
- Attribute-based access control (ABAC): Decisions based on resource attributes, not just roles
- Cross-tenant policies: Platform-wide policies that span tenant boundaries
- Temporal policies: Access rules that depend on time, location, or context
- Data classification: Access decisions based on data sensitivity levels
OpaAuthorizationService

The OpaAuthorizationService sends authorization requests to OPA. Its two entry points (signatures only; method bodies are omitted here):

import java.util.Map;
import org.springframework.stereotype.Service;

@Service
public class OpaAuthorizationService {

    // Evaluates the policy document at the given OPA path (for example
    // /v1/data/matih/authz) against the supplied input map.
    public boolean evaluate(String policyPath, Map<String, Object> input);

    // Evaluates with full context: the user, the resource being accessed,
    // the action requested, and environment attributes (IP, time, ...).
    public boolean authorize(User user, String resource, String action,
                             Map<String, Object> context);
}

Policy Input Structure
{
  "input": {
    "user": {
      "id": 42,
      "email": "user@example.com",
      "tenant_id": "550e8400-e29b-41d4-a716-446655440000",
      "roles": ["analyst"],
      "permissions": ["dashboards:read", "queries:execute"]
    },
    "resource": {
      "type": "dashboard",
      "id": "dash-123",
      "owner": "user-10",
      "classification": "confidential"
    },
    "action": "read",
    "environment": {
      "ip_address": "203.0.113.50",
      "time": "2026-02-12T10:30:00Z"
    }
  }
}

Configuration

matih:
  opa:
    url: http://localhost:8181
    policy-path: /v1/data/matih/authz
    timeout-ms: 500
    enabled: true
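A minimal client for the decision call described above, added here as an example rather than the project's own code. It builds the input document shown under Policy Input Structure, posts it to the url and policy-path from the configuration block with the configured timeout, and shows the two checks a practitioner wants on the way back: OPA answers HTTP 200 with an empty object `{}` when no document exists at the requested path (for instance, the policy bundle failed to load), and a slow or unreachable sidecar raises; both must become a deny, never an allow. The shape of the decision document (`{"result": {"allow": true}}`) and the `transport` hook used to run the code offline are assumptions, not something the page states.

```python
"""Added example, not the project's code: a fail-closed client for the OPA Data API
that mirrors the page's input document and configuration.

Assumption (not stated on the page): the document at /v1/data/matih/authz is an
object whose "allow" key carries the decision, so OPA replies
{"result": {"allow": true}} or {"result": {"allow": false}}.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Optional

# Values taken from the page's configuration block.
OPA_URL = "http://localhost:8181"
POLICY_PATH = "/v1/data/matih/authz"
TIMEOUT_S = 500 / 1000  # timeout-ms: 500

# transport(url, payload, timeout) -> raw response body. Injected so the
# example runs offline; the real one is http_transport below (assumed design).
Transport = Callable[[str, bytes, float], bytes]


def build_input(user: dict, resource: dict, action: str, environment: dict) -> dict:
    """Wrap the four context parts in the {"input": ...} envelope the Data API expects."""
    return {"input": {"user": user, "resource": resource,
                      "action": action, "environment": environment}}


def decide(body: Optional[bytes]) -> bool:
    """Map an OPA Data API response body to allow/deny.

    Only an explicit {"result": {"allow": true}} allows. OPA returns 200 with {}
    (no "result" key) when nothing is defined at the path, e.g. the policy bundle
    never loaded; defaulting to allow on a missing key would fail open.
    """
    if not body:
        return False
    try:
        doc = json.loads(body)
    except ValueError:
        return False
    result = doc.get("result") if isinstance(doc, dict) else None
    if not isinstance(result, dict):
        return False
    return result.get("allow") is True


def http_transport(url: str, payload: bytes, timeout: float) -> bytes:
    """Real transport: POST the input document to OPA and return the raw body."""
    req = urllib.request.Request(url, data=payload, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


def authorize(user: dict, resource: dict, action: str, environment: dict,
              transport: Transport = http_transport) -> bool:
    """Evaluate the configured policy path for one request.

    Any transport failure (OPA down, HTTP error, slower than timeout-ms) is a deny.
    """
    payload = json.dumps(build_input(user, resource, action, environment)).encode()
    try:
        body = transport(OPA_URL + POLICY_PATH, payload, TIMEOUT_S)
    except (urllib.error.URLError, TimeoutError, OSError, ValueError):
        return False
    return decide(body)


# Constructed sample request matching the page's input structure.
SAMPLE_USER = {"id": 42, "email": "user@example.com",
               "tenant_id": "550e8400-e29b-41d4-a716-446655440000",
               "roles": ["analyst"], "permissions": ["dashboards:read", "queries:execute"]}
SAMPLE_RESOURCE = {"type": "dashboard", "id": "dash-123", "owner": "user-10",
                   "classification": "confidential"}
SAMPLE_ENV = {"ip_address": "203.0.113.50", "time": "2026-02-12T10:30:00Z"}


def fake_opa(reply: bytes) -> Transport:
    """Offline stand-in for the sidecar that returns a canned body."""
    return lambda url, payload, timeout: reply


def failing_transport(url: str, payload: bytes, timeout: float) -> bytes:
    """Offline stand-in for an unreachable or slow sidecar."""
    raise TimeoutError("OPA did not answer within timeout-ms")


if __name__ == "__main__":
    for label, transport in [("allow", fake_opa(b'{"result": {"allow": true}}')),
                             ("deny", fake_opa(b'{"result": {"allow": false}}')),
                             ("no policy loaded", fake_opa(b'{}')),
                             ("sidecar timeout", failing_transport)]:
        print(label, "->", authorize(SAMPLE_USER, SAMPLE_RESOURCE, "read", SAMPLE_ENV, transport))
```

Swap `fake_opa(...)` for the default `http_transport` to talk to a real sidecar on localhost:8181; everything else, including the deny-on-`{}` and deny-on-timeout paths, stays the same.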