Validate Request with Open Policy Agent (OPA)¶
The Open Policy Agent (OPA) is an open source, general-purpose policy engine that unifies policy enforcement. In Choreo Connect, you can offload some responsibility of making the decision to authorize or not when a consumer invokes APIs based on policies attached to APIs.
Choreo Connect uses OPA’s policy evaluation REST API interface to communicate with OPA. Following diagram describes the request/response of OPA validation.
Tip
You can deploy OPA server as a sidecar with Choreo Connect Runtime (Enforcer and Router) in a Kubernetes deployment, if you want to improve communication between Enforcer and OPA server.
| Numbers | Description |
|---|---|
| 1 | Client request |
| 2 | Request to validate (i.e. authentication, rate-limiting, OPA validation and other validations) the client request through Enforcer |
| 3 | Enforcer calling the OPA server with the JSON payload described in Request Payload to the OPA server |
| 4 | Response from OPA server after validating the request as described in Response Payload from the OPA server |
| 5 | Respond the validation status to the Router |
| 6,7 | Response from the backend |
| 8 | Response to the client |
Please refer the documentation on Validate Request with Open Policy Agent (OPA) to learn how to attach and configure OPA policies to APIs.