--- title: OPA description: Adapter that implements an Open Policy Agent engine. location: https://istio.io/docs/reference/config/policy-and-telemetry/adapters/opa.html layout: protoc-gen-docs generator: protoc-gen-docs supported_templates: authorization aliases: - /docs/reference/config/adapters/opa.html number_of_entries: 1 ---

The opa adapter exposes an Open Policy Agent engine that provides sophisticated access control mechanisms.

This adapter supports the authorization template.

Params

Configuration format for the opa adapter.

Example configuration:

policy:
  - |+
    package mixerauthz
    policy = [
      {
        "rule": {
          "verbs": [
            "storage.buckets.get"
          ],
          "users": [
            "bucket-admins"
          ]
        }
      }
    ]

    default allow = false

    allow = true {
      rule = policy[_].rule
      input.subject.user = rule.users[_]
      input.action.method = rule.verbs[_]
    }
checkMethod: "data.mixerauthz.allow"
failClose: true
Field Type Description Required
policy string[]

List of OPA policies

No
checkMethod string

Query method to check. Format: data.<package name>.<method name>

No
failClose bool

Close the client request when adapter has a issue. If failClose is set to true and there is a runtime error, instead of disabling the adapter, close the client request

No