Introduction to OPAL
What is OPAL?
Modern applications are complex, distributed, multi-tenant and run at scale - often creating overwhelming authorization challenges.
OPA (Open Policy Agent) brings the power of decoupled policy to the infrastructure layer (especially K8s), and light applications.
OPAL supercharges OPA to meet the pace of live applications, where the state relevant to authorization decisions may change with every user click and API call.
OPAL builds on top of OPA, adding realtime updates (via WebSocket Pub/Sub) for both policy and data.
OPAL embraces decoupling of policy and code, and doubles down on decoupling policy (git driven) and data (distributed data-source fetching engines).
Why use OPAL
- OPAL is the easiest way to keep your solution's authorization layer up-to-date in realtime.
- OPAL aggregates policy and data from across the field and integrates them seamlessly into the authorization layer.
- OPAL is microservices- and cloud-native (see Key concepts and design)
Why OPA + OPAL == 💜
OPA (Open Policy Agent) is great! It decouples policy from code in a highly performant and elegant way. But the challenge of keeping policy agents up-to-date is hard - especially in applications, where each user interaction or API call may affect access-control decisions. OPAL runs in the background, supercharging policy agents and keeping them in sync with events in realtime.
AWS Cedar + OPAL == 💪
Cedar is a very powerful policy language, which powers AWS' AVP (Amazon Verified Permissions) - but what if you want to enjoy the power of Cedar on another cloud, locally, or on premises? This is where Cedar-Agent and OPAL come in.
What OPAL is not
OPAL is not a Policy Engine:
- OPAL uses policy engines, but isn't one itself
- Check out Cedar-Agent, Open-Policy-Agent, and OSO
OPAL is not a large-scale global fine-grained authorization system:
- Currently OPAL is not meant for managing ridiculous (>100GB) amounts of data within one layer, though it can complement a CDN to achieve a similar result - see Key concepts and design.
- Check out Google-Zanzibar
- OPAL + a policy agent essentially provide microservices for authorization
- Developers still need to add control interfaces on top (e.g. user management, API-key management, audit, impersonation, invites), both as APIs and UIs
- Check out Permit.io