Microservices Authorization with Open Policy Agent
Authorization is the key challenge in a microservices architecture. For each API call, users need to be authenticated and authorized. While authentication can be taken care of centrally at the API gateway layer, authorization is left for each microservice. Each microservice will need to validate the user's permissions and the entity the user is trying to access. The problem, of course, is to ensure that decoupled authorization can be implemented without compromising the security of the application.
Open Policy Agent (OPA) makes it easy to write fine-grained, context-aware policies to implement API authorization. This talk will focus on various architectural patterns to implement microservices API authorization with Open Policy Agent. We will cover how OPA can decouple the policy enforcement from implementation and integrate with external data sources to add context for authorization decisions (e.g. with LDAP).
The target audience for this talk is Microservices Solution Architects, Security Architects and Application Developers. Whether you have already implemented a microservices-based application or are looking to move to microservices, or even if you are looking for authorization solutions for APIs in your monolithic application, this talk is for you.
Key takeaways are:
- Overview of Open Policy Agent
- Various architectural patterns for implementing API authorization with OPA
- Decoupling authorization from implementation with context-aware authorization
- When and where to use each of the patterns
- Pros and cons of the OPA approach
I will start with a basic implementation to introduce the concepts and progressively take up advanced architectural patterns.
- Introduction to Open Policy Agent
- Authorization Patterns with OPA
- Integration with external data sources for contextual decision making
- Authorization Patterns with OPA - Demo
- OPA Istio Plugin
- Open Policy Agent Management APIs + Demo
No special requirements for the session. If you want to try out the demo as I explain it, bring along a laptop with git client, minikube / kind, and opa binaries installed.
I am working with InfraCloud Technologies as a Senior Technology Architect. I have been working in the Software Services industry (previously with Infosys and Cognizant) for 14 years and have vast experience in Microservices and cloud native architecture.
I am currently involved in projects involving OPA setup at multiple medium and large organisations. I am also active in the OPA community with the Slack handle @Gaurav. I have also given presentations about OPA at Kubernetes Forums, 2020, for both Delhi and Bengaluru.