
Step 2: Sending authorization queries to OPA

As mentioned above, the OPA agent and its REST API are running on port 8181.

Let's explore the current state and send some authorization queries to the agent.

The default policy in the example repo is a simple RBAC policy. We can issue the request below to get the users' role assignments and metadata.

curl --request GET 'http://localhost:8181/v1/data/users' --header 'Content-Type: application/json' | python -m json.tool

The expected response should be like the one below.

{
    "result": {
        "alice": {
            "location": {
                "country": "US",
                "ip": "8.8.8.8"
            },
            "roles": [
                "admin"
            ]
        },

        ...
    }
}

With some user data gathered, let's now issue an authorization query. In OPA, an authorization query is a query with input.

You can also inspect the loaded data in the OPA playground UI at http://localhost:8181/.

For example, paste this query into the query field and click Execute:

data.users[i].roles[_] = "admin"

The expected result should show the user that has the admin role in the example data.json:

{
    "result": [
        {
            "i": "alice"
        }
    ]
}

This is a quick way to confirm that OPAL loaded the example data into OPA before sending authorization queries with input.

The query below asks whether the user bob can read the finance resource, where the id of the object is id123.

curl -w '\n' --request POST 'http://localhost:8181/v1/data/app/rbac/allow' \
--header 'Content-Type: application/json' \
--data-raw '{"input": {"user": "bob", "action": "read", "object": "id123", "type": "finance"}}'

The expected result is true, meaning the access is granted.

{"result": true}