gertd | 3 years ago

When it comes to integration of external capabilities in OPA there are only two options: make a REST call, or add a built-in.

We provide a set of OPA built-ins which enable the integration, and which are documented here: https://www.topaz.sh/docs/directory/built-ins

jzelinskie | 3 years ago

Both REST and built-ins for OPA have been available for existing projects like OpenFGA[0] and SpiceDB[1]. In the case of SpiceDB, the first built-in was actually available in June of last year[2].

Since there is a clear interest from the existing communities with mature solutions, it'd be awesome to collaborate for the graph layer. Speaking from the SpiceDB community, we'd be glad to welcome you -- this is what open source is all about!

[0]: https://github.com/thomasdarimont/custom-opa-openfga

[1]: https://github.com/thomasdarimont/custom-opa-spicedb

[2]: https://github.com/authzed/zed/pull/5

ogazitt | 3 years ago

Our design approach with Aserto has been to have a single OPA-based decision engine integrated with a built-in directory. So Topaz carries this forward.

We do have a gRPC contract for the directory (which is pluggable in Topaz), and it would be interesting to see if there could be SpiceDB or OpenFGA implementations of that contract!