bullcitydev | 2 years ago

We're currently evaluating OPA for adding RBAC to our open-source application [0]. We plan on using the Go API [1] and doing the policy eval directly in our app since our app is also written in Go.

The thinking is we'll have some basic built-in policies (like admins can do X, editors can do Y, etc.) but also allow users to configure their own policies if they want by writing Rego and loading their policy rules at startup time (via config). We'd document the inputs that we pass to the evaluation call such as request headers, IP, role, etc.

I'm curious if anyone has ever tried something like this or similar?

[0] https://github.com/flipt-io/flipt

[1] https://www.openpolicyagent.org/docs/latest/integration/#int...
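
A sketch of the policy layout the post describes, added here as an illustration and not taken from the post or from the Flipt project: built-in role rules that deny by default, plus a `deny` set that operator-supplied Rego files loaded at startup can extend. The package name, the input fields (`role`, `action`, `ip`), the role-to-action mapping and the CIDR range are all assumptions.

```rego
# Added example. Package name, input fields and permissions are hypothetical.
package example.authz

import rego.v1

# Deny by default: a request passes only when the allow rule below matches.
default allow := false

# Built-in policy: which actions each role may perform (assumed mapping).
role_actions := {
	"admin": {"read", "write", "delete"},
	"editor": {"read", "write"},
	"viewer": {"read"},
}

# Undefined (so not allowed) when the role is unknown or the action is not listed.
role_allows if input.action in role_actions[input.role]

# Extension point: an operator-supplied file that declares the same package
# can add more `deny contains ...` rules. This one restricts callers to an
# internal range (constructed value). A missing or malformed input.ip also
# lands here, so the check fails closed.
deny contains "request from outside the allowed network" if {
	not net.cidr_contains("10.0.0.0/8", input.ip)
}

# Final decision: the role must permit the action and no deny rule may fire.
allow if {
	role_allows
	count(deny) == 0
}
```

Because extra files in the same package could also define their own `allow` rules, routing operator customization through `deny` only restricts access when the application validates at load time which rule names a supplied file is permitted to define.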

fireflash38|2 years ago

That's all pretty easily doable. Just make your app take in a bundle with package defined in the manifest. Document your call points, as you've said.

samarthr1|1 year ago

Not affiliated with AuthZed, but SpiceDB may be a good fit for your use case?