Building on top of Open Policy Agent (OPA)


Building authorization with the Open Policy Agent decision engine


The Open Policy Agent (OPA) project is a great general-purpose policy engine applied heavily in the infrastructure space. Aserto has extended the use case for the general-purpose decision engine to that of fine-grained application access control.

The OPA decision engine is at the core of Aserto authorizers, which make millisecond access control decisions based on real-time data.

OPA + Aserto = <3

Distribution

Aserto wraps the policy bundle with an Open Container Initiative (OCI) image so that your OPA policies use an image format that has been standardized and embraced by a much broader ecosystem.

Because the bundle is an OCI artifact, Aserto can apply semantic versioning and standard signing tools (such as Sigstore) to it:

- An OCI artifact carries labels and attributes that are indexable and searchable, which supports discoverability and sharing.

- Semantic versioning combined with signing lets you know exactly which policy bundle is currently running and prevents tampering, strengthening the integrity of the build.

Read more about Open Policy Containers, a Docker-like command workflow for securing the software supply chain of your OPA policies.

Synchronization

The use of signed OCI images, as well as the ability to push those images to an authorizer instance running right next to your application, gives you the assurance that you are running the version of a policy that you’re expecting.
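The following is an added example (not Aserto's or OPA's own code) of the check an authorizer should make before it loads a distributed bundle: the manifest must be signed, it must carry a valid semantic version, and the bundle bytes must hash to the digest pinned in the manifest. Everything here is constructed for illustration; the bundle is a single Rego file's bytes, and HMAC-SHA256 with a shared key stands in for a real detached signature such as a Sigstore/cosign signature over the OCI manifest.

```python
"""Verify a policy bundle against a signed, digest-pinned manifest before loading it.

Added example, not project code. The manifest layout (name, version, digest,
labels) is an assumed, simplified stand-in for an OCI manifest, and HMAC with a
shared key stands in for an asymmetric signature.
"""
import hashlib
import hmac
import json
import re

# Semantic Versioning 2.0.0 core pattern with optional pre-release and build metadata.
SEMVER_RE = re.compile(
    r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)"
    r"(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$"
)


def bundle_digest(data: bytes) -> str:
    """Content digest in the 'sha256:<hex>' form used by OCI descriptors."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    """Deterministic serialization so the signature covers exactly one byte string."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes) -> str:
    """Stand-in signature: HMAC-SHA256 over the canonical manifest (hex-encoded)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_bundle(data: bytes, manifest: dict, signature: str, key: bytes) -> tuple[bool, str]:
    """Return (ok, reason). The order matters: an unsigned manifest must not be
    trusted for anything, so the signature is checked first, then the version,
    then the pinned digest against the actual bundle bytes."""
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "manifest signature invalid"
    version = manifest.get("version", "")
    if not SEMVER_RE.match(version):
        return False, f"version {version!r} is not a semantic version"
    if manifest.get("digest") != bundle_digest(data):
        return False, "bundle digest does not match the manifest"
    return True, f"ok: {manifest.get('name')}@{version}"


# Constructed sample bundle: the bytes of one Rego file.
POLICY = b'package app\n\ndefault allow := false\n\nallow if input.user.role == "admin"\n'
KEY = b"demo-signing-key"  # constructed; a real deployment uses a key pair, not a shared secret
MANIFEST = {
    "name": "example/app-policy",
    "version": "1.4.2",
    "digest": bundle_digest(POLICY),
    "labels": {"team": "platform"},
}
SIGNATURE = sign_manifest(MANIFEST, KEY)


def demo() -> dict:
    """Exercise the happy path and the two tampering cases."""
    tampered_policy = POLICY.replace(b'"admin"', b'"guest"')  # bundle edited after signing
    tampered_manifest = dict(MANIFEST, version="9.9.9")        # manifest edited after signing
    return {
        "genuine": verify_bundle(POLICY, MANIFEST, SIGNATURE, KEY),
        "tampered_bundle": verify_bundle(tampered_policy, MANIFEST, SIGNATURE, KEY),
        "tampered_manifest": verify_bundle(POLICY, tampered_manifest, SIGNATURE, KEY),
    }


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:18} {'PASS' if ok else 'FAIL'}  {reason}")
```

The digest comparison is what makes "the version you're expecting" meaningful: a tag like `1.4.2` is mutable, a content digest is not, so the authorizer should pin and check the digest and treat the tag only as a human-readable label.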

Identity

The OPA engine has access to a JSON Web Token (JWT) or Security Assertion Markup Language (SAML) token, but any other piece of identity information it would want to use in authorization decisions would have to be resolved over an HTTP call.

Aserto solves this by bringing the identity information needed to make authorization decisions as close to the engine as possible so that no network calls are made at runtime. A database is hosted in the same container as the decision engine itself and is synchronized and kept up-to-date with a centralized directory. This ensures the decision engine can be autonomous and continue running even when the network might be down.

Resource context

Aserto keeps a database next to the decision engine that is automatically synchronized with all resource information. Eliminating network calls at decision time preserves both the integrity and the speed of the engine, and the policy itself remains a read-only, immutable artifact.

Enforcement

Aserto eliminates the risk of making authorization decisions based on stale data by delivering the user, policy, and resource contexts to the policy decision point in real-time, with 100% availability.

Decision logs

Auditing and tracing are key components of a production-grade access control system. While OPA lets you push decision logs to an HTTP endpoint, it doesn't help with aggregating and centralizing all the messages. In deployments with multiple decision engine instances, this becomes a real challenge.
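To make the aggregation problem concrete, here is an added example (not OPA's or Aserto's code) of a minimal centralizer that consumes decision log events from several engine instances. The sample events are constructed; their fields (`decision_id`, `labels.id`, `path`, `result`, `bundles.<name>.revision`, `timestamp`) follow the shape of OPA decision log events as assumed here. It deduplicates on `decision_id` (log shippers commonly deliver at least once), tallies allow/deny per instance, and flags bundle revision drift, i.e. instances that are evaluating different policy versions at the same time.

```python
"""Aggregate decision log events from multiple decision engine instances.

Added example, not project code. Event field names are assumed to follow the
OPA decision log shape; the log lines below are constructed for illustration.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: two instances (labels.id), one duplicated delivery of d4.
SAMPLE_LOG_LINES = [
    '{"decision_id":"d1","labels":{"id":"authz-a"},"path":"app/allow","input":{"user":"alice"},'
    '"result":true,"bundles":{"app":{"revision":"rev-7"}},"timestamp":"2024-01-01T10:00:00Z"}',
    '{"decision_id":"d2","labels":{"id":"authz-a"},"path":"app/allow","input":{"user":"bob"},'
    '"result":false,"bundles":{"app":{"revision":"rev-7"}},"timestamp":"2024-01-01T10:00:01Z"}',
    '{"decision_id":"d3","labels":{"id":"authz-a"},"path":"app/allow","input":{"user":"carol"},'
    '"result":true,"bundles":{"app":{"revision":"rev-7"}},"timestamp":"2024-01-01T10:00:02Z"}',
    '{"decision_id":"d4","labels":{"id":"authz-b"},"path":"app/allow","input":{"user":"dave"},'
    '"result":true,"bundles":{"app":{"revision":"rev-6"}},"timestamp":"2024-01-01T10:00:03Z"}',
    # Same event delivered twice (at-least-once shipping); must be counted once.
    '{"decision_id":"d4","labels":{"id":"authz-b"},"path":"app/allow","input":{"user":"dave"},'
    '"result":true,"bundles":{"app":{"revision":"rev-6"}},"timestamp":"2024-01-01T10:00:03Z"}',
]


def parse_event(line: str) -> dict:
    """One JSON object per line; malformed lines raise so they are not silently dropped."""
    return json.loads(line)


def aggregate(lines) -> dict:
    """Centralize events: dedupe, count outcomes per instance, detect revision drift."""
    seen = set()
    duplicates = 0
    by_instance = defaultdict(Counter)
    revisions = defaultdict(set)  # bundle name -> revisions observed across instances

    for line in lines:
        event = parse_event(line)
        decision_id = event.get("decision_id")
        if decision_id in seen:
            duplicates += 1
            continue
        seen.add(decision_id)

        instance = event.get("labels", {}).get("id", "unknown")
        # A boolean `result` is the common case for a single allow/deny rule;
        # anything else is treated as a deny so it cannot be misread as an allow.
        outcome = "allow" if event.get("result") is True else "deny"
        by_instance[instance][outcome] += 1

        for name, bundle in event.get("bundles", {}).items():
            revisions[name].add(bundle.get("revision"))

    # Drift: the same bundle seen at more than one revision in this window.
    drift = {name: sorted(revs) for name, revs in revisions.items() if len(revs) > 1}
    return {
        "by_instance": {k: dict(v) for k, v in by_instance.items()},
        "revision_drift": drift,
        "unique_decisions": len(seen),
        "duplicates": duplicates,
    }


if __name__ == "__main__":
    print(json.dumps(aggregate(SAMPLE_LOG_LINES), indent=2))
```

Revision drift is the audit signal that ties back to the Synchronization section: if two instances answer the same question under different bundle revisions, the decision logs are the first place the mismatch becomes visible.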

What is Aserto?

Aserto is an authorization service that helps developers build secure applications. It makes it easy to add fine-grained, policy-based, real-time access control to applications and APIs. It offers blazing-fast authorization from a local library, coupled with a centralized control plane for managing policies, user attributes, resource and relationship data, and decision logs. And it comes with everything you need to deliver fine-grained RBAC, ABAC, or ReBAC.

Resources

Built for developers with

David Kerber

VP of Technology

"Authorization involves really hard problems that I want experts to solve. We like to focus our internal engineering efforts on our customers and their problems. Aserto allows us to do just that, at a small fraction of the cost it would take to build and maintain it ourselves, not to mention the opportunity cost."

Mathias Biilmann Christensen

Co-founder & CEO, Netlify

"As millions of developers and businesses are adopting a Jamstack approach, most modern web applications involve multiple APIs and services. Aserto's promise of separating policies from code could radically simplify the implementation of authorization across the front-end UI and the larger world of back-end functions and endpoints."

Tom Preston-Werner

Co-founder, GitHub

"Building & managing an authorization/RBAC system is a huge pain, especially at enterprise scale. So stop! Aserto has a distributed, millisecond latency, 100% availability API for that. I'm excited to help as an angel investor!"


Authorization as easy as an API call