Open Policy Agent and Mixer

#1

I’m trying to get the Open Policy Agent adapter working in Istio 1.1. I’ve installed Istio into a Minikube cluster using Helm and the default helm template values.

I’ve setup the OPA adapter operator configurations as described here. I noticed in the logs though that the handler is not being recognized:

Here are my kubernetes manifests:

apiVersion: "config.istio.io/v1alpha2"
kind: opa
metadata:
 name: opa-handler
 namespace: istio-system
spec:
 policy:
   - |+
    package mixerauthz

    default allow = false

    #allow = true {
    #  input.subject.user = jwhitaker 
    #  input.action.method = "GET" 
    #}
 checkMethod: "data.mixerauthz.allow"
 failClose: true

---

apiVersion: "config.istio.io/v1alpha2"
kind: rule
metadata:
 name: authorization
 namespace: istio-system
spec:
 actions:
 - handler: opa-handler
   instances: ["authz-instance"]

---
apiVersion: "config.istio.io/v1alpha2"
kind: instance
metadata:
  name: authz-instance
  namespace: istio-system
spec:
  template: authorization
  params:
    subject:
      user: request.auth.claims["sub"] | request.auth.principal | source.principal | ""
      groups: request.auth.claims["groups"] | ""
      properties:
        iss: request.auth.claims["iss"] | ""
    action:
      namespace: destination.namespace | "default"
      service: destination.service.host | ""
      path: request.path | "/"
      method: request.method | ""
      properties:
        version: destination.labels["version"] | ""

Does OPA come pre-compiled into Mixer? If so, why would I be having this issue? I’ve compiled in a Mixer adapter before and got it to work, and I’ve also used gRPC out-of-process adapters without issue. So this issue is new to me…

0 Likes

#2

This was discussed and resolved in https://github.com/istio/istio/issues/13098.

0 Likes