Build Access Control with Rego

Common Model

While authorization models are varied, the basic building blocks of access control decisions commonly refer to subject, action, and resource.

Subject

The actor of an access control decision: a human operating a browser, or a program using an API (e.g. "alice", "bob").

Resource

The object that is acted on (e.g. "picture", "profile", "bank account").

Action

The act of the access control decision: how a resource is referred to (e.g. "read", "delete", "update").

In the how-tos of the various policy models (RBAC, ABAC, ReBAC), we'll assume that data.common contains subject, action, and resource.

How the subject/action/resource relates to the policy input depends on the deployment scenario, see these examples:

Direct

If the access tuple is provided as-is in the policy input JSON

{
  "subject": "alice",
  "action": "delete",
  "resource": "dog"
}

it can be used as-is from input:

package common

import rego.v1

subject := input.subject

action := input.action

resource := input.resource

HTTP request (JWT)

The input to OPA's policy evaluation could also be a JSON representation of an HTTP request including a JSON Web Token (JWT). This example shows the input provided by Envoy (via opa-envoy-plugin):

{
  "request": {
    "http": {
      "headers": {
        ":authority": "example-app",
        ":method": "POST",
        ":path": "/pets/dogs",
        "accept": "*/*",
        "authorization": "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiQWxpY2lhIFNtaXRoc29uaWFuIiwicm9sZXMiOlsicmVhZGVyIiwid3JpdGVyIl0sInVzZXJuYW1lIjoiYWxpY2UifQ.md2KPJFH9OgBq-N0RonGdf5doGYRO_1miN8ugTSeTYc",
        "content-length": "0",
        "user-agent": "curl/7.68.0-DEV",
        "x-ext-auth-allow": "yes",
        "x-forwarded-proto": "http",
        "x-request-id": "1455bbb0-0623-4810-a2c6-df73ffd8863a"
      },
      "host": "example-app",
      "id": "8306787481883314548",
      "method": "POST",
      "path": "/pets/dogs",
      "protocol": "HTTP/1.1"
    }
  }
}

This indirection can be resolved via Rego, too:

package common

import rego.v1

req := input.request.http # for shorter definitions

subject := jwt_claim(req.headers.authorization, "username")

actions := {
	"POST": "create",
	"PUT": "update",
	"DELETE": "delete",
}

action := actions[req.method]

resource := "dogs" if startswith(req.path, "/pets/dogs")

jwt_claim(authorization, key) := value if {
	bearer_token := token(authorization)

	# Verify the signature on the Bearer token. In this example the secret is
	# hardcoded into the policy however it could also be loaded via data or
	# an environment variable.
	io.jwt.verify_hs256(bearer_token, "B41BD5F462719C6D6118E673A2389")
	[_, payload, _] := io.jwt.decode(bearer_token)
	value := payload[key]
}

token(value) := substring(value, 7, -1) # cut off "bearer "

For illustration purposes, only some potential "actions" are spelled out.

Access Control Models

Role-Based Access Control (RBAC)

Learn how to implement RBAC in Rego

Attribute-Based Access Control (ABAC)

Learn how to implement ABAC in Rego

Relationship-Based Access Control (ReBAC)

Learn how to implement ReBAC in Rego