Skip to main content

MongoDB Data Plugin

Enterprise OPA supports pulling in data from MongoDB documents using periodic polling.


You can also query MongoDB directly from a policy at query-time using the mongodb built-in function.

Example Configuration

The MongoDB integration is provided through the data plugin, and needs to be enabled in Enterprise OPA's configuration.

# enterprise-opa-conf.yaml
type: mongodb
uri: localhost:27017
database: permissions
collection: employees
organization: HR
polling_interval: 10s
rego_transform: data.e2e.transform

With a config like this, Enterprise OPA will retrieve the documents in the employees collection in the permissions database every 10s. The result will contain only documents containing {organization: HR} and the documents will be available to all policy evaluations under{_id}.


uriStringYesThe URI of the database.
authObjectNoSee Auth
canonicalBoolNofalseWhether to use Canonical mode or not for BSON encoding. More Details
polling_intervalStrongNo30sThe interval between polling of the database.


auth.auth_mechanismStringNoThe mechanism to use for authentication. Supported values include SCRAM-SHA-256, SCRAM-SHA-1, MONGODB-CR, PLAIN, GSSAPI, MONGODB-X509, and MONGODB-AWS. More details.
auth.auth_mechanism_propertiesObjectNoAdditional configuration options for certain mechanisms. More Details
auth.auth_sourceStringNoThe name of the database to use for authentication. More Details.
auth.usernameStringNoThe username for authentication.
auth.passwordStringNoThe password for authentication.
auth.password_setBoolNoFor GSSAPI, this must be true if a password is specified, even if the password is the empty string, and false if no password is specified, indicating that the password should be taken from the context of the running process. For other mechanisms, this field is ignored.

See links below to the MongoDB docs for more information on some of the options:

Database, Collection and Find Options

databaseStringYesThe name of the database.
collectionStringYesThe name of the collection in the database to fetch from.
filterObjectYesThe document describing query conditions for the operation. More Details
find_optionsObjectNoThe document describing extra query options. More Details

Data Transformations

The rego_transform attribute specifies the path to a rule used to transform data pulled from MongoDB into a different format for storage in Enterprise OPA.

rego_transform policies take incoming messages as JSON via input.incoming and returns the transformed JSON.


Starting with the Enterprise OPA configuration above and the example Data

"_id": {
"$oid": "6520a3db73b2495b371c6eb3"
"country": "US",
"employeeID": "1276",
"name": "Jane Doe",
"organization": "HR"
"_id": {
"$oid": "652715d4da89b61eaca5cab9"
"country": "US",
"employeeID": "1337",
"name": "Alice Abramson",
"organization": "Product"
"_id": {
"$oid": "65271608da89b61eaca5caba"
"country": "DE",
"employeeID": "976",
"name": "Bob Branson",
"organization": "HR"

Our data.e2e.transform policy is:

package e2e
import future.keywords

transform := {c: {e.employeeID: | e := input.incoming[_]; == c} | c := input.incoming[_].country}

Then the data retrieved by the S3 plugin would be transformed by the above into:

curl "${ENTERPRISE_OPA_URL}/v1/data/employees/hr?pretty"
"result": {
"DE": {
"976": "Bob Branson"
"US": {
"1276": "Jane Doe",