Skip to main content

Step 2: Sending authorization queries to OPA

As mentioned above, the OPA Agent & it's REST API is running on port :8181.

Let's explore the current state and send some authorization queries to the agent.

The default policy in the example repo is a simple RBAC policy, to which we can issue the below request to get the user's role assignment and metadata.

curl --request GET 'http://localhost:8181/v1/data/users' --header 'Content-Type: application/json' | python -m json.tool

The expected resonse should be like the one below.

{
"result": {
"alice": {
"location": {
"country": "US",
"ip": "8.8.8.8"
},
"roles": [
"admin"
]
},

...
}
}

With some user data gathered, let's now issue an authorization query. In OPA, an authorization query is a query with input.

This below query asks whether the user bob can read the finance resource, where the id of the object is id123.

curl -w '\n' --request POST 'http://localhost:8181/v1/data/app/rbac/allow' \
--header 'Content-Type: application/json' \
--data-raw '{"input": {"user": "bob", "action": "read", "object": "id123", "type": "finance"}}'

The expected result is true, meaning the access is granted.

{"result": true}