Convert Figma logo to code with AI

permitio logoopal

Policy and data administration, distribution, and real-time updates on top of Policy Agents (OPA, Cedar, ...)

5,150
185
5,150
66
View on GitHub

Top Related Projects

ory's avatar

keto

4,875

The most scalable and customizable permission server on the market. Fix your slow or broken permission system with Google's proven "Zanzibar" approach. Supports ACL, RBAC, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.

casbin's avatar

casbin

17,922

An authorization library that supports access control models like ACL, RBAC, ABAC in Golang: https://discord.gg/S5UjpzGZjN

open-policy-agent's avatar

opa

9,617

Open Policy Agent (OPA) is an open source, general-purpose policy engine.

authzed's avatar

spicedb

5,210

Open Source, Google Zanzibar-inspired database for scalably storing and querying fine-grained authorization data

osohq's avatar

oso

3,479

Deprecated: See README

warrant-dev's avatar

warrant

1,181

Warrant is a highly scalable, centralized authorization service based on Google Zanzibar. Use it to define, enforce, query, and audit application authorization and access control.

Quick Overview

OPAL (Open Policy Administration Layer) is an open-source project that provides real-time policy updates and data fetching for policy agents. It's designed to work with Open Policy Agent (OPA) and other policy engines, offering a scalable solution for distributing policy data across services and environments.

Pros

  • Real-time policy updates without service restarts
  • Scalable architecture supporting millions of agents
  • Flexible integration with various policy engines and data sources
  • Built-in support for popular cloud providers and services

Cons

  • Requires additional infrastructure setup compared to standalone OPA
  • Learning curve for teams new to policy-as-code concepts
  • Limited documentation for advanced use cases
  • Potential single point of failure if not properly configured for high availability

Code Examples

  1. Configuring OPAL client in Python:
from opal_client.config import Config
from opal_client import OpalClient

config = Config(
    policy_store_url="http://localhost:8181",
    data_store_url="http://localhost:7002",
    topics=["policy_updates", "data_updates"]
)

client = OpalClient(config)
client.start()
  1. Defining a policy in Rego for OPAL:
package example

default allow = false

allow {
    input.method == "GET"
    input.path == "/api/public"
}
  1. Using OPAL with OPA in a Kubernetes deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: opa
spec:
  template:
    spec:
      containers:
        - name: opa
          image: openpolicyagent/opa:latest
          args:
            - "run"
            - "--server"
            - "--config-file=/config/config.yaml"
          volumeMounts:
            - readOnly: true
              mountPath: /config
              name: opa-config
        - name: opal-client
          image: permitio/opal-client:latest
          env:
            - name: OPAL_SERVER_URL
              value: "http://opal-server:7002"

Getting Started

  1. Install OPAL server and client:

    docker pull permitio/opal-server
docker pull permitio/opal-client

  2. Run OPAL server:

    docker run -p 7002:7002 -p 7000:7000 permitio/opal-server

  3. Run OPAL client:

    docker run -p 7766:7000 \
  -e OPAL_SERVER_URL=http://<opal-server-address>:7002 \
  permitio/opal-client

  4. Configure your application to use OPAL client for policy decisions.

Competitor Comparisons

ory logo

keto

4,875

The most scalable and customizable permission server on the market. Fix your slow or broken permission system with Google's proven "Zanzibar" approach. Supports ACL, RBAC, and more. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.

Pros of Keto

  • More mature project with a larger community and ecosystem
  • Supports multiple storage backends (SQL, Redis, in-memory)
  • Offers a REST API for easier integration with various systems

Cons of Keto

  • Steeper learning curve due to more complex architecture
  • Requires additional setup and configuration compared to OPAL
  • Less focus on real-time policy updates

Code Comparison

OPAL policy example:

allow(user, action, resource) if
    user.role == "admin" or
    (user.role == "editor" and action in ["read", "write"])

Keto policy example:

{
  "id": "policies:blog",
  "subjects": ["users:admin", "users:editor"],
  "resources": ["resources:blog:posts:<.*>"],
  "actions": ["create", "read", "update", "delete"],
  "effect": "allow"
}

Both OPAL and Keto provide policy-based access control, but they differ in their approach and syntax. OPAL uses a more expressive policy language, while Keto relies on JSON-based policy definitions. OPAL focuses on real-time policy distribution and evaluation, whereas Keto offers a broader set of features and integration options. The choice between the two depends on specific project requirements, scalability needs, and preferred policy definition style.

casbin logo

casbin

17,922

An authorization library that supports access control models like ACL, RBAC, ABAC in Golang: https://discord.gg/S5UjpzGZjN

Pros of Casbin

  • More mature and widely adopted project with a larger community
  • Supports multiple programming languages and frameworks
  • Offers a flexible, adaptable policy definition language (PCDL)

Cons of Casbin

  • Requires more manual configuration and setup
  • Less focus on real-time policy updates and distribution
  • May have a steeper learning curve for complex authorization scenarios

Code Comparison

Casbin policy definition:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act

OPAL policy definition (using OPA):

package authz

default allow = false

allow {
    input.user == "admin"
}

allow {
    input.action == "read"
    input.resource == "public_data"
}

Both Casbin and OPAL offer powerful authorization solutions, but they differ in their approach and focus. Casbin provides a versatile, multi-language authorization library with a custom policy language, while OPAL emphasizes real-time policy management and distribution using OPA. The choice between them depends on specific project requirements, language preferences, and the need for real-time policy updates.

open-policy-agent logo

opa

9,617

Open Policy Agent (OPA) is an open source, general-purpose policy engine.

Pros of OPA

  • Mature and widely adopted project with extensive documentation
  • Supports multiple policy languages (Rego, JSON, YAML)
  • Integrates with various cloud-native technologies and platforms

Cons of OPA

  • Steeper learning curve, especially for Rego language
  • Lacks built-in real-time policy distribution capabilities
  • Requires additional setup for centralized management and distribution

Code Comparison

OPA (Rego policy):

package httpapi.authz

default allow = false

allow {
    input.method == "GET"
    input.path == ["api", "public"]
}

OPAL (Python policy):

def allow_access(request):
    if request.method == "GET" and request.path == "/api/public":
        return True
    return False

Summary

OPA is a mature and versatile policy engine with broad ecosystem support, while OPAL focuses on real-time policy management and distribution. OPA uses Rego as its primary policy language, which can be more complex to learn, whereas OPAL allows policies to be written in Python, potentially lowering the entry barrier for developers. Both projects have their strengths, with OPA excelling in flexibility and OPAL in ease of policy updates and distribution.

authzed logo

spicedb

5,210

Open Source, Google Zanzibar-inspired database for scalably storing and querying fine-grained authorization data

Pros of SpiceDB

  • Built-in support for Google's Zanzibar authorization model
  • Designed for high performance and scalability
  • Strong focus on data consistency and reliability

Cons of SpiceDB

  • Steeper learning curve due to its specific data model
  • Less flexibility in terms of integration with existing systems
  • More complex setup and configuration process

Code Comparison

OPAL policy example:

package app.rbac

default allow = false

allow {
    input.user.role == "admin"
}

SpiceDB schema example:

definition user {}

definition document {
    relation viewer: user
    relation editor: user
    permission view = viewer + editor
    permission edit = editor
}

Key Differences

  • OPAL uses Rego language for policy definition, while SpiceDB uses its own schema language
  • OPAL focuses on real-time policy distribution, whereas SpiceDB emphasizes relationship-based authorization
  • OPAL provides more flexibility in policy structure, while SpiceDB offers a more structured approach based on the Zanzibar model

Both projects aim to solve authorization challenges, but they take different approaches. OPAL is more adaptable to various policy structures, while SpiceDB provides a robust implementation of the Zanzibar model for relationship-based access control.

osohq logo

oso

3,479

Deprecated: See README

Pros of Oso

  • Supports multiple programming languages (Python, Ruby, Java, Node.js, Go)
  • Provides a domain-specific language (Polar) for writing authorization rules
  • Offers a more comprehensive authorization solution with built-in role-based access control (RBAC)

Cons of Oso

  • Steeper learning curve due to the custom Polar language
  • Less focus on real-time policy updates compared to OPAL
  • May require more integration effort for existing applications

Code Comparison

Oso (using Polar language):

allow(user, "read", post) if
    user.role = "admin" or
    user.id = post.author_id;

OPAL (using Rego language):

allow {
    input.user.role == "admin"
}
allow {
    input.user.id == input.resource.author_id
}

Both examples demonstrate simple authorization rules, but Oso uses its custom Polar language, while OPAL leverages the Rego language from Open Policy Agent (OPA). Oso's syntax is more concise, but OPAL's use of Rego provides compatibility with the broader OPA ecosystem.

warrant-dev logo

warrant

1,181

Warrant is a highly scalable, centralized authorization service based on Google Zanzibar. Use it to define, enforce, query, and audit application authorization and access control.

Pros of Warrant

  • Offers a more comprehensive authorization solution with built-in user management and role-based access control
  • Provides a user-friendly dashboard for managing permissions and roles
  • Supports multiple programming languages and frameworks out of the box

Cons of Warrant

  • Less flexible for custom policy definitions compared to OPAL's OPA-based approach
  • May have a steeper learning curve for teams already familiar with OPA
  • Limited support for distributed policy enforcement in complex microservices architectures

Code Comparison

Warrant:

const warrant = new Warrant({ apiKey: 'YOUR_API_KEY' });
const hasPermission = await warrant.authorize({
  user: 'user@example.com',
  permission: 'edit_post',
  object: { type: 'post', id: '123' }
});

OPAL:

from opal_client.policy import Policy

policy = Policy.from_json({
    "allow": {
        "user": "user@example.com",
        "action": "edit",
        "resource": "post:123"
    }
})
result = policy.evaluate({"user": "user@example.com", "action": "edit", "resource": "post:123"})

Both Warrant and OPAL provide powerful authorization solutions, but they cater to different use cases and preferences. Warrant offers a more integrated approach with user management and RBAC, while OPAL focuses on flexible policy definitions using OPA. The choice between them depends on specific project requirements and team expertise.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

opal

⚡OPAL⚡

Open Policy Administration Layer

Tests Package Package Downloads Docker pulls Join our Slack!

What is OPAL?

OPAL is an administration layer for Policy Engines such as Open Policy Agent (OPA), and AWS' Cedar Agent detecting changes to both policy and policy data in realtime and pushing live updates to your agents. OPAL brings open-policy up to the speed needed by live applications.

As your app's data state changes (whether it's via your APIs, DBs, git, S3 or 3rd-party SaaS services), OPAL will make sure your services are always in sync with the authorization data and policy they need (and only those they need).

Check out OPAL's main site at OPAL.ac

OPAL Use Cases

OPAL is the easiest way to keep your solution's authorization layer up-to-date in realtime. It aggregates policy and data from across the field and integrates them seamlessly into the authorization layer, and is microservices and cloud-native.

Here are some of the main use cases for using OPAL:

simplified

OPAL uses a client-server stateless architecture. OPAL-Servers publish policy and data updates over a lightweight (websocket) PubSub Channel, which OPAL-clients subscribe to via topics. Upon updates, each client fetches data directly (from the source) to load it into its managed Policy Engine instance.

OPA + OPAL == 💜

While OPA (Open Policy Agent) decouples policy from code in a highly-performant and elegant way, the challenge of keeping policy agents up-to-date remains. This is especially true in applications, where each user interaction or API call may affect access-control decisions. OPAL runs in the background, supercharging policy agents and keeping them in sync with events in real time.

AWS Cedar + OPAL == 💪

Cedar is a very powerful policy language, which powers AWS' AVP (Amazon Verified Permissions) - but what if you want to enjoy the power of Cedar on another cloud, locally, or on premise? This is where Cedar-Agent and OPAL come in.

This video briefly explains OPAL and how it works with OPA, and a deeper dive into it at this OWASP DevSlop talk.

Who's Using OPAL?

OPAL is being used as the core engine of Permit.io Authorization Service and serves in production:

  • > 10,000 policy engines deployment
  • > 100,000 policy changes and data synchronizations every day
  • > 10,000,000 authorization checks every day

Besides Permit, OPAL is being used in Production in Tesla, Walmart, The NBA, Intel, Cisco, Live-Oak Bank, and thousands of other development teams and companies of all sizes.

Documentation

curl -L https://raw.githubusercontent.com/permitio/opal/master/docker/docker-compose-example.yml \
> docker-compose.yml && docker compose up

📖 For further reading, check out our Blog

Community

We would love to chat with you about OPAL. Join our Slack community to chat about authorization, open-source, realtime communication, tech, or anything else!

You can raise questions and ask for features to be added to the road-map in our Github discussions, report issues in Github issues

If you like our project, please consider giving us a ⭐️

Button
Button

Contributing to OPAL

  • Pull requests are welcome! (please make sure to include passing tests and docs)
  • Prior to submitting a PR - open an issue on GitHub, or make sure your PR addresses an existing issue well.

There's more!

  • Check out OPToggles, which enables you to create user targeted feature flags/toggles based on Open Policy managed authorization rules!
  • Check out Cedar-Agent, the easiest way to deploy & run AWS Cedar.