Convert Figma logo to code with AI

permitio logoopal

Policy and data administration, distribution, and real-time updates on top of Policy Agents (OPA, Cedar, ...)

4,143
156
4,143
47
View on GitHub

Top Related Projects

ory's avatar

keto

4,774

Open Source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models.

casbin's avatar

casbin

17,484

An authorization library that supports access control models like ACL, RBAC, ABAC in Golang: https://discord.gg/S5UjpzGZjN

open-policy-agent's avatar

opa

9,505

Open Policy Agent (OPA) is an open source, general-purpose policy engine.

authzed's avatar

spicedb

4,924

Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications

osohq's avatar

oso

3,467

Oso is a batteries-included framework for building authorization in your application.

warrant-dev's avatar

warrant

1,112

Warrant is a highly scalable, centralized authorization service based on Google Zanzibar. Use it to define, enforce, query, and audit application authorization and access control.

Quick Overview

OPAL (Open Policy Administration Layer) is an open-source project that provides real-time policy updates and data fetching for policy agents. It's designed to work with Open Policy Agent (OPA) and other policy engines, offering a scalable solution for distributing policy data across services and environments.

Pros

  • Real-time policy updates without service restarts
  • Scalable architecture supporting millions of agents
  • Flexible integration with various policy engines and data sources
  • Built-in support for popular cloud providers and services

Cons

  • Requires additional infrastructure setup compared to standalone OPA
  • Learning curve for teams new to policy-as-code concepts
  • Limited documentation for advanced use cases
  • Potential single point of failure if not properly configured for high availability

Code Examples

  1. Configuring OPAL client in Python:
from opal_client.config import Config
from opal_client import OpalClient

config = Config(
    policy_store_url="http://localhost:8181",
    data_store_url="http://localhost:7002",
    topics=["policy_updates", "data_updates"]
)

client = OpalClient(config)
client.start()
  1. Defining a policy in Rego for OPAL:
package example

default allow = false

allow {
    input.method == "GET"
    input.path == "/api/public"
}
  1. Using OPAL with OPA in a Kubernetes deployment:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: opa
spec:
  template:
    spec:
      containers:
        - name: opa
          image: openpolicyagent/opa:latest
          args:
            - "run"
            - "--server"
            - "--config-file=/config/config.yaml"
          volumeMounts:
            - readOnly: true
              mountPath: /config
              name: opa-config
        - name: opal-client
          image: permitio/opal-client:latest
          env:
            - name: OPAL_SERVER_URL
              value: "http://opal-server:7002"

Getting Started

  1. Install OPAL server and client:

    docker pull permitio/opal-server
docker pull permitio/opal-client

  2. Run OPAL server:

    docker run -p 7002:7002 -p 7000:7000 permitio/opal-server

  3. Run OPAL client:

    docker run -p 7766:7000 \
  -e OPAL_SERVER_URL=http://<opal-server-address>:7002 \
  permitio/opal-client

  4. Configure your application to use OPAL client for policy decisions.

Competitor Comparisons

ory logo

keto

4,774

Open Source (Go) implementation of "Zanzibar: Google's Consistent, Global Authorization System". Ships gRPC, REST APIs, newSQL, and an easy and granular permission language. Supports ACL, RBAC, and other access models.

Pros of Keto

  • More mature project with a larger community and ecosystem
  • Supports multiple storage backends (SQL, Redis, in-memory)
  • Offers a REST API for easier integration with various systems

Cons of Keto

  • Steeper learning curve due to more complex architecture
  • Requires additional setup and configuration compared to OPAL
  • Less focus on real-time policy updates

Code Comparison

OPAL policy example:

allow(user, action, resource) if
    user.role == "admin" or
    (user.role == "editor" and action in ["read", "write"])

Keto policy example:

{
  "id": "policies:blog",
  "subjects": ["users:admin", "users:editor"],
  "resources": ["resources:blog:posts:<.*>"],
  "actions": ["create", "read", "update", "delete"],
  "effect": "allow"
}

Both OPAL and Keto provide policy-based access control, but they differ in their approach and syntax. OPAL uses a more expressive policy language, while Keto relies on JSON-based policy definitions. OPAL focuses on real-time policy distribution and evaluation, whereas Keto offers a broader set of features and integration options. The choice between the two depends on specific project requirements, scalability needs, and preferred policy definition style.

casbin logo

casbin

17,484

An authorization library that supports access control models like ACL, RBAC, ABAC in Golang: https://discord.gg/S5UjpzGZjN

Pros of Casbin

  • More mature and widely adopted project with a larger community
  • Supports multiple programming languages and frameworks
  • Offers a flexible, adaptable policy definition language (PCDL)

Cons of Casbin

  • Requires more manual configuration and setup
  • Less focus on real-time policy updates and distribution
  • May have a steeper learning curve for complex authorization scenarios

Code Comparison

Casbin policy definition:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act

OPAL policy definition (using OPA):

package authz

default allow = false

allow {
    input.user == "admin"
}

allow {
    input.action == "read"
    input.resource == "public_data"
}

Both Casbin and OPAL offer powerful authorization solutions, but they differ in their approach and focus. Casbin provides a versatile, multi-language authorization library with a custom policy language, while OPAL emphasizes real-time policy management and distribution using OPA. The choice between them depends on specific project requirements, language preferences, and the need for real-time policy updates.

open-policy-agent logo

opa

9,505

Open Policy Agent (OPA) is an open source, general-purpose policy engine.

Pros of OPA

  • Mature and widely adopted project with extensive documentation
  • Supports multiple policy languages (Rego, JSON, YAML)
  • Integrates with various cloud-native technologies and platforms

Cons of OPA

  • Steeper learning curve, especially for Rego language
  • Lacks built-in real-time policy distribution capabilities
  • Requires additional setup for centralized management and distribution

Code Comparison

OPA (Rego policy):

package httpapi.authz

default allow = false

allow {
    input.method == "GET"
    input.path == ["api", "public"]
}

OPAL (Python policy):

def allow_access(request):
    if request.method == "GET" and request.path == "/api/public":
        return True
    return False

Summary

OPA is a mature and versatile policy engine with broad ecosystem support, while OPAL focuses on real-time policy management and distribution. OPA uses Rego as its primary policy language, which can be more complex to learn, whereas OPAL allows policies to be written in Python, potentially lowering the entry barrier for developers. Both projects have their strengths, with OPA excelling in flexibility and OPAL in ease of policy updates and distribution.

authzed logo

spicedb

4,924

Open Source, Google Zanzibar-inspired permissions database to enable fine-grained authorization for customer applications

Pros of SpiceDB

  • Built-in support for Google's Zanzibar authorization model
  • Designed for high performance and scalability
  • Strong focus on data consistency and reliability

Cons of SpiceDB

  • Steeper learning curve due to its specific data model
  • Less flexibility in terms of integration with existing systems
  • More complex setup and configuration process

Code Comparison

OPAL policy example:

package app.rbac

default allow = false

allow {
    input.user.role == "admin"
}

SpiceDB schema example:

definition user {}

definition document {
    relation viewer: user
    relation editor: user
    permission view = viewer + editor
    permission edit = editor
}

Key Differences

  • OPAL uses Rego language for policy definition, while SpiceDB uses its own schema language
  • OPAL focuses on real-time policy distribution, whereas SpiceDB emphasizes relationship-based authorization
  • OPAL provides more flexibility in policy structure, while SpiceDB offers a more structured approach based on the Zanzibar model

Both projects aim to solve authorization challenges, but they take different approaches. OPAL is more adaptable to various policy structures, while SpiceDB provides a robust implementation of the Zanzibar model for relationship-based access control.

osohq logo

oso

3,467

Oso is a batteries-included framework for building authorization in your application.

Pros of Oso

  • Supports multiple programming languages (Python, Ruby, Java, Node.js, Go)
  • Provides a domain-specific language (Polar) for writing authorization rules
  • Offers a more comprehensive authorization solution with built-in role-based access control (RBAC)

Cons of Oso

  • Steeper learning curve due to the custom Polar language
  • Less focus on real-time policy updates compared to OPAL
  • May require more integration effort for existing applications

Code Comparison

Oso (using Polar language):

allow(user, "read", post) if
    user.role = "admin" or
    user.id = post.author_id;

OPAL (using Rego language):

allow {
    input.user.role == "admin"
}
allow {
    input.user.id == input.resource.author_id
}

Both examples demonstrate simple authorization rules, but Oso uses its custom Polar language, while OPAL leverages the Rego language from Open Policy Agent (OPA). Oso's syntax is more concise, but OPAL's use of Rego provides compatibility with the broader OPA ecosystem.

warrant-dev logo

warrant

1,112

Warrant is a highly scalable, centralized authorization service based on Google Zanzibar. Use it to define, enforce, query, and audit application authorization and access control.

Pros of Warrant

  • Offers a more comprehensive authorization solution with built-in user management and role-based access control
  • Provides a user-friendly dashboard for managing permissions and roles
  • Supports multiple programming languages and frameworks out of the box

Cons of Warrant

  • Less flexible for custom policy definitions compared to OPAL's OPA-based approach
  • May have a steeper learning curve for teams already familiar with OPA
  • Limited support for distributed policy enforcement in complex microservices architectures

Code Comparison

Warrant:

const warrant = new Warrant({ apiKey: 'YOUR_API_KEY' });
const hasPermission = await warrant.authorize({
  user: 'user@example.com',
  permission: 'edit_post',
  object: { type: 'post', id: '123' }
});

OPAL:

from opal_client.policy import Policy

policy = Policy.from_json({
    "allow": {
        "user": "user@example.com",
        "action": "edit",
        "resource": "post:123"
    }
})
result = policy.evaluate({"user": "user@example.com", "action": "edit", "resource": "post:123"})

Both Warrant and OPAL provide powerful authorization solutions, but they cater to different use cases and preferences. Warrant offers a more integrated approach with user management and RBAC, while OPAL focuses on flexible policy definitions using OPA. The choice between them depends on specific project requirements and team expertise.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

opal

⚡OPAL⚡

Open Policy Administration Layer

Tests Package Package Downloads Docker pulls Join our Slack!

What is OPAL?

OPAL is an administration layer for Policy Engines such as Open Policy Agent (OPA), and AWS' Cedar Agent detecting changes to both policy and policy data in realtime and pushing live updates to your agents. OPAL brings open-policy up to the speed needed by live applications.

As your application state changes (whether it's via your APIs, DBs, git, S3 or 3rd-party SaaS services), OPAL will make sure your services are always in sync with the authorization data and policy they need (and only those they need).

Check out our main site at OPAL.ac, this video briefly explaining OPAL and how it works with OPA, and a deeper dive into it at this OWASP DevSlop talk.

Why use OPAL?

OPAL is the easiest way to keep your solution's authorization layer up-to-date in realtime. It aggregates policy and data from across the field and integrates them seamlessly into the authorization layer, and is microservices and cloud-native.

OPA + OPAL == 💜

While OPA (Open Policy Agent) decouples policy from code in a highly-performant and elegant way, the challenge of keeping policy agents up-to-date remains. This is especially true in applications, where each user interaction or API call may affect access-control decisions. OPAL runs in the background, supercharging policy-agents, keeping them in sync with events in realtime.

AWS Cedar + OPAL == 💪

Cedar is a very powerful policy language, which powers AWS' AVP (Amazon Verified Permissions) - but what if you want to enjoy the power of Cedar on another cloud, locally, or on premise? This is where Cedar-Agent and OPAL come in.

Documentation

curl -L https://raw.githubusercontent.com/permitio/opal/master/docker/docker-compose-example.yml \
> docker-compose.yml && docker-compose up


OPAL uses a client-server stateless architecture. OPAL-Servers publish policy and data updates over a lightweight (websocket) PubSub Channel, which OPAL-clients subscribe to via topics. Upon updates each client fetches data directly (from source) to load it in to its managed OPA instance.
simplified
📖   For further reading check out our [Blog](https://bit.ly/opal_blog).

Community

Come talk to us about OPAL, or authorization in general - we would love to hear from you ❤️

You can raise questions and ask for features to be added to the road-map in our Github discussions, report issues in Github issues, follow us on Twitter to get the latest OPAL updates, and join our Slack community to chat about authorization, open-source, realtime communication, tech, or anything else!

If you are using our project, please consider giving us a ⭐️

Button
Button

Contributing to OPAL

  • Pull requests are welcome! (please make sure to include passing tests and docs)
  • Prior to submitting a PR - open an issue on GitHub, or make sure your PR addresses an existing issue well.

There's more!

  • Check out OPToggles, which enables you to create user targeted feature flags/toggles based on Open Policy managed authorization rules!
  • Check out Cedar-Agent, the easiest way to deploy & run AWS Cedar.