Open Policy Agent

Inspiring technology by Hunters

At Altia, we have designed several programmes for people who are finishing their degrees and recent graduates to start out in the IT sector, bringing their talent and passion for technology. One of these programmes is Hunters: trailblazers who love to follow trends and want to help anticipate future challenges. Being a Hunter means being part of a diverse group that generates and transfers knowledge. We share some of this knowledge through these articles on the latest in tech: today’s is about Open Policy Agent.

Open Policy Agent, or OPA (pronounced oh-pa), is an open source, general-purpose policy engine that evaluates policies written in Rego, a high-level declarative language, and can be used in microservices, Kubernetes, CI/CD pipelines... A policy is a set of rules that govern the behaviour of a software service, especially for authorisation purposes.

How OPA works

OPA is used to decouple policy decision-making from its enforcement in the following way:

  • When a service receives a request and needs to make a decision, it queries OPA, providing it with the necessary data.
  • OPA evaluates the defined policies to make a decision based on the data.
  • It returns a result to the service, which handles it accordingly.

Both OPA and Rego, the language in which the policies are written, are domain-agnostic so you can use this tool in an infinite number of scenarios. For example, it can determine:

  • Which user can access which resources.
  • Which subnets egress traffic is allowed to.
  • Which times a certain system can be accessed.
  • Etc.

Figure 1: General diagram of how OPA works

How can we integrate with OPA?

Integrating with OPA can be done in three different ways:

  • REST API: Returns a JSON object without a defined structure, depending on the policy and the decision taken.
  • Go API: Returns decisions based on simple Go types (bool, string, map[string]...).
  • WebAssembly (WASM): Portable binary code format (bytecode) used to run fully in the browser. It is a low-level language, initially designed as a target format for compilation from C and C++, though it also supports source code from other languages, such as Rust and Go.

OPA at the European Patent Office

The EPO (European Patent Office) has very strong privacy restrictions, even to the extent that not all users have access to the same information on a given patent.

Its users are organised in groups, called Directorate Groups (DGs). Examiners, who analyse patent applications to determine whether or not something similar already exists, can make notes on documents that have already been digitised. These notes are not visible to all users equally, and which ones they have access to depends on whether they are part of a particular DG.
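
The decision flow from "How OPA works", applied to the notes case over the REST API, as an added example that is not part of the original article or any EPO or Altia code: the OPA address, the `epo.notes` package, its `allow` rule and the input field names are all assumptions. Because the REST reply has no fixed structure, the service allows only on a literal `true` and denies on everything else, including an undefined decision or an unreachable OPA.

```python
import json
import urllib.request

# Assumptions (not from the article): OPA listens locally and a policy
# package "epo.notes" exposes a boolean rule "allow".
OPA_URL = "http://localhost:8181/v1/data/epo/notes/allow"


def http_query(payload: bytes) -> bytes:
    """Default transport: POST the input document to OPA's Data API."""
    req = urllib.request.Request(
        OPA_URL, data=payload, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=2) as resp:
        return resp.read()


def build_input(user_id, user_dgs, note):
    """Step 1: the service supplies the data the policy needs."""
    return {"input": {
        "action": "read",
        "user": {"id": user_id, "directorate_groups": sorted(user_dgs)},
        "note": {"id": note["id"], "directorate_group": note["dg"]},
    }}


def is_allowed(opa_input, transport=http_query) -> bool:
    """Steps 2-3: query OPA, then decide. Only a literal true allows."""
    try:
        decision = json.loads(transport(json.dumps(opa_input).encode()))
    except (OSError, ValueError):
        return False  # OPA unreachable or reply is not JSON: fail closed
    # An undefined rule yields {} with no "result" key: treat as deny.
    return isinstance(decision, dict) and decision.get("result") is True


def read_note(user_id, user_dgs, note, transport=http_query):
    """Enforcement point: release the note text only on an explicit allow."""
    if not is_allowed(build_input(user_id, user_dgs, note), transport):
        raise PermissionError(f"user {user_id} may not read note {note['id']}")
    return note["text"]


if __name__ == "__main__":
    # Constructed sample: a stub transport stands in for a running OPA.
    note = {"id": "n-1", "dg": "DG1", "text": "constructed note text"}
    print(read_note("alice", {"DG1"}, note, lambda _: b'{"result": true}'))
    print(is_allowed(build_input("bob", {"DG2"}, note), lambda _: b"{}"))
```

The `transport` parameter exists so the enforcement logic can be exercised without a running OPA; in a real deployment the default `http_query` is used.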

Want to know more about Hunters?

A Hunter rises to the challenge of trying out new solutions, delivering results that make a difference. Join the Hunters programme and become part of a diverse group that generates and transfers knowledge. Anticipate the digital solutions that will help us grow.

Find out more about Hunters on our website.

José Luis Antón Bueso

Solution Architect at Altia