test1

docker-compose.yml

@@ -0,0 +1,10 @@
+version: "3.8"
+services:
+  opa:
+    image: openpolicyagent/opa:latest
+    container_name: opa
+    command: run --server --log-level debug --addr=0.0.0.0:8181 --bundle /bundle
+    ports:
+      - "8181:8181"
+    volumes:
+      - ./opa:/bundle

opa/app/rbac/policy.rego

@@ -0,0 +1,30 @@
+package app.rbac
+
+# By default, deny requests.
+default allow := false
+
+# Allow admins to do anything.
+allow if user_is_admin
+
+# Allow the action if the user is granted permission to perform the action.
+allow if {
+	# Find grants for the user.
+	some grant in user_is_granted
+
+	# Check if the grant permits the action.
+	input.action == grant.action
+	input.type == grant.type
+}
+
+# user_is_admin is true if "admin" is among the user's roles as per data.user_roles
+user_is_admin if "admin" in data.user_roles[input.user]
+
+# user_is_granted is a set of grants for the user identified in the request.
+# The `grant` will be contained if the set `user_is_granted` for every...
+user_is_granted contains grant if {
+	# `role` assigned an element of the user_roles for this user...
+	some role in data.user_roles[input.user]
+
+	# `grant` assigned a single grant from the grants list for 'role'...
+	some grant in data.role_grants[role]
+}

opa/data.json

@@ -0,0 +1,20 @@
+{
+  "user_roles": {
+    "alice": ["admin", "developer"],
+    "bob": ["developer"],
+    "charlie": ["guest"]
+  },
+  "role_grants": {
+    "admin": [
+      {"action": "read", "type": "any"},
+      {"action": "write", "type": "any"}
+    ],
+    "developer": [
+      {"action": "read", "type": "code"},
+      {"action": "write", "type": "code"}
+    ],
+    "guest": [
+      {"action": "read", "type": "docs"}
+    ]
+  }
+}