OPA v1 is Almost Out! Here’s What You Need to Know
- Share:
What is OPA?
OPA (Open Policy Agent) is an open-source multi-purpose policy engine that unifies policy enforcement across your stack. It provides a high-level declarative language (Rego) that lets you specify policy as code and simple APIs - offloading policy decision-making from your software.
OPA has many uses, allowing you to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more. This also makes OPA a very popular solution for controlling access to systems and resources, as it allows us to separate policy logic from application code—a best practice in authorization architecture.
Already in use by tech giants like Netflix, Tesla, Reddit, and Walmart, OPA is quite a long-standing project, celebrating its 8th anniversary last December. With 5000+ commits from more than 400 contributors, the team behind just announced OPA v1.0.
The new version brings many changes in the form of deprecations, cleanup, and utilities, contributing to a better developer experience when using OPA and Rego for authorization.
What changed?
OPA v1 follows a broader trend we have been seeing in the authorization space in the last couple of years, with an ever-growing focus on accessibility, usability, and a shift-left approach to security.
For years, traditional approaches to authorization involved convoluted workflows, arcane syntax, and ridiculously steep learning curves, leading to frustration and inefficiency for both users and developers.
As the IAM space embraces a user-centric mindset and prioritizes developer-friendly interfaces, OPA v1 is no different - It features many quality-of-life improvements that make Rego (sometimes notorious for its complexity) much cleaner, accessible, and easy to understand.
Before we get into all the changes:
- A complete recap of all the new changes made to OPA is available in this awesome blog by Anders Eknert
- The official changelog for OPA V1 is available in the OPA Docs
What’s new in OPA v1?
Deprecations and cleanup
As mentioned before, the main focus of this update seems to be focused on making Rego easier to read and write. This is partly due to the depreciation of many cumbersome features:
import future.keywords.{x}
(x beingin
,every
,if
, andcontains
) is no longer relevant, as all keywords are now made available everywhere, making the code much cleaner.- Rules must now include the
if
keyword - Instead of:
allow {
"admin" in user.roles
}
if
is expressed as a one-liner (no curly brackets), making it much easier to read:
allow if "admin" in user.roles
Using only one line of code for a rule with one condition makes the code much easier to understand, resulting in less boilerplate to write.
Partial rules / Multi-value rules must now include the
contains
keyword, making the code easier to read & understand. For example -Instead of
user_grants[grant]
, we’ll now writeuser_grants contains grant
input
&data
are now ( Finally !! ) reserved and are prohibited as identifiers, helping prevent weird bugs.OPA server will now bind to
localhost
instead of0.0.0.0
by default, which is a better practice and a more secure default.We can also see a bunch of functions have now been deprecated. These include:
any
,all
,re_match
,net.cidr_overlap
,set_diff
,cast_array
,cast_set
,cast_string
,cast_boolean
,cast_null
, andcast_object
Utilities
A number of quality-of-life utilities were also added in this version. Most of these are focused on a quick and seamless transition from your existing version of OPA into v1 without too much hassle. These include:
opa fmt --rego-v1
allows you to easily transition from versions as old as OPA v0.59.0 to v1 compliance.opa check --rego-v1
will verify that your rules are compatible with v1, avoiding duplicate imports and any other compatibility changes.import rego.v1
can help you make sure that your code is compatible with v1, replacingfuture.keywords
. This will make OPA behave as if it is a v1 file without the need to adapt your existing policies to the new format mentioned above.- A
--v1-compatible
flag is added to all commands to make OPA “behave” as it is in v1, which really aids with an easy transition process. - If you're looking for backward compatibility, a new flag,
--v0-compatible
, will be added to the OPA CLI. Similar functionality will also be added to OPA’s Go SDK, Go API, and build command.
What does this mean for OPAL?
TL;DR - Not much 😅
As you might already know, OPAL (Open Policy Administration Layer) is an open-source administration layer for Policy Engines such as Open Policy Agent (OPA), and AWS' Cedar Agent. OPAL automates the synchronization between the policy store and the real-time data needed for policy decisions, ensuring that policies are always evaluated with the most up-to-date information.
OPAL is simply a synchronization system and was built to be policy-engine agnostic. Thus, it is able to run with OPA v1 seamlessly. Keep in mind that if you are using OPAL, you will have to make your policy compatible with v1 before changing to v1.
What does this mean for Permit?
Permit is also policy-engine agnostic, generating policy as code in the language of your choice, whether it be Rego or AWS’ Cedar. The engineers here at Permit will have to migrate the policy we generate. Luckily, as we saw, that’s an easy task to achieve considering all the wonderful tools OPA provided us to do so effortlessly. This means we can simply execute opa fmt --rego-v1
on our already generated environments, changing our code generation to the new syntax.
On a more personal note, we’re really thrilled to see the folks from OPA putting effort into making OPA more approachable and developer-friendly. It makes us feel proud to have chosen them as the first policy engine to support with Permit. We believe this approach will give developers the confidence to use OPA for their IAM needs further, allowing them to better follow authorization best practices and build applications that are more secure than ever before.
The future of OPA
As OPA advances towards v1, these changes signify an important moment in the evolution of the authorization space. With a focus on enhancing readability, streamlining syntax, and bolstering security, OPA is playing an important role in redefining the landscape of policy management and enforcement - making it more accessible and user-friendly than ever before.
Written by
Daniel Bass
Application authorization enthusiast with years of experience as a customer engineer, technical writing, and open-source community advocacy. Comunity Manager, Dev. Convention Extrovert and Meme Enthusiast.