OPA Deployment Archtectural Decisions #639
Replies: 4 comments 7 replies
-
Hi there @humbertoc-silva, this is a great question and it'd be good to have some more content on this topic in the OPA docs for sure. The pros to this approach are:
The cons to this approach are:
|
Beta Was this translation helpful? Give feedback.
-
Adding to Charlie's great summary:
OPA does not provide any type of isolation between policies loaded on the same instance. So any policy can at least by default get any data from any system, query any rule or package, and so on. You could probably prevent most of this with compile time checks that make sure that doesn't happen, e.g. have custom Regal rules to determine that no reference in |
Beta Was this translation helpful? Give feedback.
-
Hi @charlieegan3 and @anderseknert, thank you for the contribution. I agree with the pros, but related to the high volume of data, imagine if we have one OPA container instance (enterprise or open) with 1GB of data and we scale out to 10 containers, here is my first point, OPA doesn't share a common cache and at the final we will have 10GB of duplicated data. The solution could be to deploy a cache layer and turn off About the cons, I agree too, latency, point of failure, and traffic security are all things that are difficult to handle and support. But here I have a question for you. Does OPA was designed to support hundred of thousands of policies and rules in the same instance? Why do I ask this? I did a test loading 10K, 50K, and 100k simple ABAC-based rules like the following example:
OPA wasn't able to load 50k+ rules like those. I waited minutes but the container didn't start. So the volume of rules in a centralized OPA could be a problem? Good point about policy isolation, I didn't think about that, and this can be a factor in deciding to run certain policies in different OPA instances. To finish, maybe it could be interesting to establish a template or some rules about the way people will write their policies because we can have poor policies that will affect the entire system's performance. |
Beta Was this translation helpful? Give feedback.
-
Hi guys, I put my code inside a Git repository to share with you. Let me know if the problem is on my machine or if I made a mistake when creating and loading the policy into OPA that caused the problem. With few rules, OPA loads the policy very fast, but with 50.000 it takes minutes here. I put some instructions on README.md but feel free to ask me about anything. Thank you! |
Beta Was this translation helpful? Give feedback.
-
Hi, OPA community,
I have a topic related to deployment architectural decisions to discuss with you. I see orientations on OPA docs to deploy it as a sidecar container, to use it inside services through the Go module or SDK, and in some situations to use the OPA binary too. All these options make me think that the main way to deploy OPA is as a component distributed throughout the stack.
But did anyone think deploying OPA as a centralized authorization service? What would be the pros and cons of using OPA this way?
I know that, as always, it depends, so to help with this, I will describe an environment that we can use as a background to our discussion:
I have an opinion but I would like to hear your experiences before sharing my own.
Beta Was this translation helpful? Give feedback.
All reactions