Use Open Policy Agent with Apigee hybrid to perform API Authorization. Learn more about Open Policy Agent here and about Apigee hybrid here.

An inventory service is deployed in your Kubernetes cluster. You want to allow users with role admin access to HTTP methods GET and POST (i.e., get, list and create). However, users with role user only have access to the HTTP method GET (i.e., get and list)

In this scenario, OPA is a Policy Decision Point (also known as a PDP which is a component or rules engine that returns true | false based on a set of inputs applied on a rule) and the Apigee hybrid gateway is a Policy Enforcement Point (also known as a PEP which is a component or process that enforces decisions made by a PDP)

Create a file called policy.rego. This policy define two roles and authorizes each role to a set of http methods. The role is conveyed to the rules engine in a JWT claim

package httpapi.authz

# HTTP API request
import input

# Define admin permissions
admin_roles = ["admin", ]
admin_methods = ["GET", "POST", ]

# Define user permissions
user_roles = ["admin","user", ]
user_methods = ["GET", ]

default allow = false

# Allow any app to get inventory
allow {
  input.method == user_methods[_]
  input.path = ["/opa/items"]
  token.payload.role == user_roles[_]
}

# Allow only admin apps to create inventory
allow {
  input.method == admin_methods[_]
  input.path = ["/opa/items"]
  token.payload.role == admin_roles[_]
}

# Helper to get the token payload.
token = {"payload": payload} {
  [header, payload, signature] := io.jwt.decode(input.token)
}

Deploy OPA server to Kubernetes manifest

kubectl apply -f open-policy-agent.yaml -n apps

Deploy a token generation API proxy to Apigee hyrid

Deploy the sample inventory API proxy to Apigee hyrid

Create developer applications with a custom attribute called role. Set the user role on the app

NOTE: Typically the user role is defined in the IdP. This example does not use an IdP.