This directory contains example configuration and policy files for opa-authzen-plugin.
config.yaml— OPA configuration with the AuthZEN plugin enabledpolicy.rego— Example Rego policy for AuthZEN evaluation
./opa-authzen-plugin run --server --config-file example/config.yaml example/policy.rego# Admin role — should be allowed
curl -s -X POST http://localhost:8181/access/v1/evaluation \
-H "Content-Type: application/json" \
-d '{
"subject": {"type": "user", "id": "alice", "properties": {"role": "admin"}},
"resource": {"type": "document", "id": "doc-123"},
"action": {"name": "delete"}
}'
# → {"decision":true}
# Read access for authenticated user — should be allowed
curl -s -X POST http://localhost:8181/access/v1/evaluation \
-H "Content-Type: application/json" \
-d '{
"subject": {"type": "user", "id": "bob"},
"resource": {"type": "document", "id": "doc-123"},
"action": {"name": "read"}
}'
# → {"decision":true}
# Non-admin write — should be denied
curl -s -X POST http://localhost:8181/access/v1/evaluation \
-H "Content-Type: application/json" \
-d '{
"subject": {"type": "user", "id": "bob"},
"resource": {"type": "document", "id": "doc-123"},
"action": {"name": "write"}
}'
# → {"decision":false}curl -s -X POST http://localhost:8181/access/v1/evaluation \
-H "Content-Type: application/json" \
-d '{
"subject": {"type": "user", "id": "bob"},
"resource": {"type": "office", "id": "building-a"},
"action": {"name": "access"},
"context": {"business_hours": true}
}'
# → {"decision":true}Top-level fields act as defaults; individual items override them.
curl -s -X POST http://localhost:8181/access/v1/evaluations \
-H "Content-Type: application/json" \
-d '{
"subject": {"type": "user", "id": "alice", "properties": {"role": "admin"}},
"action": {"name": "read"},
"evaluations": [
{"resource": {"type": "document", "id": "doc-1"}},
{"resource": {"type": "document", "id": "doc-2"}},
{"action": {"name": "delete"}, "resource": {"type": "document", "id": "doc-3"}}
]
}'
# → {"evaluations":[{"decision":true},{"decision":true},{"decision":true}]}curl -s -X POST http://localhost:8181/access/v1/evaluations \
-H "Content-Type: application/json" \
-d '{
"subject": {"type": "user", "id": "bob"},
"action": {"name": "read"},
"options": {"evaluations_semantic": "deny_on_first_deny"},
"evaluations": [
{"resource": {"type": "document", "id": "doc-1"}},
{"action": {"name": "delete"}, "resource": {"type": "document", "id": "doc-2"}},
{"resource": {"type": "document", "id": "doc-3"}}
]
}'
# Second evaluation (delete by non-admin) is denied → stops.
# Third evaluation is never executed.curl -s -X POST http://localhost:8181/access/v1/evaluations \
-H "Content-Type: application/json" \
-d '{
"subject": {"type": "user", "id": "bob"},
"options": {"evaluations_semantic": "permit_on_first_permit"},
"evaluations": [
{"action": {"name": "delete"}, "resource": {"type": "document", "id": "doc-1"}},
{"action": {"name": "read"}, "resource": {"type": "document", "id": "doc-2"}},
{"action": {"name": "delete"}, "resource": {"type": "document", "id": "doc-3"}}
]
}'
# First evaluation (delete by non-admin) is denied.
# Second evaluation (read) is permitted → stops.
# Third evaluation is never executed.curl -s -X POST http://localhost:8181/access/v1/evaluation \
-H "Content-Type: application/json" \
-H "X-Request-ID: my-trace-id-123" \
-d '{
"subject": {"type": "user", "id": "alice", "properties": {"role": "admin"}},
"resource": {"type": "document", "id": "doc-1"},
"action": {"name": "read"}
}' -D -
# Response includes: X-Request-ID: my-trace-id-123curl -s http://localhost:8181/.well-known/authzen-configuration | jq .
# → {
# "policy_decision_point": "http://localhost:8181",
# "access_evaluation_endpoint": "http://localhost:8181/access/v1/evaluation",
# "access_evaluations_endpoint": "http://localhost:8181/access/v1/evaluations"
# }