diff --git a/cmd/config-current.go b/cmd/config-current.go index 8652505ff..01ff7df96 100644 --- a/cmd/config-current.go +++ b/cmd/config-current.go @@ -108,7 +108,7 @@ func initHelp() { }, config.HelpKV{ Key: config.PolicyOPASubSys, - Description: "[DEPRECATED] enable external OPA for policy enforcement", + Description: "enable external OPA for policy enforcement", }, config.HelpKV{ Key: config.APISubSys, diff --git a/docs/sts/opa.md b/docs/sts/opa.md new file mode 100644 index 000000000..64ab6f0a2 --- /dev/null +++ b/docs/sts/opa.md @@ -0,0 +1,82 @@ +# OPA Quickstart Guide [![Slack](https://slack.minio.io/slack?type=svg)](https://slack.minio.io) +OPA is a lightweight general-purpose policy engine that can be co-located with MinIO server, in this document we talk about how to use OPA HTTP API to authorize requests. It can be used with any type of credentials (STS based like OpenID or LDAP, regular IAM users or service accounts). + +## Get started + +### 1. Start OPA in a container + +```sh +podman run -it \ + --name opa \ + --publish 8181:8181 \ + docker.io/openpolicyagent/opa:0.40.0-rootless \ + run --server \ + --log-format=json-pretty \ + --log-level=debug \ + --set=decision_logs.console=true +``` + +### 2. Create a sample OPA Policy + +In another terminal, create a policy that allows root user all access and for all other users denies `PutObject`: +```sh +cat > example.rego <