From 2b7e75e07945560de875a4eaefe1f71e4e135845 Mon Sep 17 00:00:00 2001
From: Aditya Manthramurthy
Date: Wed, 4 May 2022 23:53:42 -0700
Subject: [PATCH] Add OPA doc and remove deprecation marking (#14863)

---
 cmd/config-current.go | 2 +-
 docs/sts/opa.md | 82 ++++++++++++++++++++++++++++++
 internal/config/policy/opa/help.go | 4 +-
 3 files changed, 85 insertions(+), 3 deletions(-)
 create mode 100644 docs/sts/opa.md

diff --git a/cmd/config-current.go b/cmd/config-current.go
index 8652505ff..01ff7df96 100644
--- a/cmd/config-current.go
+++ b/cmd/config-current.go
@@ -108,7 +108,7 @@ func initHelp() {
 },
 config.HelpKV{
 Key: config.PolicyOPASubSys,
- Description: "[DEPRECATED] enable external OPA for policy enforcement",
+ Description: "enable external OPA for policy enforcement",
 },
 config.HelpKV{
 Key: config.APISubSys,
diff --git a/docs/sts/opa.md b/docs/sts/opa.md
new file mode 100644
index 000000000..64ab6f0a2
--- /dev/null
+++ b/docs/sts/opa.md
@@ -0,0 +1,82 @@
+# OPA Quickstart Guide [![Slack](https://slack.minio.io/slack?type=svg)](https://slack.minio.io)
+OPA is a lightweight general-purpose policy engine that can be co-located with MinIO server, in this document we talk about how to use OPA HTTP API to authorize requests. It can be used with any type of credentials (STS based like OpenID or LDAP, regular IAM users or service accounts).
+
+## Get started
+
+### 1. Start OPA in a container
+
+```sh
+podman run -it \ --name opa \ --publish 8181:8181 \ docker.io/openpolicyagent/opa:0.40.0-rootless \ run --server \ --log-format=json-pretty \ --log-level=debug \ --set=decision_logs.console=true
+```
+
+### 2. Create a sample OPA Policy
+
+In another terminal, create a policy that allows root user all access and for all other users denies `PutObject`:
+```sh
+cat > example.rego <
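Review bot: The new description for PolicyOPASubSys still tells an operator nothing about what enabling the subsystem changes — the docs/sts/opa.md added in this same commit describes OPA as an external policy engine reached over its HTTP API that authorizes requests for any credential type, and that is what a reader of the help output needs before switching it on. Consider `Description: "enable external OPA (HTTP policy engine) for policy enforcement"`, which keeps the existing wording and adds the one fact that matters. The diffstat shows internal/config/policy/opa/help.go also changes two lines in this commit, presumably the same marker removal; that hunk is outside this excerpt, so I cannot confirm its wording stays consistent with this line. The body of initHelp begins and ends outside the hunk.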