https://github.com/observatorium/opa-ams

an OPA-compatible API for making OpenShift AMS access review requests
https://github.com/observatorium/opa-ams

Last synced: 4 months ago
JSON representation

an OPA-compatible API for making OpenShift AMS access review requests

• Host: GitHub
• URL: https://github.com/observatorium/opa-ams
• Owner: observatorium
• License: apache-2.0
• Created: 2020-10-01T16:58:47.000Z (over 5 years ago)
• Default Branch: master
• Last Pushed: 2025-12-17T14:09:36.000Z (6 months ago)
• Last Synced: 2025-12-19T23:53:25.508Z (6 months ago)
• Language: Go
• Size: 9.28 MB
• Stars: 5
• Watchers: 2
• Forks: 5
• Open Issues: 5
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# OPA-AMS

[![CircleCI](https://circleci.com/gh/observatorium/opa-ams.svg?style=svg)](https://circleci.com/gh/observatorium/opa-ams) [![Go Report Card](https://goreportcard.com/badge/github.com/observatorium/opa-ams)](https://goreportcard.com/report/github.com/observatorium/opa-ams)

`opa-ams` provides an Open Policy Agent (OPA) -compatible API for making access review requests against the OpenShift Account Management System (AMS) API.

## API

### POST /v1/data/{package}/{rule}

The `opa-ams` HTTP server exposes a single endpoint of the [OPA Data API](https://www.openpolicyagent.org/docs/latest/rest-api/#data-api) and fullfills requests by translating them into [AMS access reviews](https://api.openshift.com/?urls.primaryName=Accounts%20management%20service#/default/post_api_authorizations_v1_access_review). This endpoint expects an OPA [Input Document](https://www.openpolicyagent.org/docs/latest/kubernetes-primer/#input-document) in the body of the request with the following structure:

```json

{

    "input": {

        "groups": ["string"],

        "permission": "string",

        "resource": "string",

        "subject": "string",

        "tenant": "string"

    }

}

```

It returns a response with the following structure:

```json

{

    "result": boolean

}

```

## Usage

```txt mdox-exec="./opa-ams --help" mdox-expect-exit-code=2

Usage of ./opa-ams:

      --ams.mappings strings                       A list of comma-separated mappings from Observatorium tenants to AMS organization IDs, e.g. foo=bar,x=y

      --ams.mappings-path string                   A path to a JSON file containing a map from Observatorium tenants to AMS organization IDs.

      --ams.url string                             An AMS URL against which to authorize client requests.

      --debug.name string                          A name to add as a prefix to log lines. (default "opa-ams")

      --internal.tracing.endpoint string           The full URL of the trace agent or collector. If it's not set, tracing will be disabled.

      --internal.tracing.endpoint-type string      The tracing endpoint type. Options: 'agent', 'collector'. (default "agent")

      --internal.tracing.sampling-fraction float   The fraction of traces to sample. Thus, if you set this to .5, half of traces will be sampled. (default 0.1)

      --internal.tracing.service-name string       The service name to report to the tracing backend. (default "opa-ams")

      --log.format string                          The log format to use. Options: 'logfmt', 'json'. (default "logfmt")

      --log.level string                           The log filtering level. Options: 'error', 'warn', 'info', 'debug'. (default "info")

      --memcached strings                          One or more Memcached server addresses.

      --memcached.expire int32                     Time after which keys stored in Memcached should expire, given in seconds. (default 3600)

      --memcached.interval int32                   The interval at which to update the Memcached DNS, given in seconds; use 0 to disable. (default 10)

      --oidc.audience string                       The audience for whom the access token is intended, see https://openid.net/specs/openid-connect-core-1_0.html#IDToken.

      --oidc.client-id string                      The OIDC client ID, see https://tools.ietf.org/html/rfc6749#section-2.3.

      --oidc.client-secret string                  The OIDC client secret, see https://tools.ietf.org/html/rfc6749#section-2.3.

      --oidc.issuer-url string                     The OIDC issuer URL, see https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery.

      --opa.package string                         The name of the OPA package that opa-ams should implement, see https://www.openpolicyagent.org/docs/latest/policy-language/#packages.

      --opa.rule string                            The name of the OPA rule for which opa-ams should provide a result, see https://www.openpolicyagent.org/docs/latest/policy-language/#rules. (default "allow")

      --resource-type-prefix string                A prefix to add to the resource name in AMS access review requests.

      --web.healthchecks.url string                The URL against which to run healthchecks. (default "http://localhost:8080")

      --web.internal.listen string                 The address on which the internal server listens. (default ":8081")

      --web.listen string                          The address on which the public server listens. (default ":8080")

pflag: help requested

```