opa-ams

command module
v0.0.0-...-22b873f Latest
Published: Mar 29, 2023 License: Apache-2.0 Imports: 37 Imported by: 0

README

OPA-AMS


opa-ams provides an Open Policy Agent (OPA)-compatible API for making access review requests against the OpenShift Account Management System (AMS) API.

API

POST /v1/data/{package}/{rule}

The opa-ams HTTP server exposes a single endpoint of the OPA Data API and fulfills requests by translating them into AMS access reviews. This endpoint expects an OPA Input Document in the body of the request with the following structure:

{
    "input": {
        "groups": ["string"],
        "permission": "string",
        "resource": "string",
        "subject": "string",
        "tenant": "string"
    }
}

It returns a response with the following structure:

{
    "result": boolean
}
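
As an added example (not part of the opa-ams project), a Go client for the endpoint above: it builds the Input Document, POSTs it to /v1/data/{package}/{rule} and fails closed on anything other than a 200 response carrying a boolean result. The stub server, the package name "observatorium", the tenant "team-a" and the other input values are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type Input struct {
	Groups     []string `json:"groups"`
	Permission string   `json:"permission"`
	Resource   string   `json:"resource"`
	Subject    string   `json:"subject"`
	Tenant     string   `json:"tenant"`
}

// Authorize POSTs {"input": in} to {baseURL}/v1/data/{pkg}/{rule}; a transport error, non-200 status or malformed body yields false (fail closed).
func Authorize(c *http.Client, baseURL, pkg, rule string, in Input) (bool, error) {
	body, _ := json.Marshal(map[string]Input{"input": in}) // cannot fail for a plain struct
	resp, err := c.Post(fmt.Sprintf("%s/v1/data/%s/%s", baseURL, pkg, rule), "application/json", bytes.NewReader(body))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("opa-ams returned HTTP %d", resp.StatusCode)
	}
	var out struct{ Result bool }
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return false, err
	}
	return out.Result, nil
}

// NewStub is a constructed stand-in for opa-ams (not the real service): it allows only permission "read" on tenant "team-a".
func NewStub() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var req struct{ Input Input }
		_ = json.NewDecoder(r.Body).Decode(&req) // an unparsable body leaves req empty and is denied below
		json.NewEncoder(w).Encode(map[string]bool{"result": req.Input.Tenant == "team-a" && req.Input.Permission == "read"})
	}))
}

func main() {
	srv := NewStub()
	defer srv.Close()
	fmt.Println(Authorize(srv.Client(), srv.URL, "observatorium", "allow", Input{Groups: []string{"dev"}, Permission: "read", Resource: "metrics", Subject: "alice", Tenant: "team-a"}))
}
```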

Usage

Usage of ./opa-ams:
      --ams.mappings strings          A list of comma-separated mappings from Observatorium tenants to AMS organization IDs, e.g. foo=bar,x=y
      --ams.mappings-path string      A path to a JSON file containing a map from Observatorium tenants to AMS organization IDs.
      --ams.url string                An AMS URL against which to authorize client requests.
      --debug.name string             A name to add as a prefix to log lines. (default "opa-ams")
      --log.format string             The log format to use. Options: 'logfmt', 'json'. (default "logfmt")
      --log.level string              The log filtering level. Options: 'error', 'warn', 'info', 'debug'. (default "info")
      --memcached strings             One or more Memcached server addresses.
      --memcached.expire int32        Time after which keys stored in Memcached should expire, given in seconds. (default 3600)
      --memcached.interval int32      The interval at which to update the Memcached DNS, given in seconds; use 0 to disable. (default 10)
      --oidc.audience string          The audience for whom the access token is intended, see https://openid.net/specs/openid-connect-core-1_0.html#IDToken.
      --oidc.client-id string         The OIDC client ID, see https://tools.ietf.org/html/rfc6749#section-2.3.
      --oidc.client-secret string     The OIDC client secret, see https://tools.ietf.org/html/rfc6749#section-2.3.
      --oidc.issuer-url string        The OIDC issuer URL, see https://openid.net/specs/openid-connect-discovery-1_0.html#IssuerDiscovery.
      --opa.package string            The name of the OPA package that opa-ams should implement, see https://www.openpolicyagent.org/docs/latest/policy-language/#packages.
      --opa.rule string               The name of the OPA rule for which opa-ams should provide a result, see https://www.openpolicyagent.org/docs/latest/policy-language/#rules. (default "allow")
      --resource-type-prefix string   A prefix to add to the resource name in AMS access review requests.
      --web.internal.listen string    The address on which the internal server listens. (default ":8081")
      --web.listen string             The address on which the public server listens. (default ":8080")

Documentation

There is no documentation for this package.

Directories

Path Synopsis
test
