How to allow/restrict external data push to OPA only for specific data

[Kamalakannangv]

Hi All,
When following option 4 to get external data, is there any authorization mechanism? We can set up OPA with authentication options like token or tls but is there any option to restrict the data updates only to a particular path or specific section of external data? In our case, there will be more than one system pushing data to OPA and we wanted to restrict these systems not to update/override other system’s data, so looking for something like
If input.identity is system1, allow it to update particular data and when input.identity is system2, it should be allowed to update different section of external data not the one updated by system1.

[srenatus]

You can have a system policy for authorization, see these docs. You can put anything into that policy, and it knows both the result of authentication (input.identity) and the request that's made (the rest of input).

If input.identity is system1, allow it to update particular data and when input.identity is system2, it should be allowed to update different section of external data not the one updated by system1.

Here's a sketch:

package system.authz

default allow := {
    "allowed": false,
    "reason": "unauthorized resource access"
}

allow := { "allowed": true } {
    input.identity == "system1"
    is_v1_data
    input.path[2] == "system1-stuff"
}

allow := { "allowed": true } {
    input.identity == "system2"
    is_v1_data
    input.path[2] == "system-2-stuff"
}

allow := { "allowed": false, "reason": reason } {
    not input.identity
    reason := "no identity provided"
}

is_v1_data {
    input.path[0] == "v1"
    input.path[1] == "data"
}

Now, this could of course become much more complex... 🎇

[Kamalakannangv]

Yes, data is supplied from multiple source but good thing is, path is not complex - each systems have their own path under /v1/data. Thanks again @srenatus for quickly providing clarification for my queries.