apache / dubbo-go-pixiu

Based on the proxy gateway service of dubbo-go, it solves the problem that the external protocol calls the internal Dubbo cluster. At present, it supports HTTP and gRPC[developing].
https://dubbogo.github.io/dubbo-go-proxy/
Apache License 2.0
488 stars 154 forks

feature: support http filter plugins (Open Policy Agent) #605

Open baerwang opened 10 months ago

baerwang commented 10 months ago

What does Pixiu need to do with OPA?

It supports a variety of strategies, such as JWT, and the OPA module supports it comprehensively.

Pixiu needs to be implemented in two ways (choose one of the two)

Introduction

https://www.openpolicyagent.org/

Directions for use

Start OPA server

docker run -d --name opa -p 8181:8181 openpolicyagent/opa:latest run -s

Create OPA policy

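curl -X PUT '127.0.0.1:8181/v1/policies/example1' \
  -H 'Content-Type: text/plain' \
  -d 'package example1

import future.keywords.if
import input.request

# Deny unless a rule below matches
default allow = false

# The if keyword is required from OPA 1.0 on
allow if {
    # HTTP method must be GET
    request.method == "GET"
}'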

Query policy

curl -X POST '127.0.0.1:8181/v1/data/example1/allow' \
  -H 'Content-Type: application/json' \
  -d '{"input":{"request":{"method":"GET"}}}'

OPA rules

package main

import (
    "context"
    "fmt"

    "github.com/open-policy-agent/opa/rego"
)

func main() {
    // Inline policy: allow only when input.x == 1.
    mod := `
    package test
    import future.keywords.if

    default allow := false

    allow if {
        input.x == 1
    }
    `

    ctx := context.Background()

    // Compile the policy and the query once; the prepared query can be reused.
    pq, err := rego.New(
        rego.Query("data.test.allow"),
        rego.Module("test.rego", mod),
    ).PrepareForEval(ctx)
    if err != nil {
        panic(err)
    }

    // Input for a prepared query is supplied at evaluation time.
    result, err := pq.Eval(ctx, rego.EvalInput(map[string]interface{}{"x": 1}))
    if err != nil {
        panic(err)
    }
    fmt.Println(result.Allowed()) // true
}
}
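
Added example, not part of the issue or of Pixiu's code: a Go HTTP middleware that performs the "Query policy" call above for every incoming request and denies unless OPA explicitly returns `true`. `OPAFilter`, `stubOPA` and `statusFor` are hypothetical names, and the stub server is a constructed stand-in for the OPA container so the block runs offline.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// OPAFilter (hypothetical name) fails closed: only an explicit {"result": true} forwards the request.
func OPAFilter(opaURL string, next http.Handler) http.Handler {
	client := &http.Client{Timeout: 2 * time.Second}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, _ := json.Marshal(map[string]any{"input": map[string]any{"request": map[string]string{"method": r.Method}}})
		var out struct{ Result *bool `json:"result"` }
		resp, err := client.Post(opaURL+"/v1/data/example1/allow", "application/json", bytes.NewReader(body))
		if err == nil {
			defer resp.Body.Close()
			err = json.NewDecoder(resp.Body).Decode(&out)
		}
		if err != nil || resp.StatusCode != http.StatusOK || out.Result == nil || !*out.Result {
			http.Error(w, "forbidden by policy", http.StatusForbidden) // error, non-200 or undefined result
			return
		}
		next.ServeHTTP(w, r)
	})
}

// stubOPA is a constructed stand-in that answers like the page's example1 policy.
func stubOPA() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in map[string]map[string]map[string]string
		_ = json.NewDecoder(r.Body).Decode(&in)
		fmt.Fprintf(w, `{"result":%t}`, in["input"]["request"]["method"] == "GET")
	}))
}

func statusFor(opaURL, method string) int { // status the client sees for one request
	rec, upstream := httptest.NewRecorder(), http.HandlerFunc(func(http.ResponseWriter, *http.Request) {})
	OPAFilter(opaURL, upstream).ServeHTTP(rec, httptest.NewRequest(method, "/", nil))
	return rec.Code
}

func main() {
	opa := stubOPA() // torn down at process exit
	fmt.Println(statusFor(opa.URL, "GET"), statusFor(opa.URL, "POST")) // 200 403
}
```

Pointing `opaURL` at `http://127.0.0.1:8181` uses the container started in the steps above instead of the stub.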