Description
Current Behavior
I have followed the steps in the documentation to configure the OPA plugin.
I also referenced this test case, opa.t, regarding the correct format of the policy attribute (package and decision), for example: "organization/allow".
For example:
- name: provider-directory-api-organization-read
  uri: /fhir/Organization*
  methods: [ "GET" ]
  upstream_id: 1
  plugins:
    opa:
      host: "http://opa:8181"
      with_route: true
      policy: "organization/allow"
Sample policy:
package organization
import rego.v1
import input.request
result := {
    "allow": true,
    "reason": "request.method == GET",
} if {
    request.method == "GET"
}
Sample output (as per the Rego Playground):
{
    "result": {
        "allow": true,
        "reason": "request.method == GET"
    }
}
OPA logs:
{
"addrs": [
"0.0.0.0:8181"
],
"diagnostic-addrs": [],
"level": "info",
"msg": "Initializing server.",
"time": "2025-06-24T05:21:29Z"
}
{
"level": "debug",
"msg": "Failed to determine uid/gid of process owner",
"time": "2025-06-24T05:21:29Z"
}
{
"level": "debug",
"msg": "maxprocs: Leaving GOMAXPROCS=8: CPU quota undefined",
"time": "2025-06-24T05:21:29Z"
}
{
"level": "info",
"msg": "Starting decision logger.",
"plugin": "decision_logs",
"time": "2025-06-24T05:21:29Z"
}
{
"headers": {
"Content-Type": [
"application/json"
],
"User-Agent": [
"Open Policy Agent/1.5.1 (linux, arm64)"
]
},
"level": "debug",
"method": "POST",
"msg": "Sending request.",
"time": "2025-06-24T05:21:29Z",
"url": "https://telemetry.openpolicyagent.org/v1/version"
}
{
"level": "debug",
"msg": "Server initialized.",
"time": "2025-06-24T05:21:29Z"
}
{
"headers": {
"Content-Length": [
"213"
],
"Content-Type": [
"application/json"
],
"Date": [
"Tue, 24 Jun 2025 05:21:30 GMT"
]
},
"level": "debug",
"method": "POST",
"msg": "Received response.",
"status": "200 OK",
"time": "2025-06-24T05:21:30Z",
"url": "https://telemetry.openpolicyagent.org/v1/version"
}
{
"current_version": "1.5.1",
"level": "debug",
"msg": "OPA is up to date.",
"time": "2025-06-24T05:21:30Z"
}
{
"client_addr": "172.18.0.4:58488",
"level": "info",
"msg": "Received request.",
"req_body": "package organization\n\nimport rego.v1\n\nimport input.request\n\nresult := {\n \"allow\": true,\n \"reason\": \"request.method == GET\",\n} if {\n\trequest.method == \"GET\"\n}",
"req_id": 1,
"req_method": "PUT",
"req_params": {},
"req_path": "/v1/policies/organization",
"time": "2025-06-24T05:21:31Z"
}
{
"client_addr": "172.18.0.4:58488",
"level": "info",
"msg": "Sent response.",
"req_id": 1,
"req_method": "PUT",
"req_path": "/v1/policies/organization",
"resp_body": "{}\n",
"resp_bytes": 3,
"resp_duration": 1.629667,
"resp_status": 200,
"time": "2025-06-24T05:21:31Z"
}
{
"client_addr": "172.19.0.4:37212",
"level": "info",
"msg": "Received request.",
"req_body": "{\"input\":{\"request\":{\"headers\":{\"content-type\":\"application/fhir+json\",\"authorization\":\"Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJMOFRkd19mLTRlUDJOVmZzMUVDbDJka0ZwNmFGbi1QR2xZZWlxb0FvSkowIn0.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.PDfn4oU3Dh0_vSi_-QCqTC8G918JoN37UL3DtL9kvpkTyHilyXgVm0mw9mH5X4Oxbl1kJnbe3DonOtlMDNztEZm1VAMAGxEJ5jCr0oU9E5BuL3eMXk1EfiyGlxN35jNcCR7r9qmwa0NPtfJmdk-mvljYQePtxT1BM95usHHYYdGqXgsy9Wo715Kd71JMeVQ_trlzLSNym6sQZUA-Y14Zo78zX9eAhrK90wmvniIHZblvGFOm9AA1oJRsnEa8k3Kk3KM1Z8zSLk8I9yFgkQXsAgWYFeu0pLEfiPtA-sv-TPHCAO9oORJtfcrRiGakUEHPFJVMLty4VQpwFhEWCrI_wQ\",\"user-agent\":\"curl/8.7.1\",\"accept\":\"*/*\",\"host\":\"provider-directory.au.localhost\"},\"query\":{\"_id\":\"adv-hearing-care\"},\"port\":9443,\"path\":\"/fhir/Organization\",\"scheme\":\"https\",\"method\":\"GET\",\"host\":\"provider-directory.au.localhost\"},\"route\":{\"name\":\"provider-directory-api-organization-read\",\"uri\":\"/fhir/Organization*\",\"plugins\":{\"opa\":{\"keepalive\":true,\"keepalive_timeout\":60000,\"policy\":\"organization/allow\",\"keepalive_pool\":5,\"host\":\"http://opa:8181\",\"ssl_verify\":false,\"with_service\":false,\"with_consumer\":false,\"timeout\":3000,\"with_route\":true}},\"upstream_id\":1,\"id\":\"routes#5\",\"status\":1,\"priority\":0,\"methods\":[\"GET\"]},\"var\":{\"server_addr\":\"172.19.0.4\",\"remote_addr\":\"172.19.0.1\",\"server_port\":\"9443\",\"remote_port\":\"59082\",\"timestamp\":1750742645},\"type\":\"http\"}}",
"req_id": 2,
"req_method": "POST",
"req_params": {},
"req_path": "/v1/data/organization/allow",
"time": "2025-06-24T05:24:05Z"
}
{
"decision_id": "19b8bced-cb28-4abd-9166-9ab7adb87776",
"input": {
"request": {
"headers": {
"accept": "*/*",
"authorization": "Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJMOFRkd19mLTRlUDJOVmZzMUVDbDJka0ZwNmFGbi1QR2xZZWlxb0FvSkowIn0.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.PDfn4oU3Dh0_vSi_-QCqTC8G918JoN37UL3DtL9kvpkTyHilyXgVm0mw9mH5X4Oxbl1kJnbe3DonOtlMDNztEZm1VAMAGxEJ5jCr0oU9E5BuL3eMXk1EfiyGlxN35jNcCR7r9qmwa0NPtfJmdk-mvljYQePtxT1BM95usHHYYdGqXgsy9Wo715Kd71JMeVQ_trlzLSNym6sQZUA-Y14Zo78zX9eAhrK90wmvniIHZblvGFOm9AA1oJRsnEa8k3Kk3KM1Z8zSLk8I9yFgkQXsAgWYFeu0pLEfiPtA-sv-TPHCAO9oORJtfcrRiGakUEHPFJVMLty4VQpwFhEWCrI_wQ",
"content-type": "application/fhir+json",
"host": "provider-directory.au.localhost",
"user-agent": "curl/8.7.1"
},
"host": "provider-directory.au.localhost",
"method": "GET",
"path": "/fhir/Organization",
"port": 9443,
"query": {
"_id": "adv-hearing-care"
},
"scheme": "https"
},
"route": {
"id": "routes#5",
"methods": [
"GET"
],
"name": "provider-directory-api-organization-read",
"plugins": {
"opa": {
"host": "http://opa:8181",
"keepalive": true,
"keepalive_pool": 5,
"keepalive_timeout": 60000,
"policy": "organization/allow",
"ssl_verify": false,
"timeout": 3000,
"with_consumer": false,
"with_route": true,
"with_service": false
}
},
"priority": 0,
"status": 1,
"upstream_id": 1,
"uri": "/fhir/Organization*"
},
"type": "http",
"var": {
"remote_addr": "172.19.0.1",
"remote_port": "59082",
"server_addr": "172.19.0.4",
"server_port": "9443",
"timestamp": 1750742645
}
},
"labels": {
"id": "a64fad56-c5b3-40d6-b6be-99cd3d80ff06",
"version": "1.5.1"
},
"level": "info",
"metrics": {
"counter_server_query_cache_hit": 0,
"timer_rego_external_resolve_ns": 333,
"timer_rego_input_parse_ns": 1168416,
"timer_rego_query_compile_ns": 467209,
"timer_rego_query_eval_ns": 170042,
"timer_server_handler_ns": 3302666
},
"msg": "Decision Log",
"path": "organization/allow",
"req_id": 2,
"requested_by": "172.19.0.4:37212",
"time": "2025-06-24T05:24:05Z",
"timestamp": "2025-06-24T05:24:05.829957844Z",
"type": "openpolicyagent.org/decision_logs"
}
{
"client_addr": "172.19.0.4:37212",
"level": "info",
"msg": "Sent response.",
"req_id": 2,
"req_method": "POST",
"req_path": "/v1/data/organization/allow",
"resp_body": "{\"decision_id\":\"19b8bced-cb28-4abd-9166-9ab7adb87776\"}\n",
"resp_bytes": 55,
"resp_duration": 6.655416,
"resp_status": 200,
"time": "2025-06-24T05:24:05Z"
}
Sample project: https://github.com/Robinyo/provider-directory
Expected Behavior
To evaluate the policy and allow access to the API endpoint.
Error Logs
172.19.0.1 - - [24/Jun/2025:05:23:53 +0000] provider-directory.au.localhost "PUT /fhir/Organization/adv-hearing-care HTTP/1.1" 201 429 0.478 "-" "PostmanRuntime/7.44.0" 172.19.0.8:8080 201 0.465 "http://provider-directory.au.localhost"
2025/06/24 05:24:05 [error] 33#33: *10905 [lua] opa.lua:115: phase_func(): invalid OPA decision format: {"decision_id":"19b8bced-cb28-4abd-9166-9ab7adb87776"}
err: `result` field does not exist, client: 172.19.0.1, server: _, request: "GET /fhir/Organization?_id=adv-hearing-care HTTP/2.0", host: "provider-directory.au.localhost"
2025/06/24 05:24:05 [warn] 33#33: *10905 [lua] plugin.lua:1210: run_plugin(): opa exits with http status code 503, client: 172.19.0.1, server: _, request: "GET /fhir/Organization?_id=adv-hearing-care HTTP/2.0", host: "provider-directory.au.localhost"
172.19.0.1 - - [24/Jun/2025:05:24:05 +0000] provider-directory.au.localhost "GET /fhir/Organization?_id=adv-hearing-care HTTP/2.0" 503 269 0.031 "-" "curl/8.7.1" - - - "http://provider-directory.au.localhost"
Steps to Reproduce
A sample project, see: https://github.com/Robinyo/provider-directory
Environment
- APISIX version - FROM apache/apisix:3.12.0-debian
- Operating system : Darwin Kernel Version 24.1.0: Thu Oct 10 21:05:14 PDT 2024; root:xnu-11215.41.3~2/RELEASE_ARM64_T8103 arm64
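
An added example, not part of the original report and not APISIX or OPA code: a small Python model of the lookup shown in the logs above, where `POST /v1/data/organization/allow` returns only a `decision_id`. The data tree and the names `data_api`, `gateway_check` and `usable_policies` are constructed for illustration; only the missing-`result` 503 outcome comes from the error log, and the deny branch is an assumption.

```python
import json

# Constructed: the document tree OPA exposes under /v1/data once the sample
# policy is loaded and input.request.method == "GET" (one rule named `result`).
DATA = {"organization": {"result": {"allow": True,
                                    "reason": "request.method == GET"}}}

def data_api(data, policy):
    """Model POST /v1/data/<policy>: an undefined path omits `result`."""
    node = data
    for part in policy.strip("/").split("/"):
        if not isinstance(node, dict) or part not in node:
            return {"decision_id": "constructed-id"}  # undefined document
        node = node[part]
    return {"decision_id": "constructed-id", "result": node}

def gateway_check(response):
    """Classify a response the way the error log above does.

    Only the missing-`result` case (503) is taken from the page; treating a
    missing or false `allow` as a deny is an assumption of this sketch.
    """
    if "result" not in response:
        return "503 invalid decision: `result` field does not exist"
    result = response["result"]
    if isinstance(result, dict) and result.get("allow") is True:
        return "allow"
    return "deny"

def usable_policies(data, prefix=""):
    """Return every path whose document is an object with a boolean `allow`."""
    found = []
    for key, value in data.items():
        path = f"{prefix}/{key}".lstrip("/")
        if isinstance(value, dict):
            if isinstance(value.get("allow"), bool):
                found.append(path)
            found.extend(usable_policies(value, path))
    return found

if __name__ == "__main__":
    for policy in ("organization/allow", "organization", "organization/result"):
        resp = data_api(DATA, policy)
        print(policy, "->", json.dumps(resp), "->", gateway_check(resp))
    print("paths returning a decision object:", usable_policies(DATA))
```

Comparing the `path` field of each decision log entry with the rule names the loaded policy actually defines is the quickest way to spot this kind of mismatch.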