OPA-PDP high level architecture

Software Architecture

OPA PDP Architecture

Figure 1. OPA PDP Architecture

  • KafkaListener/Producer: for topic:policy-pdp-pap, OPA PDP listens for incoming PDP_UPDATE and PDP_STATE_CHANGE messages from PAP. OPA PDP sends PDP_STATUS messages to PAP via Producer. for topic:opa-pdp-data, OPA PDP when scaled up during deployment, every opa instance will produce and listen to OPA_PDP_DATA_PATCH_SYNC messages.

  • OPA PDP Engine: The Go application that decodes base64 TOSCA policies and handles the deployment and undeployment of policies into the OPA SDK.

  • Msg Processor: Process incoming messages PDP_UPDATE, PDP_STATE_CHANGE, OPA_PDP_DATA_PATCH_SYNC for validation.

  • PDP STATE: Maintains PDP State Active or Passive.

  • Policy Map: In Memory Cache that holds the Map of names of policies,policy keys and data keys deployed.

  • Metrics: Handles statistics of number of policies deployed,success and failure counts and other metrics.

  • OPA SDK: An Open Source OPA Go library component that stores data and policies in memory and manages the policies.

  • REST Interface: Exposes APIs for decision-execution, dynamic data updates, fetch statistics, and health checks.

OPA PDP And PolicyFramework Interaction

OPA-PDP will handles all messages that PAP sends similar to other PDPs.Following are functionalities supported.

  • Registration

  • Handle PDP_UPDATE

  • Handle PDP_STATE_CHANGE

  • Send Heartbeat Messages

  • Deploy Policy

  • Undeploy Policy

Once OPA-PDP is up it will send “Registration”( PDP_STATUS) message to PAP.Some of the information included in the message are:

  • pdpType the type of the PDP opa .

  • pdpGroup to which the PDP should belong to opaGroup.

  • state the initial state of the PDP which is PASSIVE.

  • healthy whether the PDP is “HEALTHY” or not.

  • name a name that is unique to the PDP instance for e.g. opa-f849384c-dd78-4016-a7b5-1c660fb6ee0e

Regsitration Message
{
  "messageName": "PDP_STATUS",
  "pdpType": "opa",
  "state": "PASSIVE",
  "healthy": "HEALTHY",
  "description": "Pdp Status Registration Message",
  "response": null,
  "policies": [],
  "name": "opa-4cd0a060-19bc-45ab-9955-7664d2b9604b",
  "requestId": "9c73856c-3d02-4236-838f-3d58ea5cc058",
  "pdpGroup": "opaGroup",
  "pdpSubgroup": null,
  "timestampMs": "1743010891210",
  "deploymentInstanceInfo": ""
}

Upon receiving the registration message PAP sends a PDP_UPDATE message along with the pdpHeartbeatIntervalMs, which specifies the time interval at which PDPs should send heartbeats to the PAP. The OPA-PDP starts a timer to send heartbeat messages periodically. Additionally, the OPA-PDP sends a PDP_STATUS response to the PDP_UPDATE message.

Example PDP_STATUS response to PDP_UPDATE
{
  "messageName": "PDP_STATUS",
  "pdpType": "opa",
  "state": "PASSIVE",
  "healthy": "HEALTHY",
  "description": "Pdp Status Response Message For Pdp Update",
  "response": {
    "responseTo": "06f6d05f-6045-48d9-bcd8-40364fb695ae",
    "responseStatus": "SUCCESS",
    "responseMessage": "PDP Update was Successful"
  },
  "policies": null,
  "name": "opa-949018d3-cc9b-429b-96ae-46ca9c314e42",
  "requestId": "e6a0607f-5fc8-4d62-afca-3cb984d827a3",
  "pdpGroup": "opaGroup",
  "pdpSubgroup": "opa",
  "timestampMs": "1731335550030",
  "deploymentInstanceInfo":""
}

PAP sends a PDP_STATE_CHANGE message to change the state of PDPs from PASSIVE to ACTIVE. After registration, PAP makes a PDP ACTIVE by default. OPA-PDP handles the state change, updates its state accordingly, and sends a PDP_STATUS response. When a PDP becomes ACTIVE .In the ACTIVE state, OPA-PDP is ready to receive decision requests.

Example PDP_STATUS response to PDP_STATE_CHANGE
{
  "messageName": "PDP_STATUS",
  "pdpType": "opa",
  "state": "ACTIVE",
  "healthy": "HEALTHY",
  "description": "Pdp Status Response Message to Pdp State Change",
  "response": {
    "responseTo": "3edbb47c-b015-4fd9-9572-26cde97cc23c",
    "responseStatus": "SUCCESS",
    "responseMessage": "PDP State Changed From PASSIVE TO Active"
  },
  "policies": null,
  "name": "opa-949018d3-cc9b-429b-96ae-46ca9c314e42",
  "requestId": "02b186a6-485d-4392-90fa-d4cac34be97a",
  "pdpGroup": "opaGroup",
  "pdpSubgroup": "opa",
  "timestampMs": "1731335550069"
}

Deploy OPA policy

After receiving the PDP_UPDATE message to deploy policies on Kafka, the OPA PDP will perform the following steps:

  • Parse the message

  • Extract policy

  • Perform base64 decoding

  • Validate Rego syntax of decoded policy

  • validate json format of decoded policy

  • validate constraints

Note

  • Policy key should start with policyname.

  • Datakey should start with node.policyname.

  • The package name in rego file and policy key should be same.

  • Policy naming rules are validated.

UnDeploy OPA policy

After receiving the PDP_UPDATE message to undeploy policies on Kafka, the OPA PDP will perform the following steps:

  • Parse the message

  • Check policy exists

  • Remove data from OPA SDK

  • Remove policy from OPA SDK