Scaling Open Policy Agent: Styra DAS vs. DIY OPA
Danny Baier
May 19, 2022
Enterprises are shifting rapidly to the cloud in order to increase scalability, improve efficiency and lower their costs. In the process, every company has become a software company — constantly building and updating new software — while the cloud has radically transformed how software is built. Oftentimes, the modern cloud-native application will be made up of several (or hundreds of) microservices, while being hosted on dynamic scaling platforms like Kubernetes. With Kubernetes, enterprises have been able to adapt quickly to the cloud, and push themselves higher than ever before.
However, with an uptick in scale and complexity comes a similar rise in threat. With more and more users, requests, microservices and more moving through one’s infrastructure at any given time, there comes a need for unified authorization across every layer of the cloud-native stack. While legacy solutions to authorization were useful in their time, they are no longer flexible enough nor powerful enough to keep up with the demands of cloud scalability. As such, we at Styra created Open Policy Agent (OPA), a tool used to help enterprises shift to the cloud and manage in a unified way across the entire stack. For a good primer on OPA, see our blog, Open Policy Agent 101: a Beginner’s Guide.
Open Policy Agent (OPA)
If you are unfamiliar with OPA, it is an open-source policy engine which decouples policy decision-making from enforcement. Thanks to its unique, declarative policy language, Rego, developers are able to unify their policy, without having to build special functions for authorization requests to and from every unique system in their entire cloud-native stack. OPA has been used in countless manners, with integrations into the aforementioned Kubernetes, as well as with third party services such as Envoy, Kong Gateway, Istio, Terraform and much more.
But practically speaking, OPA was designed for a single developer or team to solve their policy problems — not necessarily an entire enterprise. As such, as OPA grows within an organization — across teams and use cases — enterprises will inevitably need a unified structure to keep pace at scale. This can leave teams overburdened by a sea of OPAs, each needing hands-on service as often as possible. From there, enterprises have a choice: adopt Styra Declarative Authorization Service (DAS), which can operationalize OPA across an entire enterprise on a unified platform, or build a method from scratch, suited for the specific needs of said enterprise. While building a personalized DIY approach can seem appealing — in a “free puppies” kind of way — Styra DAS can help teams rapidly operationalize OPA, without spending time and resources needed to integrate tools and build from scratch.
DIY vs. Styra DAS: Which Do I Choose?
As enterprise teams grow OPA within the organization, they should plan earlier, rather than later, around how they will manage OPA at scale. Towards this effort, are a number of factors they will need to keep in mind. The first is that, with a homegrown or DIY architecture, teams will inevitably need to “own” and maintain an OPA control plane as OPA scales, while becoming the primary responsibility-holders and points of contact for authorization in the enterprise. For many, this is a significant responsibility, given that they will need to answer for policy-related security and regulatory compliance concerns.
Beyond this, a number of practical factors come into play:
- Design. Teams must gather internal requirements and design a comprehensive management architecture around their OPA use case(s).
- Integrations. While a number of technology integrations exist in the OPA community, it’s not uncommon for teams to have to build bespoke integrations themselves.
- Security. How will you securely configure OPA for service-to-OPA integrations and management APIs, for not just current but future use cases?
- Versioning. How will you keep OPA up to date with new releases, integrations and functionality for underlying services?
- Control. Teams will need to build the plumbing between each of their OPA connections, which ideally includes functionality for visibility into policy deployments, governance and data fetching.
- Adoption. How will you handle factors like new joiners to OPA, policy authoring and collaboration, policy rollouts and, necessarily, leavers — to ensure that policy-based authorization remains supported over its lifecycle in your organization?
- Time. Of course, perhaps the most critical factor is the simple time it takes to get a DIY solution up and running, as well as maintained.
Below is a chart that summarizes these challenges in reference to Styra DAS and DIY solutions. Rather than an attempt to pitch Styra DAS as the “obvious choice,” this blog (and chart) seeks to provide users in the OPA in the community, who frequently research these questions, with clear and useful information surrounding the choices they will have to make as they scale policy as code within their organization. Indeed, the majority of the functionality offered by Styra DAS in this example is available in its free forever tier.
| Scaling Factors | Styra DAS | DIY |
| Design | Pre-built environment | Start from scratch |
| Integrations | 9+ pre-built integrations | Open-source solutions |
| Security | OOTB Configurations | Hands-on configuration |
| Versioning | Keeps OPA up to date | Manual updates |
| Control | Single pane of glass | One-by-one adjustments |
| Impact Analysis | Test policies before deployment | Custom testing |
| Adoption | Easy for anyone to pick up | Devs need to learn Rego |
| Time | Minutes | Days, weeks, months… |
In many cases, OPA adoption challenges that come up in the DIY process can be solved with relative ease using Styra DAS. Some of the most popular and sought-after features in this regard are the ability to see the value of policy as code through extensive decision logs and the ability to perform impact analysis before policies are pushed to deployment. This includes live testing for pre-built rules, state-based testing and back-testing, allowing you to be certain of your policy changes before they’re made.
Still unsure which method may be best for your enterprise? For a much deeper dive into this topic, read our whitepaper, Key Challenges in Scaling Up OPA for Enterprise.
And of course, if you want to see hands-on how Styra DAS can help operationalize OPA for your enterprise, give Styra DAS Free a try today.