grpc package v1.46.0

Published: Dec 22, 2025 License: Apache-2.0 Imports: 54 Imported by: 0

Warning: This package is not in the latest version of its module.

README

gRPC Plugin

The gRPC plugin implements the CRUD handlers for both the Policy and Data endpoints, plus a combined "Bulk" endpoint intended to give higher throughput for Policy/Data operations by batching all the writes into a single transaction. Reads are currently batched into a single transaction as well.

Running a grpc plugin

eopa --config-file grpc.yaml run -s -l debug

# grpc.yaml: grpc plugin configuration file
plugins:
  grpc:
    addr: ":9090"

References:
  1. https://www.openpolicyagent.org/docs/latest/rest-api/#policy-api
  2. https://www.openpolicyagent.org/docs/latest/rest-api/#data-api

Documentation

Overview

Package grpc provides the implementation of EOPA's gRPC server. It is modeled directly off of OPA's HTTP Server implementation, and borrows as much code from OPA as is reasonable.

Several features of the OPA HTTP Server are missing, notably:

  • Logging
  • Provenance
  • Tracing/Explain

Index

Constants

const PluginName = "grpc"

Variables

This section is empty.

Functions

func Factory

func Factory() plugins.Factory

func StreamingDataRWParseDataFromRequest

func StreamingDataRWParseDataFromRequest(req *datav1.StreamingDataRWRequest_WriteRequest) (any, error)

Parsing function for individual Data write payloads. The returned value is a bjson.BJSON under the hood.

func StreamingPolicyRWParsePolicyFromRequest

func StreamingPolicyRWParsePolicyFromRequest(req *policyv1.StreamingPolicyRWRequest_WriteRequest) (*ast.Module, error)

Parsing function for individual Policy write payloads.

Types

type AuthenticationScheme

type AuthenticationScheme int

AuthenticationScheme enumerates the supported authentication schemes. The authentication scheme determines how client identities are established.

const (
	AuthenticationOff AuthenticationScheme = iota
	AuthenticationToken
	AuthenticationTLS
)

Set of supported authentication schemes.

type AuthorizationScheme

type AuthorizationScheme int

AuthorizationScheme enumerates the supported authorization schemes. The authorization scheme determines how access to OPA is controlled.

const (
	AuthorizationOff AuthorizationScheme = iota
	AuthorizationBasic
)

Set of supported authorization schemes.

type Config

type Config struct {
	MaxRecvMessageSize int    `json:"max_recv_message_size"` // Max size can be up to ~2.1 GB. Default is 4 MB.
	Addr               string `json:"addr"`                  // bind address for the gRPC server.

	// Authentication is the type of authentication scheme to use.
	Authentication string `json:"authentication,omitempty"`

	// Authorization is the type of authorization scheme to use.
	Authorization string `json:"authorization,omitempty"`

	TLS struct {
		CertFile            string `json:"cert_file,omitempty"`
		CertKeyFile         string `json:"cert_key_file,omitempty"`
		CertRefreshInterval string `json:"cert_refresh_interval,omitempty"` // duration to wait between cert hash checks.
		RootCACertFile      string `json:"ca_cert_file,omitempty"`          // Path to the root CA certificate for verifying clients. If not provided, this defaults to TLS using the host’s root CA set.
		// SystemCARequired    bool   `json:"system_ca_required,omitempty"`    // require system certificate appended with root CA certificate.
		MinVersion string `json:"min_version,omitempty"`
		// contains filtered or unexported fields
	} `json:"tls,omitempty"`
	// contains filtered or unexported fields
}

func (*Config) SetListener

func (c *Config) SetListener(lis net.Listener)

type Loop

type Loop func(chan struct{}, chan struct{}) error

Loop will contain all the calls from the server that we'll be listening on.

type Server

Note(philip): Logically, the running server is structured as a wrapper around an actual grpc.Server type. At runtime, the grpc.Server runs in its own goroutine, and is optionally supported by a certLoop goroutine that checks to see if certificates have changed on disk since the last refresh. If the certificate files changed, the certLoop replaces the in-memory certificate with an updated one. For more involved TLS reconfiguration, the entire gRPC plugin must be restarted.

func New

func New(manager *plugins.Manager, config Config) *Server

Validation of TLS config happens upstream in (factory).Validate().

func (*Server) BulkRW

BulkRW endpoint handler.

func (*Server) CreateData

Creates or overwrites a data document, creating any necessary containing documents to make the path valid. Equivalent to the Data REST API's PUT method.

func (*Server) CreatePolicy

Parses, compiles, and installs a policy. Equivalent to the Policy REST API's PUT method.

func (*Server) DeleteData

Deletes a document. Equivalent to the Data REST API's DELETE method.

func (*Server) DeletePolicy

Deletes a policy module. If other policy modules in the same package depend on rules in the policy module to be deleted, the server will return an error. Equivalent to the Policy REST API's DELETE method.

func (*Server) GetData

Retrieves/evaluates a document requiring input. Equivalent to the Data REST API's GET (with Input) method.

func (*Server) GetPolicy

Retrieves a policy module. Equivalent to the Policy REST API's GET method.

func (*Server) GracefulStop

func (s *Server) GracefulStop()

func (*Server) ListPolicies

Lists all stored policy modules. Equivalent to the Policy REST API's List method.

func (*Server) Serve

func (s *Server) Serve(lis net.Listener) error

func (*Server) Stop

func (s *Server) Stop()

func (*Server) StreamingDataRW

func (s *Server) StreamingDataRW(stream datav1.DataService_StreamingDataRWServer) error

Handles streaming Data read/write operations. Only truly fatal errors should cause it to return a non-nil error to the gRPC client.

func (*Server) StreamingPolicyRW

func (s *Server) StreamingPolicyRW(stream policyv1.PolicyService_StreamingPolicyRWServer) error

Only truly fatal errors should cause it to return a non-nil error to the gRPC client.

func (*Server) UpdateData

Creates/Updates/Deletes a document. Roughly equivalent to the Data REST API's PATCH method.

func (*Server) UpdatePolicy

Parses, compiles, and installs a policy. Equivalent to the Policy REST API's PUT method.

func (*Server) WithAuthentication

func (s *Server) WithAuthentication(scheme AuthenticationScheme) *Server

WithAuthentication sets authentication scheme to use on the server.

func (*Server) WithAuthorization

func (s *Server) WithAuthorization(scheme AuthorizationScheme) *Server

WithAuthorization sets authorization scheme to use on the server.

func (*Server) WithCertPool

func (s *Server) WithCertPool(pool *x509.CertPool) *Server

WithCertPool sets the server-side cert pool that the server will use.

func (*Server) WithCertificate

func (s *Server) WithCertificate(cert *tls.Certificate) *Server

WithCertificate sets the server-side certificate that the server will use.

func (*Server) WithCertificatePaths

func (s *Server) WithCertificatePaths(certFilename, keyFilename string, refresh time.Duration) *Server

WithCertificatePaths sets the server-side certificate and key-file paths that the server will periodically check for changes, and reload if necessary.

func (*Server) WithDecisionIDFactory

func (s *Server) WithDecisionIDFactory(f func() string) *Server

WithDecisionIDFactory sets a function on the server to generate decision IDs.

func (*Server) WithDecisionLoggerWithErr

func (s *Server) WithDecisionLoggerWithErr(logger func(context.Context, *opa_server.Info) error) *Server

WithDecisionLoggerWithErr sets the decision logger used by the server.

func (*Server) WithMinTLSVersion

func (s *Server) WithMinTLSVersion(minTLSVersion uint16) *Server

func (*Server) WithRuntimeData

func (s *Server) WithRuntimeData(term *ast.Term) *Server

WithRuntimeData sets the runtime data to provide to the evaluation engine.

Directories

Path: internal
