Motivation

Hasura Permissions are Hard

This project was born out of a few observations about Hasura’s Permission Rules:

  • Hasura permissions are hard to configure.
    • The amount of JSON quickly proliferates.
    • There aren’t any mechanisms to keep the rules DRY (e.g., there are no fragments).
    • The rules need to be replicated to lots of different tables.
  • Hasura permissions are hard to share with non-technical stakeholders.
    • They’re baked into Hasura’s YAML metadata.
    • They’re JSON that only engineers can understand.
  • Hasura permissions are hard to change.
    • They’re tightly coupled to application code.

Open Policy Agent: A Panacea

Open Policy Agent addresses a lot of these concerns, by the very act of decoupling policy decision-making from policy enforcement.

It frees the logic behind authorization and entitilements, codifying it in readable language that any stakeholder can read.

Open Policy Agent (OPA, pronounced “oh-pa”) … provides a high-level declarative language that lets you specify policy as code and simple APIs to offload policy decision-making from your software. You can use OPA to enforce policies in microservices, Kubernetes, CI/CD pipelines, API gateways, and more… OPA decouples policy decision-making from policy enforcement. When your software needs to make policy decisions it queries OPA and supplies structured data (e.g., JSON) as input.

The End Goal: OPA -> Hasura

How nice would it be if you could just sync your OPA policies straight into Hasura?

That is the dream of this project.

A CLI that you can use to simply import your OPA policies and sync them to your Hasura metadata.