
Implementing a Fine-Grained Permissions System with Open Policy Agent (OPA) - bkhablenko
https://blog.verygoodsecurity.com/posts/building-a-fine-grained-permissions-system-in-a-distributed-environment
======
mjallday
It would be really interesting to hear you talk about how you test the
policies that are written for OPA.

Are the policy documents stored alongside the service or kept in a central
registry? Do you need to include OPA when doing unit testing for the
individual services, or can it just be layered on and integration tested?

~~~
bkhablenko
Hey, thanks for the question. Policy testing is described in detail here:
[https://www.openpolicyagent.org/docs/latest/policy-testing/](https://www.openpolicyagent.org/docs/latest/policy-testing/)

As for where policies are stored, we keep them with the service and later
mount them in a K8s pod as a ConfigMap. OPA then downloads missing data from the
Bundle Service. Integration testing is more or less the same, with OPA
declared as a container in Docker Compose.

