Hi folks, I'm seeking feedback on an RFC to add Open Policy Agent (OPA) as an opt-in authorizer plugin for Polaris. The motivation is straightforward: as deployments scale, RBAC alone struggles with context (purpose of use, data sensitivity, workload identity) and often devolves into role explosion. Policy engines like OPA enable us to decouple policy from code and express richer attribute-based rules in a Rego, improving auditability and testability without changing Polaris’ catalog semantics.
Delegating policy decisions to OPA will also enable organizations to reuse their existing, centralized policy store. Polaris can run OPA locally as a sidecar while OPA fetches bundles from the centralized policy distribution pipeline, which may be a necessity due to a streamlined governance strategy. The proposal is ready for review (so is the PR) and has been intentionally designed to be safe to trial. The existing PolarisAuthorizerImpl will remain the default and the proposed OpaPolarisAuthorizer is strictly opt-in through configurations. Implementation details, configuration, and security options are in the RFC. I'd appreciate your review and feedback! Thanks, Sung Google Doc: https://docs.google.com/document/d/1HadMFygjbuZathZZPanO6cFVorx0Ju0FopkICxX1tCE/edit?tab=t.0 PR: https://github.com/apache/polaris/pull/2680
