I would like to have a policy where the decision has to be made by querying a field against a system of record which doesnot have a http api. Is there a way for a policy to call an external program and use its return code to decide whether to allow/deny?
Looking at https://www.openpolicyagent.org/docs/latest/policy-reference/#built-in-functions, I am not finding a function to use. Is there a function I am missing?
OPA does not provide a way to directly call external programs in the policy evaluation.
There are maybe a few things I'd recommend considering:
Call the external program before doing an evaluation with OPA that requires the data, and provide the result from the program as part of the
input
.Implement a custom builtin function. Check out https://www.openpolicyagent.org/docs/latest/extensions/ for a couple of options (depending on how you are integrating OPA).
You could implement a lightweight HTTP service which wraps making the call to the external program (eg simple python or golang app that exec's the other program and returns the data for use by the
http.send
builtin)