Scaling OPA: How SugarCRM, Atlassian and Netflix Unified Authorization Across the Stack
Open Policy Agent (OPA), now a graduated project from the Cloud Native Computing Foundation, has become the open-source tool of choice for millions of users, who leverage it as a standard building block for policy and authorization across the cloud-native stack. Given the flexibility of OPA — with practically limitless deployment options — it has been adopted for dozens of use cases across hundreds of companies. As such, developers hoping to begin an OPA journey, expand to a new use case or scale OPA within their organizations often look to how OPA is used by others for inspiration. To help generate some fresh ideas, we’re taking a look at how three highly successful OPA users, SugarCRM, Atlassian and Netflix used OPA to solve critical challenges and scale for unified authorization within their organizations. With these mini “case studies” in mind, users can hopefully find inspiration to solve their own authorization and policy challenges and leverage OPA across teams, clusters and clouds.
Netflix unified authorization for cloud microservices backend
An early adopter of cloud-based microservices, Netflix needed a unified way of managing authorization between the complex web of backend services that support its front-end video platform. Without a consistent framework for authorization, it would be difficult-to-impossible to manage policy across the complicated microservices architecture — representing hundreds of teams — while ensuring that authorization decisions happened in less than a millisecond, which was required for the service to rapidly scale. If authorization is handled differently by every service, it is very challenging to quickly trace any problem to its source, and even harder to make immediate global policy changes across services, for instance for SecOps purposes.
This being the case, OPA was an obvious choice for the Netflix team. Using OPA, the company built a unified architecture for making authorization decisions at scale across hundreds of services and enforcement points, at low latency. Not only did this solve the authorization challenge for Netflix, but it also enabled a self-serve model in which different teams can safely author and deploy their own policies.
Atlassian created a global authorization platform
Atlassian is the purveyor of popular cloud products like Jira, Trello, Confluence and BitBucket. To help support these products, the company hosts more than 1,000 services that are distributed worldwide. As with many companies, authorization was initially handled at the service level, rather than at the platform level. As a result, many of Atlassian’s services had unique, bespoke authorization mechanisms, which made it a challenge to unify security and compliance management across the company.
Again, OPA was the logical next step. By leveraging OPA as a unified authorization standard, Atlassian was able to build a global authorization platform, where they could centrally manage authorization and policy and audit OPA decisions across the enterprise. The company uses several deployment models for OPA, including two different microservices sidecar models, as well as deployment models at gateways and proxies. With a centralized policy platform, different teams across Atlassian can avail themselves of already-built OPA schemas for different authorization use cases, or individual teams can write their own OPA policies, which are still vetted by the central platform. Leveraging OPA in this way, Atlassian can continue to scale its cloud services across the globe, while ensuring security and compliance for its millions of customers.
SugarCRM uses OPA to put guardrails around Kubernetes deployments
SugarCRM is a leading provider of customer experience solutions whose more than half dozen products support millions of users every day. As a company embracing the cloud, SugarCRM needed modern controls for cloud infrastructure and security that worked seamlessly with its software-defined systems, and which could be tracked over time for compliance. The SugarCRM DevOps and platform teams, while already proficient in automation, still found that they relied on resource-intensive manual processes, such as reviewing Kubernetes configurations, that were prone to manual error.
OPA was a natural solution. With it, SugarCRM was able to leverage a common toolset and framework for expressing authorization policy for Kubernetes admission control, codifying those policies and best practices and automating their application. Moreover, to help scale and manage OPA deployments across teams and clusters, SugarCRM also opted to use the Styra Declarative Authorization Service (DAS), after briefly considering building their own control plane. DAS was ultimately critical for automating policy deployment, visibility and reporting around OPA. Moreover, with DAS, SugarCRM could simplify policy deployment with a prebuilt library of policy and best practices, helping extend OPA across teams and allowing DevOps and platform teams to spend less time writing policies and more time focusing on differentiated work. Overall, OPA and DAS allowed SugarCRM to achieve its security and infrastructure goals, minimize misconfigurations and eliminate at least 40 hours per month spent on manual reviews, remediation and re-training.
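To make the Kubernetes admission-control guardrail concrete, here is an illustrative Rego policy added to this post; it is not SugarCRM's or Styra's own policy and the rules and test data are constructed for the example. It assumes an OPA running as a validating admission webhook, so `input` is the AdmissionReview document the API server sends, and it uses OPA's `rego.v1` syntax. The two checks it codifies are the sort of thing a manual configuration review would otherwise have to catch by eye: every container must declare CPU and memory limits, and images must be pinned rather than pulled by a floating tag.

```rego
# Added illustrative guardrail, not SugarCRM's policy. Intended for an OPA
# running as a Kubernetes validating admission webhook, where `input` is the
# AdmissionReview sent by the API server. Uses OPA's rego.v1 syntax.
package kubernetes.admission

import rego.v1

# Every container in a Pod must declare CPU and memory limits; an unbounded
# container can starve its neighbours, and a missing limit is exactly the
# kind of misconfiguration a manual review would otherwise have to catch.
deny contains msg if {
    input.request.kind.kind == "Pod"
    some container in input.request.object.spec.containers
    not container.resources.limits.cpu
    msg := sprintf("container %q must set a CPU limit", [container.name])
}

deny contains msg if {
    input.request.kind.kind == "Pod"
    some container in input.request.object.spec.containers
    not container.resources.limits.memory
    msg := sprintf("container %q must set a memory limit", [container.name])
}

# Images must be pinned: a bare name or a ":latest" tag can change underneath
# the reviewed configuration, so what was approved is not what runs.
deny contains msg if {
    input.request.kind.kind == "Pod"
    some container in input.request.object.spec.containers
    mutable_tag(container.image)
    msg := sprintf("container %q uses mutable image reference %q", [container.name, container.image])
}

mutable_tag(image) if endswith(image, ":latest")

mutable_tag(image) if not contains(image, ":")

# Constructed sample AdmissionReview for `opa test`: one container with no
# limits and a floating tag trips all three rules.
test_unbounded_latest_pod_is_denied if {
    count(deny) == 3 with input as {
        "request": {
            "kind": {"kind": "Pod"},
            "object": {
                "metadata": {"name": "web"},
                "spec": {"containers": [{"name": "app", "image": "nginx:latest"}]}
            }
        }
    }
}

# A digest-pinned image with both limits set produces no denials.
test_pinned_pod_with_limits_is_allowed if {
    count(deny) == 0 with input as {
        "request": {
            "kind": {"kind": "Pod"},
            "object": {
                "spec": {"containers": [{
                    "name": "app",
                    "image": "nginx@sha256:0123",
                    "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}
                }]}
            }
        }
    }
}
```

Running `opa test` against the file exercises both constructed cases before the policy is ever wired to a cluster, which is the point of codifying the review: the guardrail is versioned, testable and applied identically on every admission request, rather than depending on a reviewer noticing a missing `limits` block.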
A rapidly growing OPA community
With over one million downloads per week, and with recent headlines about its CNCF graduation, OPA’s traction continues to grow in the tech community, and new use cases emerge every day. Hopefully you now have some fresh ideas on how you can deploy OPA for the first time, expand your use case or scale OPA to new teams and services. And, if you want to dive deeper into how you can roll out OPA or scale it in your organization, two helpful resources are our recent eBook, OPA at Scale, or the Styra Academy, which offers a host of courses on authoring OPA policy and more.