Hexa Policy Orchestrator enables you to manage all of your policies consistently across software providers so that you can unify access policy management. The below diagram describes the current provider architecture.
The Hexa project contains two applications, and demonstrates use of applications from Policy-Opa
- Policy Orchestrator with policy translations
- Demo Policy Administrator
- Demo web application (Policy-OPA)
- Hexa OPA Server and Bundle Server (Policy-OPA)
To get started with running these, clone or download the codebase from GitHub to your local machine:
cd $HOME/workspace # or similar
git clone [email protected]:hexa-org/policy-orchestrator.gitInstall the following dependencies.
- Go 1.22 - Needed to compile and install
- Docker Desktop - Needed to run docker-compose configuration
Build a Hexa Orchestrator image
cd demo
sh ./build.shRun all the applications with Docker Compose from within the demo directory
On Apple Silicon M1 (and M2) ARM
DOCKER_DEFAULT_PLATFORM=linux/amd64 docker-compose up
Others
docker-compose up
NOTE:
Assuming previous execution of the "setup" script above, this task may be run from anywhere in the repository as
pkg build.
Docker runs the following applications:
-
hexa-orchestrator
Runs on localhost:8885. The main application service that manages IDQL policy across various platforms and communicates with the various platform interfaces, converting IDQL policy to and from the respective platform types.
-
hexa-admin-ui
Runs on localhost:8884. An example web application user-interface demonstrating the latest interactions with the policy orchestrator.
-
hexa-industry-demo-app
Runs on localhost:8886. A demo web application used to highlight enforcing of both coarse and fine-grained policy. The application integrates with platform authentication/authorization proxies, Google IAP for example, for coarse-grained access and the Open Policy Agent (OPA) for fine-grained policy access.
-
Hexa-OPA-Agent
Runs on localhost:8887. A Hexa extended Open Policy Agent (OPA) server used to demonstrate fine-grained policy management. IDQL policy is represented as data and interpreted by the Rego expression language.
-
hexa-opaBundle-server
Runs on localhost:8889. An OPA HTTP Bundle server from which the OPA server can download policy bundles configured by Hexa-Orchestrator. See OPA bundles for more info.
Fine-grained policy management with OPA.
Using the hexa-admin-ui application available via docker-compose, upload an
OPA integration configuration file. The file describes the location of the IDQL
policy. An example integration configuration file may be found in
deployments/opa-server/example.
Once configured, IDQL policy for the hexa-demo application can be modified on the Applications page. The hexa-admin communicates the changes to the hexa-orchestrator, or "Policy Management Point (PMP)", which then updates the hexa-demo-config bundle server, making the updated policy available to the OPA server.
OPA, the "Policy Decision Point (PDP)", periodically reads config from the hexa-demo-config bundle server and allows or denies access requests based on the IDQL policy. Decision enforcement is handled within the hexa-demo application or "Policy Enforcement Point (PEP)".
The Hexa Demo architecture may be visualized as follows:
Take a look at our product backlog where we maintain a fresh supply of good first issues. In addition to enhancement requests, feel free to post any bugs you may find.
Here are a few additional resources for those interested in contributing to the Hexa project:
This repository also includes documentation for the current demo deployment infrastructure.
The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our Trademark Usage page.
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent