Policy engine Overview & Prerequisites
The policy engine uses Open Policy Agent (OPA) and Open Policy Administration Layer (OPAL) for policy evaluation. Several services work together, using the features provided by OPA and OPAL, to provide a robust policy evaluation framework.
Policy engine components
The policy engine uses several components that have been dockerized for deployment. Below is a list of all the components of the policy engine:
- HyWorks Policy Management API: Single API endpoint used by the HyWorks Management Console, DVM agents, etc. to interact with the OPAL policy engine. By default, this API is exposed externally on port 38901 over SSL, configured using Nginx. Currently used Docker image: hyworks/policy-manager-API:v20240926T1201.
  - Policy Data API is used by the HyWorks Policy Management API to push policy updates to the OPAL Server and OPAL Client via the Policy Update Queue.
  - OPAL Client is used by the HyWorks Policy Management API to evaluate policies as per input parameters.
- Policy Data API: API used by the HyWorks Policy Management API to push policy updates to the OPAL Server and OPAL Client. By default, this API endpoint is exposed on port 5120. Currently used Docker image: policymanagement:1.0.
- OPAL Server: Coordinator that keeps OPAL Clients updated. Currently used Docker image: permitio/opal-server:0.7.12.
- OPAL Client: OPA execution layer that serves policy requests. By default, this API endpoint is exposed on port 8181. Currently used Docker image: permitio/opal-client:0.7.12.
- Policy Update Queue: Queue that makes sure updates are not lost. It is implemented using RabbitMQ. Currently used Docker image: rabbitmq:3-management.
- Policy Queue Listener: Listener that subscribes to the Policy Update Queue and persists updates to the DB. Currently used Docker image: queue_provider:1.0.
- MongoDB: Persistence for policies. Currently used Docker image: mongo:3.7.
- Redis 7.4.0-alpine: Redis is used only when the policy engine is run in cluster mode. The OPAL Server uses Redis to sync between all instances of the cluster. Currently used Docker image: redis:7.4.0-alpine.
- Nginx: Nginx is used for SSL offloading for the HyWorks Policy Management API.
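The component list names three default ports, of which only 38901 is described as exposed externally. The shell function below is an added example, not part of the HyWorks documentation or product, that audits `docker ps` output for any other port published on a non-loopback address. It assumes 38901 is the only port meant to be reachable from other hosts; the sample container names and bindings are constructed.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: only the HyWorks Policy Management
# API port (38901 in the component list) should be reachable from other hosts.
ALLOWED_EXTERNAL_PORT=38901

# Reads "name<TAB>ports" lines, the output format of
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# and prints "EXPOSED <name> <host-binding>" for each published binding that is
# neither loopback-only nor the allowed port. The body runs in a subshell so the
# IFS and globbing changes do not leak into the caller.
audit_published_ports() (
  tab=$(printf '\t')
  IFS=','   # bindings of one container are comma-separated
  set -f    # "[::]:7002" must not be treated as a glob pattern
  while IFS="$tab" read -r name ports; do
    for binding in $ports; do
      binding="${binding# }"
      case "$binding" in
        *'->'*) ;;          # published to the host
        *) continue ;;      # e.g. "27017/tcp": container-only, not published
      esac
      host_part="${binding%%->*}"   # e.g. "0.0.0.0:8181"
      host_port="${host_part##*:}"  # e.g. "8181"
      case "$host_part" in
        127.0.0.1:*|'[::1]:'*) continue ;;  # loopback-only binding
      esac
      if [ "$host_port" != "$ALLOWED_EXTERNAL_PORT" ]; then
        echo "EXPOSED $name $host_part"
      fi
    done
  done
)

# Constructed sample input (container names and bindings are made up).
sample_docker_ps() {
  printf 'nginx\t0.0.0.0:38901->443/tcp, :::38901->443/tcp\n'
  printf 'opal_client\t0.0.0.0:8181->8181/tcp\n'
  printf 'policy_data_api\t127.0.0.1:5120->5120/tcp\n'
  printf 'mongo\t27017/tcp\n'
  printf 'opal_server\t[::]:7002->7002/tcp\n'
}

sample_docker_ps | audit_published_ports
```

On a live host, replace `sample_docker_ps` with the `docker ps --format` command shown in the comment.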
Prerequisites
Hardware pre-requisites
To deploy the policy engine in standalone mode you need a single VM, and for cluster mode you need 3 VMs, with at least the following hardware specification:
- CPU: 2 vCPU
- RAM: 4 GB
- HDD: 50 GB
Note
This is only the minimum requirement to complete the installation and get a single instance installed. Production deployments must take the expected concurrency/load into account and size the servers accordingly.
Software pre-requisites
- Oracle Linux 9.4
- Docker and docker-compose