What authorization is (and is not)
Objective
Explain the difference between authentication and authorization at runtime, and read the reference OPA policy to predict whether a given request is allowed or denied.
Concept
Authentication proves who a caller is. Authorization decides what that identity may do, on which resource, in a given context, at runtime. EnforceAuth calls the gap between the two "the Authorization Gap," and its operating model is Define, Enforce, Audit.
In practice a Policy Decision Point (PDP) such as OPA or Enterprise OPA evaluates a policy against an input document and returns a decision. A good policy is default-deny: it denies unless a rule explicitly allows. EnforceAuth's control plane, Writ, governs and deploys these policies (signed bundles from Git, promotion across environments, decision logs). Writ is not a PDP on the request path; the PDP is OPA or Enterprise OPA.
Open the lab policy in ../lab/policy.rego. It maps each role to a set of permitted actions and allows a request only when the requested action is in the set for the subject's role. An unknown role leaves the lookup undefined, so the decision falls through to the default, false.
Hands-on lab
The lab in courses/reference-hello-authorization ships as a starter: policy.rego gives you the permissions map and default allow := false, but the allow rule is left as a TODO(learner) stub. Open policy.rego and implement the allow rule so a request is granted only when input.action is in the set of actions permitted for input.subject.role.
Run the suite as you work:
git clone https://github.com/EnforceAuth/university-labs.git
cd university-labs
opa test courses/reference-hello-authorization -v
The starter reports FAIL: 3/6. It includes allow cases (an admin can delete, an editor can write, a viewer can read) and deny cases (a viewer cannot write, an editor cannot delete, an unknown role is denied). The deny cases catch a "false allow," a request granted when policy says it should not be. Implement the TODO until you reach PASS: 6/6. Keep iterating until opa test is green.
Check for understanding
- A request arrives with a valid token but for an action the subject's role does not permit. Is this an authentication failure or an authorization failure?
- In
policy.rego, what decision does a request withrole: "guest"produce, and why? - Which tests in
policy_test.regowould start failing if you changeddefault allow := falsetodefault allow := true, and what class of security bug does that represent?