Open Policy Agent(1)                                      Open Policy Agent(1)



NAME

       opa-run - Start OPA in interactive or server mode



SYNOPSIS

       opa run [flags]



DESCRIPTION

       Start an instance of the Open Policy Agent (OPA).

       To run the interactive shell:

              $ opa run

       To run the server:

              $ opa run -s

       The 'run' command starts an instance of the OPA runtime. The OPA runtime
       can be started as an interactive shell or a server.

       When the runtime is started as a shell, users can define rules and
       evaluate expressions interactively. When the runtime is started as a
       server, OPA exposes an HTTP API for managing policies, reading and
       writing data, and executing queries.

       The runtime can be initialized with one or more files that contain
       policies or data. If the '--bundle' option is specified the paths will
       be treated as policy bundles and loaded following standard bundle
       conventions. The path can be a compressed archive file or a directory
       which will be treated as a bundle. Without the '--bundle' flag OPA
       will recursively load ALL rego, JSON, and YAML files.

       When loading from directories, only files with known extensions are
       considered. The current set of file extensions that OPA will consider
       are:

              .json          # JSON data

       Non-bundle data file and directory paths can be prefixed with the
       desired destination in the data document with the following syntax:

              <dotted-path>:<file-path>

       To set a data file as the input document in the interactive shell use
       the "repl.input" path prefix with the input file:

              repl.input:<file-path>

       Example:

              opa run repl.input:input.json

       This will load the "input.json" file at path "data.repl.input".

       Use the "help input" command in the interactive shell to see more
       options.

       File paths can be specified as URLs to resolve ambiguity in paths
       containing colons:

              $ opa run file:///c:/path/to/data.json

       The 'run' command can also verify the signature of a signed bundle. A
       signed bundle is a normal OPA bundle that includes a file named
       ".signatures.json". For more information on signed bundles see
       https://www.openpolicyagent.org/docs/latest/management/#signing.

       The key used to verify the signature of a signed bundle can be provided
       using the --verification-key flag. For example, for the RSA family of
       algorithms, the command expects a PEM file containing the public key.
       For the HMAC family of algorithms (e.g. HS256), the shared secret itself
       is provided using the --verification-key flag.

       The --verification-key-id flag can be used to optionally specify a name
       for the key provided using the --verification-key flag.

       The --signing-alg flag can be used to specify the signing algorithm.
       The 'run' command uses RS256 (by default) as the signing algorithm.

       The --scope flag can be used to specify the scope to use for bundle
       signature verification.

       Example:

              $ opa run --verification-key secret --signing-alg HS256 --bundle bundle.tar.gz

       The 'run' command will read the bundle "bundle.tar.gz", check the
       ".signatures.json" file and perform verification using the provided
       key. An error will be generated if "bundle.tar.gz" does not contain a
       ".signatures.json" file. For more information on the bundle
       verification process see
       https://www.openpolicyagent.org/docs/latest/management/#signature-verification.

       The 'run' command can ONLY be used with the --bundle flag to verify
       signatures for existing bundle files or directories following the
       bundle structure.

       To skip bundle verification, use the --skip-verify flag.


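       Added example, not part of this man page or of OPA's own code: a Python
       model of the check that 'opa run --verification-key secret --signing-alg
       HS256 --bundle <dir>' performs on a bundle directory, including the
       error the text describes for a bundle with no ".signatures.json" and the
       rejection of a policy file edited after signing. It assumes the
       ".signatures.json" layout documented for OPA (a "signatures" list holding
       a JWT whose payload lists each file's name, SHA-256 hash and algorithm
       plus "keyid" and "scope"), hashes every file over its raw bytes (a
       simplification; OPA canonicalises JSON and YAML data files first), and
       constructs its own sample bundle.

```python
import base64, hashlib, hmac, json, tempfile
from pathlib import Path

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(payload: dict, secret: str) -> str:
    """Build the compact HS256 JWT that a signing tool stores in .signatures.json."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    mac = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(mac)}"

def verify_bundle_dir(bundle_dir: str, secret: str, scope: str = "") -> list:
    """Checks modelled on 'opa run --verification-key <secret> --signing-alg HS256 --bundle <dir>'."""
    sig = Path(bundle_dir, ".signatures.json")
    if not sig.exists():  # opa run errors out when the bundle carries no signatures file
        raise ValueError("bundle does not contain a .signatures.json file")
    token = json.loads(sig.read_text())["signatures"][0]
    header_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":  # pin the expected algorithm
        raise ValueError("token algorithm does not match --signing-alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):  # constant-time comparison
        raise ValueError("signature verification failed")
    payload = json.loads(_unb64url(body_b64))
    if payload.get("scope", "") != scope:  # same role as the --scope flag
        raise ValueError("scope mismatch")
    verified = []
    for entry in payload["files"]:  # every signed file must still match its recorded digest
        digest = hashlib.sha256(Path(bundle_dir, entry["name"]).read_bytes()).hexdigest()
        if digest != entry["hash"]:
            raise ValueError(f"hash mismatch for {entry['name']}")
        verified.append(entry["name"])
    return verified

def make_demo_bundle(secret: str, tamper: bool = False) -> str:  # constructed sample bundle
    bundle_dir = tempfile.mkdtemp()
    policy = b"package example\n\ndefault allow = false\n"
    Path(bundle_dir, "example.rego").write_bytes(policy)
    payload = {"files": [{"name": "example.rego", "algorithm": "SHA-256",
                          "hash": hashlib.sha256(policy).hexdigest()}],
               "keyid": "default", "scope": ""}
    Path(bundle_dir, ".signatures.json").write_text(json.dumps({"signatures": [sign_hs256(payload, secret)]}))
    if tamper:  # edit the policy after signing; verification must reject the bundle
        Path(bundle_dir, "example.rego").write_bytes(policy + b"allow = true\n")
    return bundle_dir
```

       A real bundle is verified with the 'opa run' invocation shown above;
       this model only illustrates which conditions make that verification
       fail.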

OPTIONS

       -a, --addr=[:8181]      set listening address of the server (e.g.,
       [ip]: for TCP, unix:// for UNIX domain socket)

       --authentication=off      set authentication scheme

       --authorization=off      set authorization scheme

       -b, --bundle[=false]      load paths as bundle files or root
       directories

       -c, --config-file=""      set path of configuration file

       --diagnostic-addr=[]      set read-only diagnostic listening address of
       the server for /health and /metric APIs (e.g., [ip]: for TCP, unix://
       for UNIX domain socket)

       --exclude-files-verify=[]      set file names to exclude during bundle
       verification

       -f, --format="pretty"      set shell output format, i.e., pretty, json

       --h2c[=false]      enable H2C for HTTP listeners

       -h, --help[=false]      help for run

       -H, --history="/builddir/.opa_history"      set path of history file

       --ignore=[]      set file and directory names to ignore during loading
       (e.g., '.*' excludes hidden files)

       --log-format=json      set log format

       -l, --log-level=info      set log level

       -m, --max-errors=10      set the number of errors to allow before
       compilation fails early

       --pprof[=false]      enables pprof endpoints

       --ready-timeout=0      wait (in seconds) for configured plugins before
       starting server (value <= 0 disables ready check)

       --scope=""      scope to use for bundle signature verification

       -s, --server[=false]      start the runtime in server mode

       --set=[]      override config values on the command line (use commas to
       specify multiple values)

       --set-file=[]      override config values with files on the command
       line (use commas to specify multiple values)

       --shutdown-grace-period=10      set the time (in seconds) that the
       server will wait to gracefully shut down

       --shutdown-wait-period=0      set the time (in seconds) that the server
       will wait before initiating shutdown

       --signing-alg="RS256"      name of the signing algorithm

       --skip-verify[=false]      disables bundle signature verification

       --skip-version-check[=true]      disables anonymous version reporting
       (see: https://openpolicyagent.org/docs/latest/privacy)

       --tls-ca-cert-file=""      set path of TLS CA cert file

       --tls-cert-file=""      set path of TLS certificate file

       --tls-private-key-file=""      set path of TLS private key file

       --verification-key=""      set the secret (HMAC) or path of the PEM
       file containing the public key (RSA and ECDSA)

       --verification-key-id="default"      name assigned to the verification
       key used for bundle verification

       -w, --watch[=false]      watch command line files for changes



SEE ALSO

       opa(1)



                                  May 2021               Open Policy Agent(1)