Open Policy Agent(1)                                      Open Policy Agent(1)

NAME

       opa-run - Start OPA in interactive or server mode

SYNOPSIS

       opa run [flags]

DESCRIPTION

       Start an instance of the Open Policy Agent (OPA).

       To run the interactive shell:

              $ opa run

       To run the server:

              $ opa run -s

       The 'run' command starts an instance of the OPA runtime. The OPA runtime
       can be started as an interactive shell or a server.

       When the runtime is started as a shell, users can define rules and
       evaluate expressions interactively. When the runtime is started as a
       server, OPA exposes an HTTP API for managing policies, reading and
       writing data, and executing queries.

       The runtime can be initialized with one or more files that contain
       policies or data. If the '--bundle' option is specified the paths will
       be treated as policy bundles and loaded following standard bundle
       conventions. The path can be a compressed archive file or a directory
       which will be treated as a bundle. Without the '--bundle' flag OPA
       will recursively load ALL rego, JSON, and YAML files.

       When loading from directories, only files with known extensions are
       considered. The current set of file extensions that OPA will consider
       are:

              .json          # JSON data

       Non-bundle data file and directory paths can be prefixed with the
       desired destination in the data document with the following syntax:

              <dotted-path>:<file-path>

       To set a data file as the input document in the interactive shell use
       the "repl.input" path prefix with the input file:

              repl.input:<file-path>

       Example:

              opa run repl.input:input.json

       Which will load the "input.json" file at path "data.repl.input".

       Use the "help input" command in the interactive shell to see more
       options.

       File paths can be specified as URLs to resolve ambiguity in paths
       containing colons:

              $ opa run file:///c:/path/to/data.json

       The 'run' command can also verify the signature of a signed bundle. A
       signed bundle is a normal OPA bundle that includes a file named
       ".signatures.json". For more information on signed bundles see
       https://www.openpolicyagent.org/docs/latest/management/#signing.

       The key to verify the signature of a signed bundle can be provided
       using the --verification-key flag. For example, for the RSA family of
       algorithms, the command expects a PEM file containing the public key.
       For the HMAC family of algorithms (e.g. HS256), the secret can be
       provided using the --verification-key flag.

       The --verification-key-id flag can be used to optionally specify a name
       for the key provided using the --verification-key flag.

       The --signing-alg flag can be used to specify the signing algorithm.
       The 'run' command uses RS256 (by default) as the signing algorithm.

       The --scope flag can be used to specify the scope to use for bundle
       signature verification.

       Example:

              $ opa run --verification-key secret --signing-alg HS256 --bundle bundle.tar.gz

       The 'run' command will read the bundle "bundle.tar.gz", check the
       ".signatures.json" file and perform verification using the provided
       key. An error will be generated if "bundle.tar.gz" does not contain a
       ".signatures.json" file. For more information on the bundle
       verification process see
       https://www.openpolicyagent.org/docs/latest/management/#signature-verification.

       The 'run' command can ONLY be used with the --bundle flag to verify
       signatures for existing bundle files or directories following the
       bundle structure.

       To skip bundle verification, use the --skip-verify flag.

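       The following script is an added example and is not part of the OPA
       man page or the OPA project. It preflights the signed-bundle startup
       described above: it refuses to start when the bundle lacks the
       ".signatures.json" file (the case in which 'opa run' would error out),
       checks that the key fits the algorithm family (a shared secret for
       HS*, a PEM public key for RS*/ES*), and then prints the 'opa run'
       command line. The demo bundle contents, the HMAC secret and the
       helper names (bundle_is_signed, signed_bundle_cmd, make_demo_bundle)
       are all constructed here; a real ".signatures.json" is produced by
       'opa sign', not by this script.

```shell
#!/bin/sh
# Added example; not from the OPA man page or the OPA project. Preflight for
# `opa run --bundle` with signature verification: refuse to start when the
# bundle has no .signatures.json (the man page says `opa run` errors out in
# that case) or when the key does not fit the algorithm family, then print
# the command line. The demo bundle and the HMAC secret are constructed
# placeholders; a real .signatures.json is produced by `opa sign`.

# Returns 0 if the bundle at $1 (a directory or a .tar.gz) contains
# .signatures.json, 1 otherwise.
bundle_is_signed() {
  if [ -d "$1" ]; then
    [ -f "$1/.signatures.json" ]
  elif [ -f "$1" ]; then
    tar -tzf "$1" 2>/dev/null | grep -Eq '(^|/)\.signatures\.json$'
  else
    return 1
  fi
}

# Prints the `opa run` server invocation for bundle $1, signed with
# algorithm $2 and verified with key $3 (shared secret for HS*, path of a
# PEM public key for RS*/ES*). Return codes: 1 bundle missing, 2 bundle
# unsigned, 3 key does not match the algorithm family.
signed_bundle_cmd() {
  bundle="$1"; alg="$2"; key="$3"
  [ -e "$bundle" ] || { echo "no such bundle: $bundle" >&2; return 1; }
  bundle_is_signed "$bundle" || {
    echo "$bundle has no .signatures.json; refusing to start with verification" >&2
    return 2
  }
  case "$alg" in
    HS*)     [ -n "$key" ] || { echo "HMAC secret is empty" >&2; return 3; } ;;
    RS*|ES*) [ -f "$key" ] || { echo "public key PEM not found: $key" >&2; return 3; } ;;
    *)       echo "unsupported signing algorithm: $alg" >&2; return 3 ;;
  esac
  printf 'opa run -s --bundle --signing-alg=%s --verification-key=%s %s\n' \
    "$alg" "$key" "$bundle"
}

# Writes a constructed demo bundle directory at $1 (.manifest plus one
# policy); pass "signed" as $2 to add a placeholder .signatures.json.
make_demo_bundle() {
  mkdir -p "$1"
  printf '{"roots": [""]}\n' > "$1/.manifest"
  printf 'package example\n\ndefault allow = false\n' > "$1/policy.rego"
  if [ "$2" = signed ]; then
    printf '{"signatures": ["PLACEHOLDER_JWT"]}\n' > "$1/.signatures.json"
  fi
}

# Stand-alone demo: the unsigned bundle is rejected, the signed one yields
# the command line to run.
demo_root=$(mktemp -d)
make_demo_bundle "$demo_root/unsigned"
make_demo_bundle "$demo_root/signed" signed
signed_bundle_cmd "$demo_root/unsigned" HS256 PLACEHOLDER_SECRET || echo "rejected with rc=$?"
signed_bundle_cmd "$demo_root/signed" HS256 PLACEHOLDER_SECRET
rm -rf "$demo_root"
```

       The presence check is only the first gate; OPA performs the
       cryptographic verification itself when it reads the bundle. Note that
       an HMAC secret passed via --verification-key appears in process
       listings, so on a shared host prefer supplying keys through the file
       named by --config-file.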

OPTIONS

       -a, --addr=[:8181]      set listening address of the server (e.g.,
       [ip]: for TCP, unix:// for UNIX domain socket)

       --authentication=off      set authentication scheme

       --authorization=off      set authorization scheme

       -b, --bundle[=false]      load paths as bundle files or root
       directories

       -c, --config-file=""      set path of configuration file

       --diagnostic-addr=[]      set read-only diagnostic listening address of
       the server for /health and /metric APIs (e.g., [ip]: for TCP, unix://
       for UNIX domain socket)

       --exclude-files-verify=[]      set file names to exclude during bundle
       verification

       -f, --format="pretty"      set shell output format, i.e., pretty, json

       --h2c[=false]      enable H2C for HTTP listeners

       -h, --help[=false]      help for run

       -H, --history="/builddir/.opa_history"      set path of history file

       --ignore=[]      set file and directory names to ignore during loading
       (e.g., '.*' excludes hidden files)

       --log-format=json      set log format

       -l, --log-level=info      set log level

       -m, --max-errors=10      set the number of errors to allow before
       compilation fails early

       --min-tls-version=1.2      set minimum TLS version to be used by OPA's
       server, default is 1.2

       --pprof[=false]      enables pprof endpoints

       --ready-timeout=0      wait (in seconds) for configured plugins before
       starting server (value <= 0 disables ready check)

       --scope=""      scope to use for bundle signature verification

       -s, --server[=false]      start the runtime in server mode

       --set=[]      override config values on the command line (use commas to
       specify multiple values)

       --set-file=[]      override config values with files on the command
       line (use commas to specify multiple values)

       --shutdown-grace-period=10      set the time (in seconds) that the
       server will wait to gracefully shut down

       --shutdown-wait-period=0      set the time (in seconds) that the server
       will wait before initiating shutdown

       --signing-alg="RS256"      name of the signing algorithm

       --skip-verify[=false]      disables bundle signature verification

       --skip-version-check[=true]      disables anonymous version reporting
       (see: https://openpolicyagent.org/docs/latest/privacy)

       --tls-ca-cert-file=""      set path of TLS CA cert file

       --tls-cert-file=""      set path of TLS certificate file

       --tls-private-key-file=""      set path of TLS private key file

       --verification-key=""      set the secret (HMAC) or path of the PEM
       file containing the public key (RSA and ECDSA)

       --verification-key-id="default"      name assigned to the verification
       key used for bundle verification

       -w, --watch[=false]      watch command line files for changes

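       The following script is an added example and is not part of the OPA
       man page or the OPA project. It reads an 'opa run' argument string
       against the options listed above and reports the settings that leave
       a policy server exposed (wildcard listener, plaintext HTTP,
       authentication and authorization left at their "off" defaults,
       --skip-verify, --pprof, --h2c), then builds a hardened invocation for
       comparison. It assumes flags are written in --flag=value form as in
       OPTIONS; the scheme names "token", "tls" and "basic" are the values
       OPA accepts for --authentication and --authorization but are not
       spelled out on this page; every path, key id and scope is a
       placeholder, and the function names (audit_opa_args,
       hardened_opa_args) are this example's own.

```shell
#!/bin/sh
# Added example; not from the OPA man page or the OPA project. Audits an
# `opa run` argument string against the OPTIONS documented above and flags
# settings that leave the policy server exposed. Assumed: flags are written
# --flag=value; "token", "tls" and "basic" are the scheme names OPA accepts
# (not listed on this page); all paths, key ids and scopes are placeholders.

findings=0
flag() { echo "finding: $1"; findings=$((findings + 1)); }

# Prints one finding per line for the argument string $1. Returns 0 when
# nothing was flagged, 1 otherwise.
audit_opa_args() {
  args=" $1 "
  findings=0
  case "$args" in
    *" -s "*|*" --server "*|*" --server=true "*) ;;
    *) echo "not server mode; nothing to audit"; return 0 ;;
  esac
  # Listener: the default :8181 binds every interface.
  case "$args" in
    *" --addr=unix://"*) ;;
    *" --addr=:"*|*" --addr=0.0.0.0:"*) flag "--addr binds every interface" ;;
    *" --addr="*) ;;
    *) flag "no --addr given; default :8181 binds every interface" ;;
  esac
  # Transport: without a certificate and key the API is plaintext HTTP.
  case "$args" in
    *" --addr=unix://"*) ;;
    *" --tls-cert-file="*)
      case "$args" in
        *" --tls-private-key-file="*) ;;
        *) flag "--tls-cert-file given without --tls-private-key-file" ;;
      esac ;;
    *) flag "plaintext HTTP listener (no --tls-cert-file/--tls-private-key-file)" ;;
  esac
  # API access control: both schemes default to off.
  case "$args" in
    *" --authentication=token "*|*" --authentication=tls "*) ;;
    *) flag "authentication off: the API accepts unauthenticated requests" ;;
  esac
  case "$args" in
    *" --authorization=basic "*) ;;
    *) flag "authorization off: any caller may read and write policies and data" ;;
  esac
  # Bundle integrity and debug surface.
  case "$args" in
    *" --skip-verify "*|*" --skip-verify=true "*) flag "bundle signature verification disabled" ;;
  esac
  case "$args" in
    *" --pprof "*|*" --pprof=true "*) flag "pprof endpoints enabled (--pprof)" ;;
  esac
  case "$args" in
    *" --h2c "*|*" --h2c=true "*) flag "H2C (cleartext HTTP/2) enabled" ;;
  esac
  [ "$findings" -eq 0 ]
}

# Prints a hardened argument string built from the OPTIONS above (paths,
# key id and scope are placeholders; key id and scope must match the ones
# used when the bundle was signed). --authorization=basic needs a
# system.authz policy in the bundle that grants the token holders access.
hardened_opa_args() {
  printf '%s' \
    "-s --addr=127.0.0.1:8181 --diagnostic-addr=127.0.0.1:8282" \
    " --tls-cert-file=/etc/opa/tls/server.crt --tls-private-key-file=/etc/opa/tls/server.key" \
    " --tls-ca-cert-file=/etc/opa/tls/ca.crt --min-tls-version=1.2" \
    " --authentication=token --authorization=basic" \
    " --log-format=json --log-level=info --ignore=.*" \
    " --bundle --signing-alg=RS256 --verification-key=/etc/opa/keys/bundle-pub.pem" \
    " --verification-key-id=prod --scope=prod /srv/opa/bundle.tar.gz"
  echo
}

# Stand-alone demo: a minimal server start beside the hardened one.
WEAK_ARGS="-s --skip-verify --bundle /srv/opa/bundle.tar.gz"
echo "== opa run $WEAK_ARGS"
if ! audit_opa_args "$WEAK_ARGS"; then echo "$findings finding(s)"; fi
echo "== opa run $(hardened_opa_args)"
if audit_opa_args "$(hardened_opa_args)"; then echo "no findings"; fi
```

       --min-tls-version=1.2 is already the default and is given explicitly
       only so the intent is visible in process listings and unit files. The
       diagnostic listener is bound separately on loopback so /health
       probing never requires opening the API listener.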

SEE ALSO

       opa(1)

                                   Jan 2023               Open Policy Agent(1)