Open Policy Agent(1)                                    Open Policy Agent(1)

NAME
       opa-run - Start OPA in interactive or server mode

SYNOPSIS
       opa run [flags]

DESCRIPTION
       Start an instance of the Open Policy Agent (OPA).

       To run the interactive shell:

              $ opa run

       To run the server:

              $ opa run -s

       The 'run' command starts an instance of the OPA runtime. The OPA
       runtime can be started as an interactive shell or as a server.

       When the runtime is started as a shell, users can define rules and
       evaluate expressions interactively. When the runtime is started as a
       server, OPA exposes an HTTP API for managing policies, reading and
       writing data, and executing queries.

       The runtime can be initialized with one or more files that contain
       policies or data. If the '--bundle' option is specified, the paths
       are treated as policy bundles and loaded following standard bundle
       conventions. A path can be a compressed archive file or a directory,
       either of which is treated as a bundle. Without the '--bundle' flag,
       OPA recursively loads ALL Rego, JSON, and YAML files.

       When loading from directories, only files with known extensions are
       considered. The file extensions that OPA currently considers are:

              .json          # JSON data

       Non-bundle data file and directory paths can be prefixed with the
       desired destination in the data document using the following syntax:

              <dotted-path>:<file-path>

       To set a data file as the input document in the interactive shell,
       use the "repl.input" path prefix with the input file:

              repl.input:<file-path>

       Example:

              opa run repl.input:input.json

       This loads the "input.json" file at the path "data.repl.input".

       Use the "help input" command in the interactive shell to see more
       options.

       File paths can be specified as URLs to resolve ambiguity in paths
       containing colons:

              $ opa run file:///c:/path/to/data.json

       The 'run' command can also verify the signature of a signed bundle. A
       signed bundle is a normal OPA bundle that includes a file named
       ".signatures.json". For more information on signed bundles see
       https://www.openpolicyagent.org/docs/latest/management/#signing.

       The key used to verify the signature of a signed bundle is provided
       with the --verification-key flag. For the RSA family of algorithms,
       the command expects a PEM file containing the public key. For the
       HMAC family of algorithms (e.g. HS256), the shared secret itself is
       passed with the --verification-key flag.

       The --verification-key-id flag can optionally be used to specify a
       name for the key provided with the --verification-key flag.

       The --signing-alg flag can be used to specify the signing algorithm.
       The 'run' command uses RS256 as the signing algorithm by default.

       The --scope flag can be used to specify the scope to use for bundle
       signature verification.

       Example:

              $ opa run --verification-key secret --signing-alg HS256 --bundle bundle.tar.gz

       The 'run' command reads the bundle "bundle.tar.gz", checks the
       ".signatures.json" file and performs verification using the provided
       key. An error is generated if "bundle.tar.gz" does not contain a
       ".signatures.json" file. For more information on the bundle
       verification process see
       https://www.openpolicyagent.org/docs/latest/management/#signature-verification.

       Signature verification with the 'run' command is ONLY available
       together with the --bundle flag, i.e. for existing bundle files or
       directories that follow the bundle structure.

       To skip bundle verification, use the --skip-verify flag.

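       The verification described above, as an added example that is not
       OPA's own code: a standard-library Python model of what "opa run
       --verification-key secret --signing-alg HS256 --bundle bundle.tar.gz"
       checks, with the "exclude" parameter standing in for
       --exclude-files-verify. It assumes the ".signatures.json" layout
       documented at the signing page linked above (one JWT whose payload
       carries "files", "keyid" and "scope"), that JSON data files are hashed
       on their canonical form and other files on their raw bytes, and that a
       file present in the bundle but absent from the signature (or the
       reverse) is an error; the bundle contents and file names are
       constructed.

```python
import base64, hashlib, hmac, json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def file_hash(name: str, content: bytes) -> str:
    # Assumption: JSON data files are hashed on their canonical form (sorted keys, no whitespace), .rego files on raw bytes.
    if name.endswith(".json"):
        content = json.dumps(json.loads(content), sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(content).hexdigest()

def sign_bundle(files, secret, keyid="default", scope=""):
    # Build the ".signatures.json" document: one HS256 JWT whose payload lists every file with its hash.
    listing = [{"name": n, "hash": file_hash(n, c), "algorithm": "SHA-256"} for n, c in sorted(files.items())]
    payload = {"files": listing, "keyid": keyid, "scope": scope}
    body = _b64url(b'{"alg":"HS256","typ":"JWT"}') + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return {"signatures": [body + "." + _b64url(hmac.new(secret, body.encode(), hashlib.sha256).digest())]}

def verify_bundle(files, signatures, secret, alg="HS256", keyid="default", scope="", exclude=()):
    """Mirror the checks behind 'opa run --bundle'; returns a list of problems (empty means verified)."""
    if len(tokens := signatures.get("signatures", [])) != 1 or tokens[0].count(".") != 2:
        return ["expected exactly one well-formed signature token"]
    h_b64, p_b64, s_b64 = tokens[0].split(".")
    header = json.loads(_unb64url(h_b64))
    # Enforce the algorithm configured with --signing-alg; never let the token header choose it.
    if alg != "HS256" or header.get("alg") != alg:
        return [f"algorithm check failed: configured {alg}, token header {header.get('alg')} (only HS256 is implemented here)"]
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(s_b64)):
        return ["bad signature"]  # nothing in the payload is trusted before the MAC checks out
    payload = json.loads(_unb64url(p_b64))
    problems = [f"{field} mismatch: expected {want!r}, got {payload.get(field, '')!r}"
                for field, want in (("keyid", keyid), ("scope", scope)) if payload.get(field, "") != want]
    listed = {f["name"]: f["hash"] for f in payload.get("files", [])}
    actual = {n: file_hash(n, c) for n, c in files.items() if n != ".signatures.json" and n not in exclude}
    for name in sorted(set(listed) | set(actual)):
        if name not in listed:
            problems.append(f"{name} is in the bundle but not listed in the signature")
        elif name not in actual:
            problems.append(f"{name} is listed in the signature but missing from the bundle")
        elif listed[name] != actual[name]:
            problems.append(f"{name} hash mismatch")
    return problems

FILES = {  # constructed sample bundle, not a real OPA bundle
    "policy.rego": b"package authz\n\ndefault allow = false\n", "data.json": b'{"admins": ["alice"]}'}
SIGNATURES = sign_bundle(FILES, b"secret")  # "secret" is the --verification-key from the man page example
```

       A whitespace-only change to data.json still verifies under the
       canonical-form assumption, while any change to a .rego file or any
       file the signature does not list is reported.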
OPTIONS
       -a, --addr=[:8181]
              set listening address of the server (e.g., [ip]:<port> for
              TCP, unix://<path> for UNIX domain socket)

       --authentication=off
              set authentication scheme

       --authorization=off
              set authorization scheme

       -b, --bundle[=false]
              load paths as bundle files or root directories

       -c, --config-file=""
              set path of configuration file

       --diagnostic-addr=[]
              set read-only diagnostic listening address of the server for
              /health and /metric APIs (e.g., [ip]:<port> for TCP,
              unix://<path> for UNIX domain socket)

       --exclude-files-verify=[]
              set file names to exclude during bundle verification

       -f, --format="pretty"
              set shell output format, i.e., pretty, json

       --h2c[=false]
              enable H2C for HTTP listeners

       -h, --help[=false]
              help for run

       -H, --history="/builddir/.opa_history"
              set path of history file

       --ignore=[]
              set file and directory names to ignore during loading (e.g.,
              '.*' excludes hidden files)

       --log-format=json
              set log format

       -l, --log-level=info
              set log level

       -m, --max-errors=10
              set the number of errors to allow before compilation fails
              early

       --min-tls-version=1.2
              set minimum TLS version to be used by OPA's server, default is
              1.2

       --pprof[=false]
              enables pprof endpoints

       --ready-timeout=0
              wait (in seconds) for configured plugins before starting
              server (value <= 0 disables ready check)

       --scope=""
              scope to use for bundle signature verification

       -s, --server[=false]
              start the runtime in server mode

       --set=[]
              override config values on the command line (use commas to
              specify multiple values)

       --set-file=[]
              override config values with files on the command line (use
              commas to specify multiple values)

       --shutdown-grace-period=10
              set the time (in seconds) that the server will wait to
              gracefully shut down

       --shutdown-wait-period=0
              set the time (in seconds) that the server will wait before
              initiating shutdown

       --signing-alg="RS256"
              name of the signing algorithm

       --skip-verify[=false]
              disables bundle signature verification

       --skip-version-check[=true]
              disables anonymous version reporting (see:
              https://openpolicyagent.org/docs/latest/privacy)

       --tls-ca-cert-file=""
              set path of TLS CA cert file

       --tls-cert-file=""
              set path of TLS certificate file

       --tls-private-key-file=""
              set path of TLS private key file

       --verification-key=""
              set the secret (HMAC) or path of the PEM file containing the
              public key (RSA and ECDSA)

       --verification-key-id="default"
              name assigned to the verification key used for bundle
              verification

       -w, --watch[=false]
              watch command line files for changes

SEE ALSO
       opa(1)

                                  Jan 2023                Open Policy Agent(1)