Open Policy Agent (OPA) Plugins Architecture

This document describes the high-level flow of interactions and the sequence diagram of the plugin interactions in the OPA plugins architecture.

High-Level Flow of Interactions

Sequence Diagram of the Plugin Interactions (New Backend)

This flowchart represents the high-level flow of interactions between the different components in the OPA plugins architecture on the new backend system.

Understanding the Decision Types

It is important to understand that OPA's role differs depending on the type of decision returned.

ALLOW / DENY

OPA evaluates the policy and returns a direct ALLOW or DENY. The Permission Backend passes this straight through — in this case OPA effectively has the final say on whether the action is permitted.

CONDITIONAL

OPA returns a CONDITIONAL decision containing a set of conditions (e.g. IS_ENTITY_OWNER, IS_ENTITY_KIND). In this case OPA does not make the final decision — it defines criteria that the Permission Backend then applies against real resources. The Permission Backend evaluates those conditions against each resource using Backstage's built-in resource rules to determine what the user can actually access.

In short: for ALLOW/DENY, OPA decides. For CONDITIONAL, OPA defines the filter and the Permission Backend enforces it.

High-Level Flow of Interactions​

Sequence Diagram of the Plugin Interactions (New Backend)​

Understanding the Decision Types​

ALLOW / DENY​

CONDITIONAL​

High-Level Flow of Interactions

Sequence Diagram of the Plugin Interactions (New Backend)

Understanding the Decision Types

ALLOW / DENY

CONDITIONAL