peter

Reputation: 117

How to embed OPA as a lib in a low latency C++ process

We are currently evaluating OPA as our main fine-grained access control engine. Our data path is written in C++ for high performance requirements. I see that it is possible to embed OPA in a Go process, but I am not sure if this has been evaluated in a C++ container.

  1. Are there any existing deployments where OPA was embedded as a library in a C++ container?
  2. If we embed OPA as a library, will there be any communication through the network (to other processes or databases) when policies are evaluated?

Upvotes: 1

Views: 467

Answers (1)

sr_

Reputation: 602

For using OPA from C++, there are a few options, ordered roughly by complexity and increasingly uncharted territory:

  1. Use the HTTP API, in a sidecar process or some standalone service. (Obviously not what you're looking for, included for completeness' sake.)
  2. Use Wasm: there is no SDK for C++, but the ABI hopefully isn't too complicated, see the docs.
  3. Embed OPA as a Cgo library: the amount of work is considerable, you'd have to define the surface API, i.e., do the work necessary to re-wrap OPA's core into a library you could link in.

I'd go with trying (1.) first, seeing if it really isn't feasible for your performance requirements (using a Unix socket, profiling the evaluation, having a good look at your policy code...); then I'd reach for Wasm (2.). OPA's Wasm modules contain the compiled recipe for evaluating your policy's logic; there is no interpreter overhead. With (3.), you'd have to do more work than for (2.), and (in my opinion) get less for it.

Upvotes: 2
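For option (1.) over a Unix socket, a C++ caller has to decide what happens when OPA is unreachable or the rule is undefined. The sketch below is an added example, not part of the answer or of OPA's code base: a minimal client for OPA's REST Data API that denies on every failure. The socket path, the `authz/allow` policy path, the sample input and the function names are assumptions, and the queried rule is assumed to be a boolean.

```cpp
#include <cctype>
#include <cstring>
#include <string>
#include <sys/socket.h>
#include <sys/un.h>
#include <unistd.h>

// POST /v1/data/<path> with {"input": ...}; HTTP/1.0 so the reply is unchunked.
std::string build_request(const std::string& path, const std::string& input_json) {
    const std::string body = "{\"input\":" + input_json + "}";
    return "POST /v1/data/" + path + " HTTP/1.0\r\nHost: localhost\r\n"
           "Content-Type: application/json\r\nContent-Length: " +
           std::to_string(body.size()) + "\r\n\r\n" + body;
}

// Allow only on status 200 carrying "result":true. An undefined rule returns 200
// with no "result" key. Simplified match; production code needs a JSON parser.
bool parse_decision(const std::string& resp) {
    if (resp.rfind("HTTP/1.", 0) != 0 || resp.find(" 200 ") != 8) return false;
    const size_t sep = resp.find("\r\n\r\n");
    if (sep == std::string::npos) return false;
    std::string body;
    for (unsigned char c : resp.substr(sep + 4))
        if (!std::isspace(c)) body += static_cast<char>(c);
    return body.find("\"result\":true") != std::string::npos;
}

// One query over the Unix socket; every transport failure is a deny.
bool is_allowed(const std::string& sock, const std::string& path,
                const std::string& input_json) {
    sockaddr_un addr{};
    addr.sun_family = AF_UNIX;
    if (sock.size() >= sizeof(addr.sun_path)) return false;
    std::memcpy(addr.sun_path, sock.c_str(), sock.size() + 1);
    const int fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0) return false;
    std::string resp;
    const std::string req = build_request(path, input_json);
    if (connect(fd, reinterpret_cast<sockaddr*>(&addr), sizeof(addr)) == 0 &&
        send(fd, req.data(), req.size(), MSG_NOSIGNAL) == (ssize_t)req.size()) {
        char buf[4096];
        for (ssize_t n; (n = read(fd, buf, sizeof(buf))) > 0;) resp.append(buf, n);
    }
    close(fd);
    return parse_decision(resp);
}
int main() {  // constructed socket path and input, for illustration only
    return is_allowed("/run/opa/opa.sock", "authz/allow", "{\"user\":\"alice\"}") ? 0 : 1;
}
```

Opening a new connection per decision keeps the sketch short; a latency-sensitive data path would reuse connections and set a read timeout, still denying when the timeout fires.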
