SYSTEM Cited by 1 source

Styra DAS

Styra Declarative Authorization Service (DAS) (styra.com) is a commercial control-plane SaaS for Open Policy Agent: policy authoring UI, bundle build/publish pipeline, policy version management, decision-log storage, and status reporting for distributed OPA fleets.

Role in an OPA deployment

Styra DAS is the control-plane half of a concepts/control-plane-data-plane-separation split: it does not sit in the request path. Policies authored in Rego are built into bundles and published to a chosen data-plane source (object storage, an OCI registry, a bundle server). OPA agents in the data plane poll the bundle source on interval, report status + decision logs back to DAS, and DAS is where operators query / audit those logs.

Seen in

• sources/2024-12-05-zalando-open-policy-agent-in-skipper-ingress — Zalando uses Styra DAS as the author / publish layer but routes bundles through AWS S3 for the actual data-plane fetch path. "To reduce the likelihood of outages due to an authorization infrastructure failure, we use AWS S3 and its availability promises as the source for policy bundles. Styra DAS, a commercial control plane for Open Policy Agent is used to source the bundles and publish them to S3." This decouples enforcement availability from Styra DAS availability — a direct application of patterns/s3-as-policy-bundle-source-for-availability. Styra DAS still receives status updates + decision logs from every virtual OPA instance inside Skipper, and each OTel span carries a decision ID that links back into the Styra DAS decision-log UI for forensics.

Related

• systems/open-policy-agent — the engine DAS controls
• systems/rego — the policy language DAS authors in
• systems/aws-s3 — data-plane bundle substrate in the Zalando deployment
• concepts/policy-bundle — DAS's publish artifact
• concepts/control-plane-data-plane-separation — DAS is the control plane half
• patterns/s3-as-policy-bundle-source-for-availability — the canonical pattern for the Zalando topology