2026-04-09 23:25:59 +03:30
# CropLogic Authorization Service
This service runs OPA as a standalone authorization engine for `backend/access_control` .
## Run standalone
``` bash
docker compose -f accsess/docker-compose.yaml up -d
```
2026-04-09 23:43:41 +03:30
If you want request logging only on development, start the stack with
`APP_ENV=DEVELOP` and enable the `develop` profile. In that mode, OPA sends
decision logs to a sidecar service, and the log file is written to
`accsess/logs/opa.log` on the host through a Docker volume.
``` bash
APP_ENV = DEVELOP COMPOSE_PROFILES = develop docker compose -f accsess/docker-compose.yaml up -d
```
2026-04-09 23:25:59 +03:30
## Decision endpoints
- Single feature: `POST /v1/data/croplogic/authz/decision`
- Batch features: `POST /v1/data/croplogic/authz/batch_decision`
The backend uses the batch endpoint and sends the farm context only. Users are treated as `farmer` by default inside the service, and features are allowed unless there is a feature-specific rule in `policies/authz.rego` .
## Example request
``` bash
curl -s http://127.0.0.1:8181/v1/data/croplogic/authz/batch_decision \
-H 'Content-Type: application/json' \
-d @- <<'EOF'
{
"input": {
"resource": {
"farm_id": "farm-1001",
"subscription_plan_codes": ["gold"],
"farm_types": ["greenhouse"],
"crop_types": ["tomato"],
"cultivation_types": ["soil"],
"sensor_codes": ["sensor-7-in-1"],
"power_sensor": ["main-power"],
"customization": ["default-layout"]
},
"features": ["sensor-7-in-1"],
"action": "view"
}
}
EOF
```
## Add new rules in code
Define feature-specific checks directly in `policies/authz.rego` .
- If a feature has no rule, every action is allowed.
- If a feature rule exists, its conditions are evaluated and any failing condition denies access.
- `sensor-7-in-1` currently requires `resource.sensor_codes` to include `sensor-7-in-1` .
