CropLogic Authorization Service
This service runs OPA as a standalone authorization engine for backend/access_control.
Run standalone
docker compose -f accsess/docker-compose.yaml up -d
If you want decision logging only in development, start the stack with
APP_ENV=DEVELOP and enable the develop profile. In that mode OPA sends its
decision logs to a sidecar service, and the log file is written to
accsess/logs/opa.log on the host through a Docker volume.
APP_ENV=DEVELOP COMPOSE_PROFILES=develop docker compose -f accsess/docker-compose.yaml up -d
Decision endpoints
- Single feature:
POST /v1/data/croplogic/authz/decision
- Batch features:
POST /v1/data/croplogic/authz/batch_decision
The backend uses the batch endpoint and sends only the farm context; no per-user input is passed, so inside the service every caller is treated as a farmer by default. A feature is allowed unless policies/authz.rego contains a feature-specific rule for it.
Example request
curl -s http://127.0.0.1:8181/v1/data/croplogic/authz/batch_decision \
  -H 'Content-Type: application/json' \
  -d @- <<'EOF'
{
  "input": {
    "resource": {
      "farm_id": "farm-1001",
      "subscription_plan_codes": ["gold"],
      "farm_types": ["greenhouse"],
      "crop_types": ["tomato"],
      "cultivation_types": ["soil"],
      "sensor_codes": ["sensor-7-in-1"],
      "power_sensor": ["main-power"],
      "customization": ["default-layout"]
    },
    "features": ["sensor-7-in-1"],
    "action": "view"
  }
}
EOF
Add new rules in code
Define feature-specific checks directly in policies/authz.rego.
- If a feature has no rule, every action on it is allowed. This is a default-allow policy: a misspelled feature name in a request, or in the feature key of a rule, is silently allowed rather than denied, so verify that each rule you add is actually reached.
- If a feature rule exists, all of its conditions must hold; any failing condition denies access.
sensor-7-in-1 currently requires resource.sensor_codes to include one of the supported 7-in-1 sensor codes (sensor-7-in-1 or sensor_7_soil_moisture_sensor_v1_2).
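The following Rego sketch shows the rule structure described above in working form. It is an added illustration, not the project's policies/authz.rego: the package name, the sensor-7-in-1 rule and the supported codes come from this README, while the export-report feature, its gold-plan condition, the response shape of batch_decision and the input.feature field of the single-feature endpoint are assumptions made for the example.

```rego
package croplogic.authz

import rego.v1

# Supported 7-in-1 sensor codes named in the README.
supported_7in1_codes := {"sensor-7-in-1", "sensor_7_soil_moisture_sensor_v1_2"}

# feature_denied is the set of features that have a rule and fail it.
# A feature without any rule never lands in this set, so it is allowed.

# sensor-7-in-1: resource.sensor_codes must contain a supported code.
# If sensor_codes is absent from the input, has_supported_7in1 is
# undefined and the feature is denied, so this rule fails closed.
has_supported_7in1 if {
	some code in input.resource.sensor_codes
	code in supported_7in1_codes
}

feature_denied contains "sensor-7-in-1" if not has_supported_7in1

# Hypothetical second rule (assumption, not in the project): export-report
# requires the gold plan and only supports the view and export actions.
# Every condition must hold; any failing one denies the feature.
export_report_ok if {
	"gold" in input.resource.subscription_plan_codes
	input.action in {"view", "export"}
}

feature_denied contains "export-report" if not export_report_ok

# Per-feature verdict: false only when the feature has a rule and fails it.
feature_allowed(feature) := false if {
	feature in feature_denied
} else := true

# Requested features that were denied. An empty or missing
# input.features list yields an empty set, i.e. nothing is denied.
denied_features := {f | some f in input.features; f in feature_denied}

default all_allowed := false

all_allowed if count(denied_features) == 0

# Batch endpoint (POST /v1/data/croplogic/authz/batch_decision).
# The response shape is an assumption; the README does not show it.
batch_decision := {
	"allow": all_allowed,
	"denied": denied_features,
	"features": {f: feature_allowed(f) | some f in input.features}
}

# Single-feature endpoint (POST /v1/data/croplogic/authz/decision).
# The README does not show its input; this example assumes the feature
# name arrives as input.feature.
decision := {"allow": feature_allowed(input.feature)}
```

To check a rule offline, save the value of the "input" key from the example request above as input.json and run opa eval -i input.json -d policies/authz.rego 'data.croplogic.authz.batch_decision'; with "sensor_codes" emptied, the sensor-7-in-1 entry in "features" flips to false and "allow" becomes false. The import rego.v1 line needs OPA 0.59 or newer and is implied on OPA 1.x.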