Automating Policy-as-Code Generation Pipeline for Data Products: An OpenAPI-Driven Rego Generator

At the core of data mesh there are data products: autonomous units that expose data via REST-based programmatic interfaces, while preserving the provider sovereignty and ensuring the consumer trust. However, despite their flexibility, adopting data products raises challenges in defining and enforcing fine-grained, customizable access policies that apply to different domains, such as security and usage. This work investigates the potential of a policy-as-code approach to support policy specification and automated compliance in data product architectures. We propose an extension to the OpenAPI specification that (i) allows security and transformation policies to be represented directly within a data product’s OpenAPI description, (ii) feeds an automated pipeline to generate Open Policy Agent (OPA) Rego rules.