
Comments (4)

johanfylling commented on May 8, 2024

I believe this is one and the same, @srenatus.

We've already confirmed that this is an issue when doing multiple enumerations within the same rule body also when the rule has a constant result, so we should be able to adjust/simplify the provided example, and still see the behavior. I'll do that and report my findings here.

from opa.

srenatus commented on May 8, 2024

It sounds like you're expecting this rule to exit on the first match?

authz_check_for_node_access = output {
        # Get all the assigned node values given a role and node name that user already has
        assigned_nodes := get_user_node_values(node_name)

        assigned_node = assigned_nodes[_]
        print("Assigned node to look into: ", assigned_node)

        # get all the nodes present in path(s) between source and target if a path exists
        nodes_in_path = get_all_covered_nodes(assigned_node, node_to_search)
        covered_node = nodes_in_path[_]

        # check if any of the node present in the path satisfies the given condition
        print("Covered nodes between source: ", assigned_node, " and target: ", node_name, " are: ", nodes_in_path)
        check_sub_nodes(covered_node, sub_node_name, sub_node_value) == true

        print("All the sub-nodes matched. Ending search now...")
        output := allowedResponse
} else = output {
        output := denyResponse
}

I'm afraid OPA can't do that. Early exit is only possible for rules with constant values; output is not constant.

OPA needs to check all other values to ensure that there's no conflict. Imagine for some other binding of the values inside the rule body output would be something else -- it would be an evaluation-time conflict that OPA would error with.

However, the rule output can be made constant if you replace allowedResponse with true, and omit the else branch:

authz_check_for_node_access := true { 
   # ...
} # no else

and adapt your other code accordingly. Then the expectation of EE for that rule would be valid.


srenatus commented on May 8, 2024

@johanfylling is this the same pattern as the other bug we've been discussing around EE lately?


johanfylling commented on May 8, 2024

A fix for this issue has been merged to main, and will be part of the next OPA release.

Please note that Early Exit only applies to rules/functions with results known at compile-time. To have EE apply to the sample supplied in this issue, at least the "main" data.sample_rego.authz_check_for_node_access rule must be modified to not return a variable result, e.g.:

authz_check_for_node_access {
        # Get all the assigned node values given a role and node name that user already has
        assigned_nodes := get_user_node_values(node_name)

        assigned_node = assigned_nodes[_]
        print("Assigned node to look into: ", assigned_node)

        # get all the nodes present in path(s) between source and target if a path exists
        nodes_in_path = get_all_covered_nodes(assigned_node, node_to_search)
        covered_node = nodes_in_path[_]

        # check if any of the node present in the path satisfies the given condition
        print("Covered nodes between source: ", assigned_node, " and target: ", node_name, " are: ", nodes_in_path)
        check_sub_nodes(covered_node, sub_node_name, sub_node_value) == true

        print("All the sub-nodes matched. Ending search now...")
}

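A complete policy that puts the two rule shapes discussed by srenatus and johanfylling side by side, as an added example that is not part of the original issue or of the OPA project's code. The node sets, the path map and the `via` field are constructed stand-ins for the issue's get_user_node_values / get_all_covered_nodes / check_sub_nodes helpers, and the rule names are assumptions; the policy uses `import rego.v1` syntax so it loads on current OPA releases.

```rego
package sample_rego

import rego.v1

# Constructed sample data; the real policy would take these from input/data.

# Nodes already assigned to the user (stands in for get_user_node_values).
assigned_nodes := {"node-a", "node-b", "node-c"}

# Hypothetical path map: assigned node -> nodes covered on the way to the target
# (stands in for get_all_covered_nodes).
covered_nodes := {
	"node-a": {"n1", "n2"},
	"node-b": {"n3"},
	"node-c": {"n4", "n5"},
}

# Sub-nodes that satisfy the condition (stands in for check_sub_nodes).
matching_sub_nodes := {"n2", "n4"}

allowed_response := {"decision": "allow"}

deny_response := {"decision": "deny"}

# 1. Variable-valued head, the shape from the issue. OPA cannot stop at the
#    first match: it must enumerate every (assigned_node, covered_node) pair to
#    prove that no other binding gives `out` a different value. Both matches
#    here (node-a/n2 and node-c/n4) bind `out` to the same object, so the rule
#    evaluates fine, but the print below still fires once per matching pair.
response_variable_head = out if {
	some assigned_node in assigned_nodes
	some covered_node in covered_nodes[assigned_node]
	covered_node in matching_sub_nodes
	print("variable head: matched", assigned_node, "via", covered_node)
	out := allowed_response
} else = deny_response

# 2. Same body, but the head is the constant `true`, so early exit applies and
#    evaluation stops at the first binding that satisfies the body. With EE in
#    effect (after the fix referenced in the thread) this print fires once.
default allow := false

allow if {
	some assigned_node in assigned_nodes
	some covered_node in covered_nodes[assigned_node]
	covered_node in matching_sub_nodes
	print("constant head: matched", assigned_node, "via", covered_node)
}

# 3. The allow/deny payload moves into a separate rule whose body is a single
#    boolean lookup, so nothing is enumerated here and no else branch is needed.
default response := {"decision": "deny"}

response := allowed_response if allow

# 4. Why a variable head cannot early-exit: when the bound value depends on the
#    binding, a second match is a conflict rather than a redundant result.
#    Querying this rule fails with an eval_conflict_error ("complete rules must
#    not produce multiple outputs") because node-a and node-c disagree on `via`.
response_conflict = out if {
	some assigned_node in assigned_nodes
	some covered_node in covered_nodes[assigned_node]
	covered_node in matching_sub_nodes
	out := {"decision": "allow", "via": assigned_node}
}
```

Query the rules one at a time, for example `opa eval -d policy.rego data.sample_rego.allow` and `opa eval -d policy.rego data.sample_rego.response_variable_head`, and compare the `print` lines on stderr: the constant-head rule stops after the first match, the variable-head rule walks every pair. Querying `data.sample_rego.response_conflict` is the negative case and is expected to fail with the conflict error.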
