Comments (4)
I believe this is one and the same, @srenatus.
We've already confirmed that this is an issue when doing multiple enumerations within the same rule body also when the rule has a constant result, so we should be able to adjust/simplify the provided example, and still see the behavior. I'll do that and report my findings here.
It sounds like you're expecting this rule to exit on the first match?
```rego
authz_check_for_node_access = output {
    # Get all the assigned node values given a role and node name that user already has
    assigned_nodes := get_user_node_values(node_name)
    assigned_node = assigned_nodes[_]
    print("Assigned node to look into: ", assigned_node)
    # get all the nodes present in path(s) between source and target if a path exists
    nodes_in_path = get_all_covered_nodes(assigned_node, node_to_search)
    covered_node = nodes_in_path[_]
    # check if any of the node present in the path satisfies the given condition
    print("Covered nodes between source: ", assigned_node, " and target: ", node_name, " are: ", nodes_in_path)
    check_sub_nodes(covered_node, sub_node_name, sub_node_value) == true
    print("All the sub-nodes matched. Ending search now...")
    output := allowedResponse
} else = output {
    output := denyResponse
}
```
I'm afraid OPA can't do that. Early exit is only possible for rules with constant values; `output` is not constant.
OPA needs to check all other values to ensure that there's no conflict. Imagine for some other binding of the values inside the rule body `output` would be something else -- it would be an evaluation time conflict that OPA would error with.
However, the rule output can be made constant if you replace `allowedResponse` with `true`, and omit the `else` branch:
```rego
authz_check_for_node_access := true {
    # ...
} # no else
```
and adapt your other code accordingly. Then the expectation of EE for that rule would be valid.
@johanfylling is this the same pattern as the other bug we've been discussing around EE lately?
A fix for this issue has been merged to `main`, and will be part of the next OPA release.
Please note that Early Exit only applies to rules/functions with results known at compile-time. To have EE apply to the sample supplied in this issue, at least the "main" `data.sample_rego.authz_check_for_node_access` rule must be modified to not return a variable result, e.g.:
```rego
authz_check_for_node_access {
    # Get all the assigned node values given a role and node name that user already has
    assigned_nodes := get_user_node_values(node_name)
    assigned_node = assigned_nodes[_]
    print("Assigned node to look into: ", assigned_node)
    # get all the nodes present in path(s) between source and target if a path exists
    nodes_in_path = get_all_covered_nodes(assigned_node, node_to_search)
    covered_node = nodes_in_path[_]
    # check if any of the node present in the path satisfies the given condition
    print("Covered nodes between source: ", assigned_node, " and target: ", node_name, " are: ", nodes_in_path)
    check_sub_nodes(covered_node, sub_node_name, sub_node_value) == true
    print("All the sub-nodes matched. Ending search now...")
}
```
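As an added illustration (not code from the issue or from OPA itself), the policy below applies the advice in the second and fourth comments: the iterating rule is kept constant-valued so early exit can apply, and the allow/deny payload is built by a separate rule that does not iterate. The data documents (`assigned_nodes`, `nodes_in_path`, `sub_nodes`), the response objects and the `input` fields are constructed stand-ins for the issue's helper functions, and the pre-1.0 rule syntax of the thread is used.

```rego
package sample_rego

# Constructed stand-ins for the issue's helper functions (assumed, not from the thread):
# nodes the user already holds, the path covered from each, and per-node attributes.
assigned_nodes := {"nodeA", "nodeB", "nodeC"}

nodes_in_path := {
    "nodeA": ["nodeA", "nodeX"],
    "nodeB": ["nodeB", "nodeY", "nodeZ"],
    "nodeC": ["nodeC"],
}

sub_nodes := {"nodeY": {"env": "prod"}, "nodeZ": {"env": "staging"}}

allowedResponse := {"allowed": true, "reason": "a covered node matched"}

denyResponse := {"allowed": false, "reason": "no covered node matched"}

# A function whose result is constant (true or undefined) is also early-exit eligible.
check_sub_nodes(node, name, value) {
    sub_nodes[node][name] == value
}

# Constant-valued rule: the result is known at compile time, so as soon as one
# (assigned_node, covered_node) binding satisfies the body OPA can stop iterating.
# The original `= output { ... } else = output { ... }` form cannot do this, because
# `output` varies with the body and every binding must be checked for conflicts.
node_access_granted := true {
    assigned_node := assigned_nodes[_]
    covered_node := nodes_in_path[assigned_node][_]
    check_sub_nodes(covered_node, input.sub_node_name, input.sub_node_value)
}

# The allow/deny payload comes from a separate rule that does not iterate, so callers
# still receive the original response objects. The input fields are assumed names.
authz_check_for_node_access = allowedResponse {
    node_access_granted
} else = denyResponse
```

Evaluate `data.sample_rego.authz_check_for_node_access` with an input such as `{"sub_node_name": "env", "sub_node_value": "prod"}`; only `node_access_granted` performs the iteration, and it is the rule early exit can now short-circuit.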