-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
glob.match function does not default delimiter like the docs describe #2039
Comments
It seems to be an issue with the globbing of |
@FredrikAppelros thanks for filing this (and btw, this is an excellent bug report...) Executing the query with the partial eval optimization enabled does return a different answer. With tracing enabled we can see what's different:
This line suggests the rule indexer is to blame: EDIT: whoops, hit enter too soon.
The rule indexer builds a trie/multi-dimensional index out of If we partially evaluate the policy we can see what's actually be evaluated when ?partial is used:
If the last expression in the Now, the interesting thing is that I would NOT have expected
The reason the partially evaluated policy returns a different answer is that the expression has been simplified to the point where the rule indexer can understand it. The rule indexer implements the defaulting described in the docs: Line 716 in 4ffd5ff
It looks like the built-in function in the evaluator has not implemented defaulting described in the docs: https://github.com/open-policy-agent/opa/blob/master/topdown/glob.go#L39. The solution would appear to be a simple fix in the evaluator's built-in implementation that checks if the delimiter slice is empty and defaults to cc @aeneasr do you have any thought son what the correct behaviour is for the built-in function? See the four REPL examples above (per the docs the built-in is supposed to default the delimiters to |
Thank you for the detailed explanation and quick response! |
The documentation says that the default delimeter for glob is `["."]` but the implementation did not actually do this (for the normal built in). This corrects the implementation to actually default to the correct value when it is omitted. Fixes: open-policy-agent#2039 Signed-off-by: Patrick East <[email protected]>
The documentation says that the default delimeter for glob is `["."]` but the implementation did not actually do this (for the normal built in). This corrects the implementation to actually default to the correct value when it is omitted. Fixes: #2039 Signed-off-by: Patrick East <[email protected]>
Expected Behavior
Queries for a particular document should return the same result both with and without the
partial
parameter as detailed here.Using the policy and request given below we would expect the following response:
Actual Behavior
We receive expected response when querying the document without the
partial
parameter. However when we add it we instead get the following response:Steps to Reproduce the Problem
opa run -s authz.rego
partial
parameter:curl "http://localhost:8181/v1/data/authz/allow" -d '{"input": {"user": {"name": "bob", "groups": ["admins"]}, "resource": {"name": "foo"}, "operation": "foo.read"}}'
partial
parametercurl "http://localhost:8181/v1/data/authz/allow?partial" -d '{"input": {"user": {"name": "bob", "groups": ["admins"]}, "resource": {"name": "foo"}, "operation": "foo.read"}}'
Additional Info
Use the following request body when calling the data API:
You can find example code of the issue in this gist.
The text was updated successfully, but these errors were encountered: