Open Policy Agent
Partial evaluation condition location #548
Replies: 3 comments 15 replies
-
From which version are you upgrading? This could be a side effect related to ref head rules, but it's hard to tell without knowing your policy. There was no general "move stuff to support modules" bullet point because there hasn't been any such effort. |
Beta Was this translation helpful? Give feedback.
-
|
I'm currently upgrading from version 0.55.0. However, I'm starting to wonder if the difference is not a result of the upgrade but rather a result of changes made to the policy file. My policy looks something like this: `package sas.types.authz import future.keywords.contains default allow := false default grant := false default deny := false default authenticated_user := false default guest := false default current_user := "" claims := payload if { guest := g if { authenticated_user := a if { current_user := u if { current_user := claims.user_name everyone := e if { everyone := e if { all service rulesrule id: 1cecb68e-ea07-4e63-8c8d-47b5fdefa596grant if { rule id: 20df631c-73f2-40b3-92da-577860e4fc68grant if { Additional rules of similar structureservice specific rulesrule id: 3b31e89d-ed9e-475f-b8f8-cec1f54a2703grant if { rule id: 800d2c60-3540-46a3-bc45-85a468b0ee9cgrant if { rule id: 72f043a5-3c45-41ed-9365-d81d758b5bb2deny if { } rule id: 210f694f-e176-48df-9a45-73fc67b46daagrant if { rule id: f6332789-f9e0-4ca9-b49a-691cf889880dgrant if { additional rules of similar structurebulk decisionbulk_decisions contains result if { granted_links contains request if { denied_links contains request if { denied_links contains request if { bulk_decision := {"grantedLinks": granted_links} simple decisionsimple_decision contains result if { allow if { There were a couple recent changes made to the structure of the policy since I tested partial evaluation initially.
Would these changes impact the output of partial evaluation? |
Beta Was this translation helpful? Give feedback.
-
That's quite substantial changes, so I'd say "sure", but also -- do you bother much about the PE result changes? If so, why? |
Beta Was this translation helpful? Give feedback.
-
|
Yes, the partial evaluation changes are impactful to us as we are using the returned information to build a criteria clause for a SQL Statement. Some of our authorization rules use ABAC and require information from the row in the database to make a decision. So we would prefer to filter the data at the database level in this case. FWIW, this is the blog post we have been referring to: The documentation on the following page shows the partial evaluation information required to build the criteria clause showing up in the query section of the result. Is the information on the page out of date? Or could it be missing some information with respect to output and how the policy is defined? In general, I wasn't expecting the structure of the policy to affect the structure of the output for a partial evaluation call. |
Beta Was this translation helpful? Give feedback.
-
|
My guess is it's the |
Beta Was this translation helpful? Give feedback.
-
|
I commented out the following two defaults and ran the OPA cli. default allow := false
The output of the command with the "-f pretty" option is: Here is the output without the "-f pretty" option. The information required to build the SQL criteria clause still appears to be in the modules -> rules sections of the output. |
Beta Was this translation helpful? Give feedback.
-
|
What is the original form of the optimized |
Beta Was this translation helpful? Give feedback.
-
|
Thinking about it, since it's the optimized rule ( It might even be the |
Beta Was this translation helpful? Give feedback.
-
|
Attaching the input file and policy file for completeness. We can certainly consider parsing the information out of the modules/rules section if that is the right answer. However, I have some concern with doing that as it is unclear if a future modification to our policy will result in structural changes to the output again. |
Beta Was this translation helpful? Give feedback.
-
That's understandable. But since partial eval is eval of a policy, changing the policy can change the outcome. That's a fundamental limitation of the PE-and-SQL approach. It doesn't mean it cannot be made to work, but it requires some care and attention. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the explanation! That makes sense now. I don't think this will prevent us from using the partial evaluation functionality as I assume once our policy structure stabilizes the partial evaluation output should as well. In addition, our automated tests should catch any unexpected output and thus limit the risk of us delivering broken functionality as a result of a policy change. |
Beta Was this translation helpful? Give feedback.
-
|
Is it still possible to rely on the Query portion of the output to determine if the decision is unconditionally granted or partially granted as mentioned in the table found on this page: https://www.openpolicyagent.org/docs/latest/rest-api/#partially-evaluate-a-query The reason I'm asking is if I swap the token for one that is an administrator I would expect to receive an unconditional decision. However, I don't see an empty query in the response. I've confirmed I do receive an allow=true decision when dropping the partial evaluation arguments (-p -u "data.resources") from the command with the administrator token. Just looking to make sure I understand how to interpret the output correctly. Output: |
Beta Was this translation helpful? Give feedback.
-
|
Any thoughts on my previous question? Also, is there any documentation or unit tests that might help with understanding the AST better with respect to a partial evaluation decision? |
Beta Was this translation helpful? Give feedback.
-
|
I'm guessing that the "with" was inhibiting some things here. Can you retry this with your current set of policies? |
Beta Was this translation helpful? Give feedback.
-
|
Seeing the following error when attempting to use the "some" keyword in the rule conditions defined in the array of the function. Is the some keyword not supported in this case? Or is there an alternative syntax that should be used? I suspect it might be the latter so I tried poking around in the OPA source code but didn't have any luck finding an example like this.
|
Beta Was this translation helpful? Give feedback.
-
|
You can't use iteration directly inside of a set, but I guess you could turn it into a comprehension, like: {match |
some resource1 in data.resources
match := resource1.createdBy == claims.client_id
} == {true} |
Beta Was this translation helpful? Give feedback.
-
|
Thanks! That's working for this use case. I'm also converting the authorities array from the token into a set using the following syntax as described here:
When I attempt to use 'groups' in a rule condition this syntax works:
However, the syntax described here to check if the value exists doesn't appear to work.
Am I am misunderstanding how this should work? In our use case a token may have many authorities so I was hoping to optimize the check by using a set instead of an array. One additional thing that I noticed is that the use of "not" results in the following parse error.
Is 'not' disallowed when using an array of sets to define the rule condition? I guess I'm trying to understand what is allowed/disallowed when using this approach to defining the rule conditions? Playground example: |
Beta Was this translation helpful? Give feedback.
-
I'm in the process of upgrading to version 0.60 of OPA and I noticed that the location of the partial evaluation condition information in a response appears to have moved from the body of the Queries field to underneath the modules rules section. I looked over release notes but didn't find anything that mentioned this change. However, maybe I missed it. Can you confirm if the location has changed?
{
"partial": {
"queries": [
[
{
"index": 0,
"terms": {
"type": "ref",
"value": [
{
"type": "var",
"value": "data"
},
{
"type": "string",
"value": "partial"
},
{
"type": "string",
"value": "sas"
},
{
"type": "string",
"value": "audit"
},
{
"type": "string",
"value": "authz"
},
{
"type": "string",
"value": "allow"
}
]
}
}
]
],
"modules": [
{
"package": {
"path": [
{
"type": "var",
"value": "data"
},
{
"type": "string",
"value": "partial"
},
{
"type": "string",
"value": "sas"
},
{
"type": "string",
"value": "audit"
},
{
"type": "string",
"value": "authz"
}
]
},
"rules": [
{
"body": [
{
"index": 0,
"terms": {
"type": "boolean",
"value": true
}
}
],
"default": true,
"head": {
"name": "allow",
"value": {
"type": "boolean",
"value": false
},
"ref": [
{
"type": "var",
"value": "allow"
}
]
}
},
{
"body": [
{
"index": 0,
"terms": [
{
"type": "ref",
"value": [
{
"type": "var",
"value": "eq"
}
]
},
{
"type": "ref",
"value": [
{
"type": "var",
"value": "data"
},
{
"type": "string",
"value": "partial"
},
{
"type": "string",
"value": "sas"
},
{
"type": "string",
"value": "audit"
},
{
"type": "string",
"value": "authz"
},
{
"type": "string",
"value": "grant"
}
]
},
{
"type": "var",
"value": "$_term_1_21"
}
],
"with": [
{
"target": {
"type": "ref",
"value": [
{
"type": "var",
"value": "data"
},
{
"type": "string",
"value": "request"
}
]
},
"value": {
"type": "object",
"value": [
[
{
"type": "string",
"value": "permission"
},
{
"type": "string",
"value": "read"
}
],
[
{
"type": "string",
"value": "uri"
},
{
"type": "string",
"value": "/audit/entries/123"
}
]
]
}
}
]
},
{
"index": 1,
"terms": {
"type": "var",
"value": "$_term_1_21"
}
}
],
"head": {
"name": "allow",
"value": {
"type": "boolean",
"value": true
},
"ref": [
{
"type": "var",
"value": "allow"
}
]
}
},
{
"body": [
{
"index": 0,
"terms": {
"type": "boolean",
"value": true
}
}
],
"default": true,
"head": {
"name": "grant",
"value": {
"type": "boolean",
"value": false
},
"ref": [
{
"type": "var",
"value": "grant"
}
]
}
},
{
"body": [
{
"index": 0,
"terms": [
{
"type": "ref",
"value": [
{
"type": "var",
"value": "eq"
}
]
},
{
"type": "string",
"value": "wfuser1"
},
{
"type": "ref",
"value": [
{
"type": "var",
"value": "data"
},
{
"type": "string",
"value": "resources"
},
{
"type": "var",
"value": "__local51__36"
},
{
"type": "string",
"value": "user"
}
]
}
]
}
],
"head": {
"name": "grant",
"value": {
"type": "boolean",
"value": true
},
"ref": [
{
"type": "var",
"value": "grant"
}
]
}
}
]
}
]
}
}
Beta Was this translation helpful? Give feedback.
All reactions