How to mask certain fields in opa http response ?

[um3sh]

I am able to mask sensitive data in decision logs but not in the http response, eg:

I want to use temporary variables in policy file like foo which stores some sensitive data but that is returned in the result payload.

policy

package httpapi.authz

default allow = false

foo := "bar"

allow {
    input.method == "GET"
}

policy_log.rego

package system.log

mask[
  {
    "op": "remove",
   "path": "/result/foo"
  }
]

curl -X GET localhost:8181/v1/data/httpapi/authz

{
  "decision_id": "...",
  "result": {
    "allow":  true
    "foo": "bar"
  }
}

How do I mask some fields in /v1/data/ response ?

[srenatus]

How do I mask some fields in /v1/data/ response ?

There is no masking for the data API, but you'd typically query for a rule: add /allow to the request path, like in this example:

curl -X GET localhost:8181/v1/data/httpapi/authz/allow

{
  "decision_id": "...",
  "result": true
}

[anderseknert]

Adding to what @srenatus said — if you'd like to restrict users to only have access to a particular path, you may do so via OPA's authentication and authorization capabilities.