
Cannot get policy to work when using external data #3423

Closed
kyle-burnette opened this issue Apr 29, 2021 · 4 comments

@kyle-burnette

I have two issues.
Issue 1:
I have this simple policy with some data and sample input in rego playground. It evaluates to false with that input and I am not sure I understand why. I expected it to evaluate the allow to true.
One of the rules refers to external data (issue title) but right now even the other two rules not relying on external data do not evaluate to true.
Specifically, what could I be missing with the "is_role5" rule in terms of the policy content, how it is referencing data or the data itself?

Issue 2:
I am running the latest version of the openpolicyagent/opa:latest container image as a standalone server. I have added/uploaded the same policy and data to my OPA server as in the Rego playground above, and confirmed they are loaded properly by querying them.

I used the following to evaluate the policy:
curl -X POST http://$OPA_SVC/v1/data/stresstest/authz/allow -H "Content-Type: application/json" -d @input.json

When the input.json has either of the following contents, the policy evaluates to {"result":true} as one would expect. Note this does not work in the Rego playground.
{ "input": { "method": "GET" } }
{ "input": { "subject": { "groups": ["admin", "dev"] } } }
When the input.json has the following contents, and using the same curl cmd above to evaluate, it evaluates to false. I am interested in getting this to work; currently it does not seem to work in my OPA server or in the Rego playground either.
{ "input": { "user": "user61" } }

Thanks for any pointers/help.
KB

@ashutosh-narkar
Member

Regarding issue 1: You don't need to key your input on the key "input" in the playground. For example, see this.

@anderseknert
Member

The playground does not require or expect input to be a defined attribute in the input. Either remove that or change your policy to refer to input.input.

@kyle-burnette
Author

kyle-burnette commented Apr 29, 2021

OK, thanks for the quick response/help.
That took care of Issue #1.

It seems like I do need the "input" key when evaluating the policy/rules using OPA's REST API, because with the same first two inputs (as below) the policy's allow does evaluate to true.
{ "input": { "method": "GET" } }

{ "input": { "subject": { "groups": ["admin", "dev"] } } }
But in my OPA server instance, with the same policy (attached) and the same external data (attached), with this input { "input": { "user": "user61" } } it evaluates is_role5 and allow to false.
The policy & data was uploaded using these cmds:
curl -X PUT -H "Content-Type: text/plain" http://$OPA_SVC/v1/policies/stresstest --data-binary @stp.rego
curl -X PUT -H "Content-Type: application/json" http://$OPA_SVC/v1/data/roles --data-binary @roles.json

Does the path where I upload the data to (/v1/data/roles above) matter?

thx
KB
policy-and-data-files.zip

@kyle-burnette
Author

kyle-burnette commented Apr 29, 2021

I realized I needed to upload the data to /v1/data and not under /v1/data/roles.

I guess then Issue #2 is resolved. I figured if it was uploaded under /v1/data/roles then I would be accessing it as data.**roles**.Roles['Role5'] instead...

thx
KB
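As an added example (not the stp.rego or roles.json attached to the issue, which are not shown on this page), here is a Rego policy in the stresstest.authz package with the three kinds of rules the thread describes, plus opa test cases that reproduce both findings: the REST API's "input" wrapper versus the playground's bare input, and the difference between uploading roles.json to /v1/data and to /v1/data/roles. The shape of roles.json (a top-level "Roles" object whose "Role5" entry is a list of user names), the user names in the fixture and the exact rule bodies are assumptions made for this example.

```rego
# Added example, not the issue author's attached stp.rego / roles.json (those are
# not shown on the page). The package matches the query path used in the thread,
# POST /v1/data/stresstest/authz/allow. The shape of roles.json is an assumption:
# a top-level "Roles" object whose "Role5" entry is a list of user names.
package stresstest.authz

default allow = false

# Rule 1: plain request-metadata check, no external data needed.
allow {
    input.method == "GET"
}

# Rule 2: group membership carried in the input itself.
allow {
    some i
    input.subject.groups[i] == "admin"
}

allow {
    some i
    input.subject.groups[i] == "dev"
}

# Rule 3: membership looked up in external data. Because roles.json is uploaded
# with PUT /v1/data, its top-level "Roles" key is addressable as data.Roles.
# Had it been uploaded with PUT /v1/data/roles it would live at data.roles.Roles
# and this reference would be undefined, so allow would stay at its default.
allow {
    is_role5
}

is_role5 {
    some i
    data.Roles["Role5"][i] == input.user
}

# ---- tests: run with `opa test -v <this file>` ----

# Constructed fixture standing in for roles.json (assumed shape, assumed users).
roles_fixture = {"Roles": {"Role5": ["user61", "user62"]}}

# Playground-style input: the document itself, no "input" wrapper.
test_user61_allowed_via_role5 {
    allow with input as {"user": "user61"} with data.Roles as roles_fixture.Roles
}

# Same policy, but the data mounted under the "roles" prefix (PUT /v1/data/roles):
# data.Roles is undefined, so is_role5 is undefined and allow falls back to false.
test_data_under_wrong_prefix_denies {
    not allow with input as {"user": "user61"} with data.roles as roles_fixture
}

# A REST request body wraps the document in "input" and OPA unwraps it before
# evaluation. Feeding that wrapped form directly (as the playground input box
# does) puts the user at input.input.user, so is_role5 no longer matches.
test_wrapped_input_denies {
    not allow with input as {"input": {"user": "user61"}} with data.Roles as roles_fixture.Roles
}

test_get_allowed_without_data {
    allow with input as {"method": "GET"}
}

test_unknown_user_denied {
    not allow with input as {"user": "user99"} with data.Roles as roles_fixture.Roles
}
```

Run the tests with `opa test -v policy.rego`. Against a live server the equivalent checks are: upload the data with PUT /v1/data so the file's top-level keys become data.<key>, then POST /v1/data/stresstest/authz/allow with a body of the form {"input": {...}}. Anything uploaded under /v1/data/roles instead has to be referenced as data.roles.<key> in the policy, which is exactly the mismatch behind Issue #2.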
