Cannot get policy to work when using external data #3423
Comments
Regarding issue 1: You don't need to key your input on the key "input" in the playground. For example, see this.
The playground does not require or expect
ok thanks for the quick response/help. It seems like I do need the
Does the path where I upload the data to (/v1/data/roles above) matter? thx
I realized I needed to upload the data to /v1/data and not under /v1/data/roles. I guess then Issue #2 is resolved. I figured if it was uploaded under /v1/data/roles then I would be accessing it as "data.roles.Roles['Role5']" instead... thx
I have two issues.
Issue 1:
I have this simple policy with some data and sample input in rego playground. It evaluates to false with that input and I am not sure I understand why. I expected it to evaluate the allow to true.
One of the rules refers to external data (issue title) but right now even the other two rules not relying on external data do not evaluate to true.
Specifically, what could I be missing with the "is_role5" rule in terms of the policy content, how it is referencing data or the data itself?
Issue 2:
I am running the latest version of the openpolicyagent/opa:latest container image as a standalone server. I have added/uploaded the same policy and data to my OPA server as in rego playground above. I confirmed they are loaded properly by querying them ok.
I used the following to evaluate the policy:
curl -X POST http://$OPA_SVC/v1/data/stresstest/authz/allow -H "Content-Type: application/json" -d@<input.json>
When the input.json has either of the following contents, the policy evaluates to {"result":true} as one would expect. Note this does not work in rego playground.
{ "input": { "method": "GET" } }
{ "input": { "subject": { "groups": ["admin", "dev"] } } }
When the input.json has the following contents, and using the same curl cmd above to evaluate, it evaluates to false. I am interested in getting this to work; currently it does not seem to work in my OPA server and in rego playground either.
{ "input": { "user": "user61" } }
Thanks for any pointers/help.
KB
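The two resolutions reached in the comments (data loaded at /v1/data rather than /v1/data/roles, and the "input" envelope being a REST API convention that the playground does not use) can be checked with `opa test`. This is an added example, not the policy from the thread: the package name comes from the curl URL above, while the `is_role5` body, the shape of `Roles` and the `sample_roles` values are assumptions constructed for illustration.

```rego
package stresstest.authz

import rego.v1

default allow := false

allow if is_role5

# Assumed data shape: {"Roles": {"Role5": ["user61", ...]}}.
# Loaded with PUT /v1/data it sits at the root of the data document,
# so the reference is data.Roles, not data.roles.Roles.
is_role5 if input.user in data.Roles.Role5

# Constructed sample data (not from the thread).
sample_roles := {"Role5": ["user61", "user62"]}

# Data at the root, input given as the input document itself.
test_allow_when_data_at_root if {
	allow with input as {"user": "user61"} with data.Roles as sample_roles
}

# Same data one level down, which is where PUT /v1/data/roles puts it:
# data.Roles is undefined, is_role5 is undefined, allow keeps its default.
test_deny_when_data_under_roles if {
	not allow with input as {"user": "user61"}
		with data.roles as {"Roles": sample_roles}
}

# REST-style body used as the input document (what the playground sees
# when the envelope is pasted in): the value is at input.input.user.
test_deny_when_envelope_left_in_input if {
	not allow with input as {"input": {"user": "user61"}}
		with data.Roles as sample_roles
}
```

A failing data lookup does not raise an error in Rego; the rule is simply undefined and `allow` falls back to `false`, which is why a wrong upload path looks like a policy denial.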