Using an "input" attribute for default decision queries results in "undefined_document" error #5344

Closed
anderseknert opened this issue Nov 2, 2022 · 8 comments · Fixed by #5420


@anderseknert
Member

When querying OPA for the default decision (i.e. localhost:8181/), wrapping the input with an "input" attribute is incorrect, but the error message does nothing to hint at that:

{
  "code": "undefined_document",
  "message": "document missing or undefined: data.system.main"
}

Removing the input attribute from the request body and the same query works — the error message is thus misleading. We should fix the error message to let the user know why the query failed.
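
The two request shapes discussed above, as an added example that is not part of the original issue or of OPA's code base. `NewDecisionRequest` and `LooksWrapped` are hypothetical helpers, and the input document is constructed; the sketch builds the body for the default decision endpoint (`/`, raw input) and for the Data API (`/v1/data/...`, input wrapped in `"input"`), and flags the wrapped shape.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// NewDecisionRequest (hypothetical helper): for the default decision ("/") the body
// is the input itself; for the Data API ("/v1/data/...") it is {"input": ...}.
func NewDecisionRequest(baseURL, path string, input interface{}) (*http.Request, error) {
	payload := input
	if strings.HasPrefix(path, "/v1/data") {
		payload = map[string]interface{}{"input": input}
	}
	body, err := json.Marshal(payload)
	if err != nil {
		return nil, err
	}
	url := strings.TrimRight(baseURL, "/") + path
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	return req, nil
}

// LooksWrapped: body is a JSON object whose only key is "input" (heuristic for the mistake).
func LooksWrapped(body []byte) bool {
	var obj map[string]json.RawMessage
	if json.Unmarshal(body, &obj) != nil {
		return false
	}
	_, ok := obj["input"]
	return ok && len(obj) == 1
}

func main() {
	input := map[string]interface{}{"user": "alice", "method": "GET"} // constructed sample
	for _, p := range []string{"/", "/v1/data/system/main"} {
		req, _ := NewDecisionRequest("http://localhost:8181", p, input)
		b, _ := io.ReadAll(req.Body)
		fmt.Printf("POST %-21s %s wrapped=%v\n", p, b, LooksWrapped(b))
	}
}
```

`LooksWrapped` is only a heuristic: a policy whose input legitimately has a single top-level `input` key would also match.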

@srenatus
Contributor

srenatus commented Nov 2, 2022

We should give a more differentiated answer. Is there no default policy, or is there one and the result is undefined?

@forgedbrew

I'm also seeing this, but I'm not sure if it is related. I have not yet been able to determine what is causing this error. What exactly does this error mean?

I'm seeing this from the OPA pod logs:

{
  "code": "undefined_document",
  "message": "document missing or undefined: data.system.main"
}

And I'm seeing this in the kube-apiserver logs:

W1109 22:30:42.884443       1 dispatcher.go:134] Failed calling webhook, failing closed validating-webhook.openpolicyagent.org: failed calling webhook "validating-webhook.openpolicyagent.org": the server could not find the requested resource
W1109 22:30:42.958890       1 dispatcher.go:134] Failed calling webhook, failing closed validating-webhook.openpolicyagent.org: failed calling webhook "validating-webhook.openpolicyagent.org": the server could not find the requested resource
W1109 22:30:43.038070       1 dispatcher.go:134] Failed calling webhook, failing closed validating-webhook.openpolicyagent.org: failed calling webhook "validating-webhook.openpolicyagent.org": the server could not find the requested resource
W1109 22:30:54.229130       1 dispatcher.go:134] Failed calling webhook, failing closed validating-webhook.openpolicyagent.org: failed calling webhook "validating-webhook.openpolicyagent.org": the server could not find the requested resource

@srenatus
Contributor

@forgedbrew this is impossible to answer without knowing your policy. I'd presume that it yields an undefined result for the input in question.

@anderseknert
Member Author

@forgedbrew in most cases, it just means that OPA has not been provided any policy file that defines an authorization policy — i.e. one that protects the OPA endpoints themselves.

@forgedbrew

Thank you, @srenatus and @anderseknert.

Does that pertain to both messages, or just the "undefined_document" message? We have been running OPA for a few years, but suddenly this week the kube-apiserver started spewing these logs, but we've made no recent changes.

W1109 22:30:42.884443       1 dispatcher.go:134] Failed calling webhook, failing closed validating-webhook.openpolicyagent.org: failed calling webhook "validating-webhook.openpolicyagent.org": the server could not find the requested resource
W1109 22:30:42.958890       1 dispatcher.go:134] Failed calling webhook, failing closed validating-webhook.openpolicyagent.org: failed calling webhook "validating-webhook.openpolicyagent.org": the server could not find the requested resource
W1109 22:30:43.038070       1 dispatcher.go:134] Failed calling webhook, failing closed validating-webhook.openpolicyagent.org: failed calling webhook "validating-webhook.openpolicyagent.org": the server could not find the requested resource
W1109 22:30:54.229130       1 dispatcher.go:134] Failed calling webhook, failing closed validating-webhook.openpolicyagent.org: failed calling webhook "validating-webhook.openpolicyagent.org": the server could not find the requested resource

@anderseknert
Member Author

It only pertains to the "undefined_document" error, but the error shown in the Kubernetes API server logs is likely a consequence of that. Strange how that would just pop up — we've not done any changes in that area in quite some time. How are your policies loaded into OPA? Is it via a mounted volume? And could that have changed somehow?

@forgedbrew

Thanks, @anderseknert. We found the issue.

Someone created a DNS record for localhost, so it was resolving to an actual IP address instead of 127.0.0.1.
Therefore, when the OPA pods started up and made their calls to obtain the policies from the ConfigMap, they failed and the OPA webhook didn't get the policies.
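
A startup preflight for the failure described above, as an added example that is not part of the original thread or of OPA's code: it fails when `localhost` resolves to anything other than a loopback address. `CheckLocalhost` and `NonLoopback` are hypothetical names, and the resolver is passed in so the check can be exercised without touching DNS.

```go
package main

import (
	"fmt"
	"net"
)

// NonLoopback returns every entry of addrs that is not a loopback IP.
// Entries that do not parse as an IP address are reported as well.
func NonLoopback(addrs []string) []string {
	var bad []string
	for _, a := range addrs {
		if ip := net.ParseIP(a); ip == nil || !ip.IsLoopback() {
			bad = append(bad, a)
		}
	}
	return bad
}

// CheckLocalhost resolves name with lookup and returns an error unless every
// returned address is loopback (127.0.0.0/8 or ::1).
func CheckLocalhost(name string, lookup func(string) ([]string, error)) error {
	addrs, err := lookup(name)
	if err != nil {
		return fmt.Errorf("resolving %q: %w", name, err)
	}
	if len(addrs) == 0 {
		return fmt.Errorf("%q resolved to no addresses", name)
	}
	if bad := NonLoopback(addrs); len(bad) > 0 {
		return fmt.Errorf("%q resolves to non-loopback address(es) %v", name, bad)
	}
	return nil
}

func main() {
	// net.LookupHost uses the system resolver, so a stray DNS record for
	// "localhost" shows up here in the same way it would for the pod.
	if err := CheckLocalhost("localhost", net.LookupHost); err != nil {
		fmt.Println("preflight failed:", err)
		return
	}
	fmt.Println("localhost resolves to loopback only")
}
```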

@anderseknert
Member Author

Oh! Happy to hear it was resolved 👍

@anderseknert anderseknert self-assigned this Nov 18, 2022
anderseknert added a commit to anderseknert/opa that referenced this issue Nov 28, 2022
Since "document missing or undefined" caused confusion, we can be
more helpful and report whether the default decision document is
missing, or whether it's there but undefined. I would probably have
preferred for undefined to just result in an empty/undefined result,
but that'd be quite a breaking change at this point in time, so
hopefully this can at least make things a little less convoluted.

Fixes open-policy-agent#5344

Signed-off-by: Anders Eknert <anders@eknert.com>
srenatus pushed a commit that referenced this issue Nov 29, 2022
…cision (#5420)

Since "document missing or undefined" caused confusion, we can be
more helpful and report whether the default decision document is
missing, or whether it's there but undefined. I would probably have
preferred for undefined to just result in an empty/undefined result,
but that'd be quite a breaking change at this point in time, so
hopefully this can at least make things a little less convoluted.

Fixes #5344

Signed-off-by: Anders Eknert <anders@eknert.com>