open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0
9.61k stars, 1.33k forks

Providing multiple input to REGO - Question #2687

Closed Jeyakumardevarajulu closed 4 years ago

Jeyakumardevarajulu commented 4 years ago

I have to refer to multiple JSON files as input for a Rego file, and I have tried to execute it with the command below

opa eval -i input.json -d testPolicy.rego -d user_groups.json -d records.json "data"

But when I try to access the attributes of user_groups.json it shows

From Rego I am accessing it like below:

user_groups.user_name

below is the user_groups.json

{
  "jk@lti.com": {
    "groups": [
      { "name": "service.validator" },
      { "name": "service.search" },
      { "name": "service.view," }
    ]
  }
}

Expected Behavior

Actual Behavior

{
  "errors": [
    {
      "message": "var user_groups is unsafe",
      "code": "rego_unsafe_var_error",
      "location": {
        "file": "testPolicy.rego",
        "row": 46,
        "col": 25
      }
    }
  ]
}

Steps to Reproduce the Problem

Additional Info

patrick-east commented 4 years ago

Please provide more information about the policy (please share the full Rego file if possible) and how you are using OPA (eg, opa eval .. on the CLI, via REST API, etc).

The error message of var user_groups is unsafe could be caused by a number of things. At a guess when you are referencing user_groups.user_name you are not using the right path. You can "view" the full loaded document if you query for data. Be sure to read through https://www.openpolicyagent.org/docs/latest/philosophy/#the-opa-document-model to get an understanding of how the documents are structured in OPA.

Jeyakumardevarajulu commented 4 years ago

Hi Patrick,

This is the command I am using to execute the Rego file. Is it possible to provide multiple files as data? In the case below they are user_groups.json and records.json.

opa eval -i input.json -d testPolicy.rego -d user_groups.json -d records.json "data"

patrick-east commented 4 years ago

is it possible to provide multiple file as data

Yes, and you are providing them correctly on the CLI.

If you would like more help troubleshooting the policy you'll need to share more of the policy. It is hard to give any guidance with the info currently provided.

Jeyakumardevarajulu commented 4 years ago

Hi Patrick,

Below is the simple rego file provided to access the values from

testPolicy_test.rego

package rbac.authz

is_user_owner_or_viewer[input_testing.users] {
    true
}

input_testing.json

{
  "users": {
    "jk@lti.com": {
      "email": "jk@lti.com",
      "userrole": "viewers"
    }
  },
  "usergroups": {
    "jk@lti.com": {
      "groups": [
        { "name": "admin", "email": "owner@lti.com" },
        { "name": "user,", "email": "user@lti.com" },
        { "name": "viewer", "email": "view@lti.com" }
      ]
    }
  }
}

Below is the command that I have executed

opa eval -i input_testing.json -d testPolicy_test.rego -d data_testing.json "data"

{
  "errors": [
    {
      "message": "var input_testing is unsafe",
      "code": "rego_unsafe_var_error",
      "location": {
        "file": "testPolicy_test.rego",
        "row": 2,
        "col": 25
      }
    }
  ]
}

Does the input file always have to be input.json and the data file always data.json? Can't we specify any other JSON file names?

patrick-east commented 4 years ago

I think there is maybe some confusion around how to reference the data in the documents. In the policy you have input_testing.users which is saying for some variable input_testing reference the "users" key. That variable doesn't exist anywhere, hence the error.

I'm assuming what you meant was to reference the input document, which you supplied on the CLI with -i input_testing.json. It is important to note that the contents of that file will be found under input.* in OPA, the filename is not used anywhere.

You can see this by querying for input like:

{11:40} /t/2687 ❯ opa eval -i input_testing.json -f pretty 'input'
{
  "usergroups": {
    "jk@lti.com": {
      "groups": [
        {
          "email": "owner@lti.com",
          "name": "admin"
        },
        {
          "email": "user@lti.com",
          "name": "user,"
        },
        {
          "email": "view@lti.com",
          "name": "viewer"
        }
      ]
    }
  },
  "users": {
    "jk@lti.com": {
      "email": "jk@lti.com",
      "userrole": "viewers"
    }
  }
}

With that in mind, try changing the policy to:

package rbac.authz

is_user_owner_or_viewer[input.users] {
    true
}

Going back to the original issue I see now that you had a similar problem with a data file (-d user_groups.json and the error when you referenced user_groups.user_name). Again the filename is not used when loading data into the data.* paths. The only caveat is when you specify a directory with -d or -b where the contents of the data files will be loaded at a path prefixed by the directory path it was found, eg opa eval -d ./foo ... where some data file is in ./foo/a/b/c/data.json will have the contents of data.json loaded into data.a.b.c.<contents>.
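A worked version of the scenario from this thread, added here as an illustration rather than code posted by anyone above: the "users" object is supplied with -i (so it is reachable under input.*) and the "usergroups" object is moved to a separate file passed with -d (so it is reachable under data.*). The file names input_users.json, groups.json and policy.rego and the rule names are assumptions.

```rego
# Added example, not from the thread. Assumed files:
#   input_users.json  -> passed with -i, contents appear under input.*
#   groups.json       -> passed with -d, contents appear under data.*
#
# input_users.json:
#   {"users": {"jk@lti.com": {"email": "jk@lti.com", "userrole": "viewers"}}}
# groups.json:
#   {"usergroups": {"jk@lti.com": {"groups": [
#       {"name": "admin",  "email": "owner@lti.com"},
#       {"name": "viewer", "email": "view@lti.com"}]}}}
#
# Run with (policy.rego is this file):
#   opa eval -i input_users.json -d groups.json -d policy.rego -f pretty 'data.rbac.authz'
#
# If groups.json instead sits at ./foo/a/b/c/groups.json and you pass -d ./foo,
# the same object is found at data.a.b.c.usergroups (directory path becomes the prefix).

package rbac.authz

# Group names that grant owner-or-viewer access.
allowed_groups := {"admin", "viewer"}

# Every user e-mail present in the input document.
# input.users is the correct reference; input_users.users would fail with
# "var input_users is unsafe" because the file name never becomes a variable.
users[email] {
    input.users[email]
}

# Group names per user, read from the data document by path (not by file name).
user_groups[email] = names {
    data.usergroups[email]
    names := {g.name | g := data.usergroups[email].groups[_]}
}

# A user is an owner or viewer when they appear in the input document and
# hold at least one allowed group in the data document.
is_user_owner_or_viewer[email] {
    input.users[email]
    g := data.usergroups[email].groups[_]
    allowed_groups[g.name]
}
```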

Jeyakumardevarajulu commented 4 years ago

Hi Patrick,

If I understand your statement correctly, we can specify the input file as input.json, not any other file name such as input1.json etc. Same with the case of data files as well.

Thanks JK

patrick-east commented 4 years ago

No, the file you pass in with the -i/--input parameter can be named anything, it will always be in OPA document structure under input.*

For files the name only matters if using bundles https://www.openpolicyagent.org/docs/latest/management/#bundle-file-format; otherwise the parameters for -d/--data again can have any file name.

patrick-east commented 4 years ago

Closing the issue out, I think the original issue has been solved. If there are further questions/issues feel free to reopen 😄