Closed Jeyakumardevarajulu closed 4 years ago
Please provide more information about the policy (please share the full Rego file if possible) and how you are using OPA (eg, `opa eval ..` on the CLI, via REST API, etc).
The error message of `var user_groups is unsafe` could be caused by a number of things. At a guess when you are referencing `user_groups.user_name` you are not using the right path. You can "view" the full loaded document if you query for `data`. Be sure to read through https://www.openpolicyagent.org/docs/latest/philosophy/#the-opa-document-model to get an understanding of how the documents are structured in OPA.
Hi Patrick,
This is the command I am using to execute the Rego file. Is it possible to provide multiple files as data? In the case below they are user_groups.json and records.json.
```
opa eval -i input.json -d testPolicy.rego -d user_groups.json -d records.json "data"
```
> is it possible to provide multiple file as data
Yes, and you are providing them correctly on the CLI.
If you would like more help troubleshooting the policy you'll need to share more of the policy. It is hard to give any guidance with the info currently provided.
Hi Patrick,
Below is the simple rego file provided to access the values from
testPolicy_test.rego
```
package rbac.authz
is_user_owner_or_viewer[input_testing.users] {
    true
}
```
input_testing.json
```
{
  "users": {
    "jk@lti.com": { "email": "jk@lti.com", "userrole": "viewers" }
  },
  "usergroups": {
    "jk@lti.com": {
      "groups": [
        { "name": "admin", "email": "owner@lti.com" },
        { "name": "user,", "email": "user@lti.com" },
        { "name": "viewer", "email": "view@lti.com" }
      ]
    }
  }
}
```
Below is the command that I have executed
```
opa eval -i input_testing.json -d testPolicy_test.rego -d data_testing.json "data"
{
  "errors": [
    {
      "message": "var input_testing is unsafe",
      "code": "rego_unsafe_var_error",
      "location": { "file": "testPolicy_test.rego", "row": 2, "col": 25 }
    }
  ]
}
```
Should the input file always be input.json and the data file always be data.json? Can't we specify any other JSON file names?
I think there is maybe some confusion around how to reference the data in the documents. In the policy you have `input_testing.users` which is saying for some variable `input_testing` reference the `"users"` key. That variable doesn't exist anywhere, hence the error.
I'm assuming what you meant was to reference the `input` document, which you supplied on the CLI with `-i input_testing.json`. It is important to note that the contents of that file will be found under `input.*` in OPA, the filename is not used anywhere.
You can see this by querying for `input` like:
```
{11:40} /t/2687 ❯ opa eval -i input_testing.json -f pretty 'input'
{
  "usergroups": {
    "jk@lti.com": {
      "groups": [
        {
          "email": "owner@lti.com",
          "name": "admin"
        },
        {
          "email": "user@lti.com",
          "name": "user,"
        },
        {
          "email": "view@lti.com",
          "name": "viewer"
        }
      ]
    }
  },
  "users": {
    "jk@lti.com": {
      "email": "jk@lti.com",
      "userrole": "viewers"
    }
  }
}
```
With that in mind, try changing the policy to:
```
package rbac.authz
is_user_owner_or_viewer[input.users] {
    true
}
```
Going back to the original issue I see now that you had a similar problem with a data file (`-d user_groups.json` and the error when you referenced `user_groups.user_name`). Again the filename is not used when loading data into the `data.*` paths. The only caveat is when you specify a directory with `-d` or `-b` where the contents of the data files will be loaded at a path prefixed by the directory path it was found, eg `opa eval -d ./foo ...` where some data file is in `./foo/a/b/c/data.json` will have the contents of `data.json` loaded into `data.a.b.c.<contents>`.
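Added example, not part of the thread and not the reporter's policy: one way to reach the contents of `user_groups.json` from the original report once it is loaded with `-d`, written in the same pre-1.0 Rego syntax as the policy above. The input shape (`user_name`, `required_group`) and the `allow` rule are assumptions made for illustration.

```rego
package rbac.authz

# Run as in the thread (file names are arbitrary and never become paths):
#   opa eval -i input.json -d testPolicy.rego -d user_groups.json "data.rbac.authz"
#
# Assumed input.json (hypothetical shape, not shown in the thread):
#   {"user_name": "jk@lti.com", "required_group": "service.search"}
#
# user_groups.json is the file from the issue. Loaded with -d as a single
# file, its top-level keys sit at the root of data:
#   data["jk@lti.com"].groups[0].name == "service.validator"

# Unsafe (the original error): user_groups is not a document, so Rego reads
# it as a variable that nothing ever binds.
#   groups := user_groups.user_name

# Safe: start every reference at input or data.
user_group_names[name] {
    name := data[input.user_name].groups[_].name
}

default allow = false

# Deny by default; allow only when the caller's groups contain the group the
# request needs. An unknown user leaves user_group_names empty, so allow
# stays false instead of raising an error.
allow {
    user_group_names[input.required_group]
}
```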
Hi Patrick,
If I understand your statement correctly, we can specify the input file as input.json, not any other file name such as input1.json etc. The same is the case with data files as well.
Thanks, JK
No, the file you pass in with the `-i`/`--input` parameter can be named anything, it will always be in OPA document structure under `input.*`.
For files the name only matters if using bundles https://www.openpolicyagent.org/docs/latest/management/#bundle-file-format otherwise the parameters for `-d`/`--data` again can have any file name.
Closing the issue out, I think the original issue has been solved. If there are further questions/issues feel free to reopen 😄
I have to refer to multiple JSON files as input for a Rego file, and I have tried to execute it with the command below:
```
opa eval -i input.json -d testPolicy.rego -d user_groups.json -d records.json "data"
```
But when I try to access the attributes of user_groups.json it shows
From Rego I am accessing it like below:
```
user_groups.user_name
```
Below is the user_groups.json:
```
{
  "jk@lti.com": {
    "groups": [
      { "name": "service.validator" },
      { "name": "service.search" },
      { "name": "service.view," }
    ]
  }
}
```
Expected Behavior
Actual Behavior
```
{
  "errors": [
    {
      "message": "var user_groups is unsafe",
      "code": "rego_unsafe_var_error",
      "location": { "file": "testPolicy.rego", "row": 46, "col": 25 }
    }
  ]
}
```