open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

Support wasi for wasm builds #4932

Open kjartanm opened 2 years ago

kjartanm commented 2 years ago

Support for wasm in OPA is great, and the js loader works well! Thanks! :D

But as support for more 'native' wasm execution on serverless using wasi is getting more support, it would be great if the build process also could support wasi-ready builds.

Something like: opa build -t wasi -e example/allow example.rego ?

A use case is the support for wasi on Cloudflare Workers: https://blog.cloudflare.com/announcing-wasi-on-workers/ where the request body maps to the input document and returns the result?

Support for wasi in OPA would mean that you could directly deploy a service with no JS-glue, and that could work similar to how the REST-API endpoint for query works.

srenatus commented 2 years ago

It's on my radar at least. I've been looking into ways to wrap, or basically link, the OPA wasm module into different shells, i.e. wasm modules that call the exported methods, like opa_eval, but expose an ABI that fits into other places. I think that way, we don't have to hardcode "wasi-for-cloudflare", "wasi-for-fastly", "wasi-for-xyz" into the OPA build command, but keep things composable.

Do you have a specific example use in mind?

kjartanm commented 2 years ago

Yes, hopefully wasi will reduce the need for vendor-specific implementations. Currently it seems using STDIN and STDOUT is the way to go. So a possible test case could be something like this:

If we use the OPA REST-API query example as a starting point (https://www.openpolicyagent.org/docs/latest/rest-api/#example-request-10), and compile it to wasi-enabled wasm, it could be tested in the following way using wasmtime:

echo "{\"user\": [\"alice\"]}" | wasmtime run example1.wasm

should return "hello, alice".

And if this is deployed on cloudflare, the following should be equivalent:

curl -X POST -H "Content-Type: application/json" -d "{\"user\": [\"alice\"]}" http://example1.cloudflare.com
curl -X POST -H "Content-Type: application/json" -d "{\"user\": [\"alice\"]}" https://oparestapi.com/example1

Does this make sense?

srenatus commented 2 years ago

It does, but do we know of any other system that works like this? How are headers represented? (WAGI?)

> And if this is deployed on cloudflare, the following should be equivalent: [...]

That's true, insofar as data is not involved. So we'd be able to make use of "stateless OPA" only.

stale[bot] commented 2 years ago

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.
