open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

"detected overlapping roots in bundle manifest" with opa eval -b #5493

Open charlesdaniels opened 1 year ago

charlesdaniels commented 1 year ago

Description

When running opa eval with multiple instances of -b, the error "detected overlapping roots in bundle manifest" appears. Although overlapping root detection is a valuable security measure when using OPA as a server, it can make development and debugging with opa eval more challenging. To this end, I propose we should:

  1. Introduce a new configuration flag to ActivateOpts to disable overlapping root detection.
  2. Expose the new flag to the opa eval command.

Example

$ tree .
.
├── bundle1
│   └── bundle1.rego
└── bundle2
    └── bundle2.rego

2 directories, 2 files
$ cat bundle1/bundle1.rego
package bundle1

foo := "bar"
$ cat bundle2/bundle2.rego
package bundle2

spam := "ham"
$ opa eval -f pretty -b ./bundle1/ data
{
  "bundle1": {
    "foo": "bar"
  }
}
$ opa eval -f pretty -b ./bundle2/ data
{
  "bundle2": {
    "spam": "ham"
  }
}
$ opa eval -f pretty -b ./bundle1/ -b ./bundle2/ data
1 error occurred: detected overlapping roots in bundle manifest with: [./bundle2/ ./bundle1/]

Notice that in the example above, both of the two Rego files have different packages and could be evaluated together without collisions. In a production setting, the error shown could be avoided by writing proper bundle manifests for each bundle, but this is inconvenient to do when debugging.

OPA Version

$ opa version
Version: 0.45.0
Build Commit: 523c285bcc417b2ec8a26b0a248407b1e840d488
Build Timestamp: 2022-10-07T18:38:08Z
Build Hostname: Mac-1665168894461.local
Go Version: go1.19.2
Platform: darwin/arm64
WebAssembly: unavailable

charlesdaniels commented 1 year ago

There is a workaround, which is to do the following:

$ opa eval -f pretty -d ./bundle1/ -d ./bundle2/ data
{
  "bundle1": {
    "foo": "bar"
  },
  "bundle2": {
    "spam": "ham"
  }
}

I think there could still be some use cases where disabling overlapping root detection could be useful for opa eval, but this workaround does work for my use case.

(thanks Torin!)
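
Why the two directories in the report collide, and why per-bundle roots resolve it, as an added sketch (not OPA's own code and not part of the posts above). It assumes a bundle that declares no roots claims the default root "", meaning all of data, and that roots are compared by whole path segment; Bundle, roots, rootContains and Conflicts are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

// Bundle is a hypothetical stand-in: a bundle path plus its manifest "roots".
type Bundle struct {
	Name  string
	Roots []string
}

// roots applies the assumed default: no declared roots means [""], all of data.
func (b Bundle) roots() []string {
	if len(b.Roots) == 0 {
		return []string{""}
	}
	return b.Roots
}

// rootContains compares whole path segments, so "a/b" does not contain "a/bc".
func rootContains(root, other string) bool {
	root, other = strings.Trim(root, "/"), strings.Trim(other, "/")
	return root == "" || other == root || strings.HasPrefix(other, root+"/")
}

// Conflicts lists each pair of bundles with overlapping roots exactly once.
func Conflicts(bs []Bundle) (out []string) {
	for i, a := range bs {
	next:
		for _, b := range bs[i+1:] {
			for _, x := range a.roots() {
				for _, y := range b.roots() {
					if rootContains(x, y) || rootContains(y, x) {
						out = append(out, a.Name+" <-> "+b.Name)
						continue next
					}
				}
			}
		}
	}
	return out
}

func main() {
	// Constructed inputs mirroring the issue: no manifests, then disjoint roots.
	fmt.Println(Conflicts([]Bundle{{"./bundle1/", nil}, {"./bundle2/", nil}}))
	fmt.Println(Conflicts([]Bundle{{"./bundle1/", []string{"bundle1"}}, {"./bundle2/", []string{"bundle2"}}}))
}
```

The second call corresponds to giving each directory a .manifest file such as {"roots": ["bundle1"]}, so that each bundle owns only its own package path.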

stale[bot] commented 1 year ago

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.