open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

OPA could have option for better output of the partial result (SQL) #6033

Closed henesm closed 1 year ago

henesm commented 1 year ago

I am writing this ticket because the other one, where this was asked, did not get an answer and was closed (https://github.com/open-policy-agent/opa/issues/830#issuecomment-972787828). If I introduce unknowns, then the result is in a format that is not really readable. I found the example where the result is parsed into SQL that works in SQLite, but that piece of code has been marked as experimental and is also only in Python.

What is the underlying problem you're trying to solve?

Basically I'm trying to implement an ABAC authorization policy, and for basic evaluation OPA seems like a perfect candidate, but when it comes to LISTs or PAGINATIONs, things start to get complex...

When I make a request with unknown data.employees and input.user.name = tom on a policy containing input.user.name == data.employees[_].name, then I get a result that looks like this:

{
  "result": {
    "queries": [
      [
        {
          "index": 0,
          "terms": [
            {
              "type": "ref",
              "value": [
                {
                  "type": "var",
                  "value": "eq"
                }
              ]
            },
            {
              "type": "string",
              "value": "tom"
            },
            {
              "type": "ref",
              "value": [
                {
                  "type": "var",
                  "value": "data"
                },
                {
                  "type": "string",
                  "value": "employees"
                },
                {
                  "type": "var",
                  "value": "$11"
                },
                {
                  "type": "string",
                  "value": "name"
                }
              ]
            }
          ]
        }
      ]
    ]
  }
}

As you can imagine, this is really hard to transform to SQL without knowing the different possible results.

Describe the ideal solution

Could there be an option for different output format? Maybe something like:

{
  "result": {
    "queries": [
      "'tom' IN (SELECT name FROM employee)"
    ]
  }
}

I don't know about the format, it seems rather wrong, but I hope the idea is there...

Additional Context

I can imagine this being a little bit too complex, but without it I'm not sure how I can use it. If you have any other solutions, or maybe some libraries for parsing the JSON, then I would be happy to see them.

ashutosh-narkar commented 1 year ago

@henesm It's not clear to me what format you're looking for or if there is something in OPA proper we can do at this time. This seems to be an opportunity to enhance the existing Data filtering example we have and I would encourage you to look into that and contribute back to the project if that's something you're interested in. Hence closing this for now.
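One way to turn the partial-evaluation JSON shown in this issue into a SQL filter, as an added example that is not part of the thread, of OPA, or of its data filtering example. The helper names, the `allowed` table/column allow-list and the operator subset are assumptions; literals become bind parameters and anything unrecognised raises so the caller can deny.

```python
# Added example (hypothetical helper names; not OPA's or the page author's code).
OPS = {"eq": "=", "equal": "=", "neq": "!=", "lt": "<", "lte": "<=", "gt": ">", "gte": ">="}
SCALARS = {"string", "number", "boolean"}

class Unsupported(ValueError):
    """A residual expression this translator does not handle; callers should deny."""

def _operand(term, allowed, params):
    if term["type"] in SCALARS:
        params.append(term["value"])  # literals are bound, never spliced into SQL
        return "?"
    parts = term["value"] if term["type"] == "ref" else []
    # Accept only data.<table>[<iterator var>].<column> with allow-listed names.
    if (len(parts) == 4 and parts[0] == {"type": "var", "value": "data"}
            and [p["type"] for p in parts[1:]] == ["string", "var", "string"]):
        table, column = parts[1]["value"], parts[3]["value"]
        if column in allowed.get(table, ()):
            return f"{table}.{column}"
    raise Unsupported(f"cannot translate term: {term!r}")

def _expression(expr, allowed, params):
    terms = expr.get("terms")
    if expr.get("negated") or not isinstance(terms, list) or len(terms) != 3:
        raise Unsupported(f"cannot translate expression: {expr!r}")
    name = terms[0]["value"]
    if terms[0]["type"] != "ref" or len(name) != 1 or name[0]["value"] not in OPS:
        raise Unsupported(f"unsupported operator: {terms[0]!r}")
    left = _operand(terms[1], allowed, params)
    right = _operand(terms[2], allowed, params)
    return f"{left} {OPS[name[0]['value']]} {right}"

def partial_to_where(response, allowed):
    """Return (where_sql, params): queries are OR-ed, their expressions AND-ed."""
    params, clauses = [], []
    for query in response["result"].get("queries", []):
        if not query:  # an empty query is unconditionally true
            return "1 = 1", []
        clauses.append("(" + " AND ".join(_expression(e, allowed, params) for e in query) + ")")
    # No queries at all means the policy can never be satisfied: match no rows.
    return (" OR ".join(clauses), params) if clauses else ("1 = 0", [])

# Constructed sample: the residual query from the issue above, written compactly.
SAMPLE = {"result": {"queries": [[{"index": 0, "terms": [
    {"type": "ref", "value": [{"type": "var", "value": "eq"}]},
    {"type": "string", "value": "tom"},
    {"type": "ref", "value": [{"type": "var", "value": "data"}, {"type": "string", "value": "employees"},
                              {"type": "var", "value": "$11"}, {"type": "string", "value": "name"}]}]}]]}}
```

Calling `partial_to_where(SAMPLE, {"employees": {"name"}})` yields a clause and parameter list that can be appended to `SELECT ... FROM employees WHERE` and executed with the driver's parameter binding.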