Open chippyash opened 4 months ago
Linting rules: Your linting rules require a flat interpretation of a rule at https://play.openpolicyagent.org/ e.g.
allow if {
# split the permission
perm_parts := split(input.permission, ":")
# parse the action
action := perm_parts[2]
# parse the resource
resource := concat(":", array.slice(perm_parts, 0, 2))
print("Query User:", input.user, "Resource:", resource, "Action:", action)
# lookup the list of roles for the user
roles := user_roles[input.user]
# for each role in that list
r := roles[_]
print("Checking Role:", r)
# lookup the permissions list for role r
permissions := role_permissions[r]
# for each permission
p := permissions[_]
# check if the permission granted to r matches the user's request
print("Evaluating:", p)
bits.and(to_number(glob.match(p.resource, [], resource)), to_number(glob.match(p.action, [], action)))
}
As this is a declarative language it makes much more sense to display looping thus:
allow if {
# split the permission
perm_parts := split(input.permission, ":")
# parse the action
action := perm_parts[2]
# parse the resource
resource := concat(":", array.slice(perm_parts,0,2))
print("Query User:", input.user, "Resource:", resource, "Action:", action)
# lookup the list of roles for the user
roles := user_roles[input.user]
# for each role in that list
r := roles[_]
print("Checking Role:", r)
# lookup the permissions list for role r
permissions := role_permissions[r]
# for each permission
p := permissions[_]
# check if the permission granted to r matches the user's request
print("Evaluating:", p)
bits.and(to_number(glob.match(p.resource, [], resource)), to_number(glob.match(p.action, [], action)))
}
There is some pythonesq stuff going on, and as I'm very new, I find the single indent very difficult to navigate. This is only a short example, adapted from the RBAC examplar but my example reads a lot clearer than the linted version.
Regards Ashley
The Rego Playground is set up to run all of the Regal linter rules by default, but that's just a default set for the purpose of the playground. There is no requirement to agree with all of the rules :) If you download Regal yourself, you can easily disable any rule you disagree with, like the opa-fmt
rule. Here's an example of a Regal configuration file to disable the formatter rule:
.regal/config.yaml
rules:
style:
opa-fmt:
level: ignore
This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.
Organization Name
Zinc Digital Business Systems
Organization Website
zinc.systems
Organization Logo (optional)
No response
How is your organization using OPA?
Implementing RBAC ACL controls
Source Code Link (optional)
No response
Want to link blogs or videos? Share them here.
No response
Update entry