search

open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0
9.57k stars 1.33k forks source link

zinc.systems has adopted OPA #6776

Open chippyash opened 4 months ago

chippyash commented 4 months ago

Organization Name

Zinc Digital Business Systems

Organization Website

zinc.systems

Organization Logo (optional)

No response

How is your organization using OPA?

Implementing RBAC ACL controls

Source Code Link (optional)

No response

Want to link blogs or videos? Share them here.

No response

Update entry

chippyash commented 4 months ago

Linting rules: Your linting rules require a flat interpretation of a rule at https://play.openpolicyagent.org/ e.g.

allow if {
    # split the permission
    perm_parts := split(input.permission, ":")

    # parse the action
    action := perm_parts[2]

    # parse the resource
    resource := concat(":", array.slice(perm_parts, 0, 2))
    print("Query User:", input.user, "Resource:", resource, "Action:", action)

    # lookup the list of roles for the user
    roles := user_roles[input.user]

    # for each role in that list
    r := roles[_]
    print("Checking Role:", r)

    # lookup the permissions list for role r
    permissions := role_permissions[r]

    # for each permission
    p := permissions[_]

    # check if the permission granted to r matches the user's request
    print("Evaluating:", p)
    bits.and(to_number(glob.match(p.resource, [], resource)), to_number(glob.match(p.action, [], action)))
}

As this is a declarative language it makes much more sense to display looping thus:

allow if {
    # split the permission
    perm_parts := split(input.permission, ":")
    # parse the action
    action := perm_parts[2]
    # parse the resource
    resource := concat(":", array.slice(perm_parts,0,2))
    print("Query User:", input.user, "Resource:", resource, "Action:", action)
    # lookup the list of roles for the user
    roles := user_roles[input.user]
    # for each role in that list
    r := roles[_]
        print("Checking Role:", r)
        # lookup the permissions list for role r
        permissions := role_permissions[r]
        # for each permission
        p := permissions[_]
            # check if the permission granted to r matches the user's request
            print("Evaluating:", p)
            bits.and(to_number(glob.match(p.resource, [], resource)), to_number(glob.match(p.action, [], action)))
}

There is some pythonesq stuff going on, and as I'm very new, I find the single indent very difficult to navigate. This is only a short example, adapted from the RBAC examplar but my example reads a lot clearer than the linted version.

Regards Ashley

anderseknert commented 4 months ago

The Rego Playground is set up to run all of the Regal linter rules by default, but that's just a default set for the purpose of the playground. There is no requirement to agree with all of the rules :) If you download Regal yourself, you can easily disable any rule you disagree with, like the opa-fmt rule. Here's an example of a Regal configuration file to disable the formatter rule:

.regal/config.yaml

rules:
  style:
    opa-fmt:
      level: ignore
stale[bot] commented 3 months ago

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.