open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

partial eval: Improve control over unknowns during partial evaluation #855

Open tsandall opened 6 years ago

tsandall commented 6 years ago

Today, only the caller is able to specify the unknowns to use during partial evaluation. If the list of unknowns is hard to predict or changes frequently over time, this can become an issue.

Similarly, today, certain built-in functions (like time.now_ns) are ignored during partial eval. This works fine for optimization use cases however for translation use cases, callers should probably not have to deal with expressions unnecessarily.

To handle use cases like this, the policy author could define rules that would be evaluated before partial eval is run to determine the unknowns to use later. For example:

package example

# policy dealing with "foo" resources

# if request is for "foos" resources, then "data.foos" are considered unknowns
unknowns["data.foos"] {
  input.path = ["foos"]
}

allow {
  input.path = ["foos"]
  input.method = "GET"
  allowed[x]
}

allowed[foo] {
  data.foos[foo]
  foo.tenant = input.subject.tenant
}

# policy dealing with "bar" resources

unknowns["data.bars"] {
  input.path = ["bars"]
}

allow {
  input.path = ["bars"]
  input.method = "GET"
  allowed[x]
}

allowed[bar] {
  data.bars[bar]
  bar.tenant = input.subject.tenant
}

One downside of this approach is that we cannot reify terms in OPA today so the policy author would have to encode their refs as strings.

We could extend some control to the caller in this scenario. For example, the caller could specify the name of the document to query to obtain the unknowns.

tsandall commented 3 years ago

Another (perhaps better) option would be to allow callers to specify a set of known paths (perhaps in addition to paths defined by rules). Any reference to a path outside the set would be treated as unknown and trigger a save. In terms of implementation, we would have to review the places in the evaluator where the save set is checked and generalize it to support this alternative set.

tsandall commented 3 years ago

Adding this issue into the TODO backlog.

stale[bot] commented 2 years ago

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.