stackabletech / opa-operator

A kubernetes operator for the Open Policy Agent

Deploy wrapper RegoRules for the UserInfoFetcher #558

Closed fhennig closed 1 month ago

fhennig commented 4 months ago

As a user of the UIF I would like to simply use RegoRules to use the UIF, instead of having to do the HTTP calls myself.

The rules and how to use them need to be documented and a decision needs to be created.

fhennig commented 4 months ago

My suggestion on how to do this:

Have a ready-to-go (or slightly templated) .rego file that the operator has, and if the userInfo bit is configured, the .rego file gets added to all the bundles. Maybe we can do this by having the operator deploy a ConfigMap that has the bundle=true annotation and the rules inside of the ConfigMap?

maltesander commented 4 months ago

In the trino tests we have the UIF call here https://github.com/stackabletech/trino-operator/blob/0a1545ff371190b8d237f994bba4266fc962f774/tests/templates/kuttl/opa-authorization/trino_policies.rego#L291 and wrap it into extra_groups in the permissions here https://github.com/stackabletech/trino-operator/blob/0a1545ff371190b8d237f994bba4266fc962f774/tests/templates/kuttl/opa-authorization/trino_rules/actual_permissions.rego#L43.

We could extract that into its own rego (util) file to be imported by other policies?

NickLarsenNZ commented 4 months ago

I would suggest it being a specific rego file, rather than a generic util file, because:

Some suggestions on what the end-user rego imports could look like:

import utils.uif
import utils.authorization
import stackable.uif
import stackable.authorization

Edit: https://github.com/stackabletech/opa-operator/pull/580 goes with package stackable.opa.userinfo.v1 which resolves this comment nicely.
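The wrapper-plus-consumer layout discussed in the two comments above, as an added example that is not code from this repository or from PR #580. Only the package name stackable.opa.userinfo.v1 comes from the thread; the fetcher URL, request body, response field names and the Trino input path are assumptions, and the two files are shown in one block separated by comments.

```rego
# --- file: userinfo.rego (shipped by the operator into every bundle) ---
# Package name from the thread; endpoint, request and response shape are ASSUMED.
package stackable.opa.userinfo.v1

import rego.v1

# Assumed address of the UserInfoFetcher sidecar (placeholder, not the real one).
uif_url := "http://127.0.0.1:9476/user"

# Look up a user by name. raise_error=false keeps a transport failure from
# aborting the whole policy evaluation; callers get an object with "error" instead.
userInfoByUsername(username) := handle(response) if {
    response := http.send({
        "method": "POST",
        "url": uif_url,
        "headers": {"Content-Type": "application/json"},
        "body": {"username": username},
        "raise_error": false,
        "timeout": "2s",
    })
}

handle(response) := response.body if {
    response.status_code == 200
}

handle(response) := {"error": sprintf("user info lookup failed, status %d", [response.status_code])} if {
    response.status_code != 200
}

# --- file: trino_policies.rego (end-user policy importing the wrapper) ---
package trino.authz

import rego.v1
import data.stackable.opa.userinfo.v1 as userinfo

# Extra groups for the requesting user (assumed input path from the Trino OPA plugin).
# On any lookup error this is the empty list, so a broken fetcher removes
# privileges rather than granting them.
extra_groups := groups if {
    info := userinfo.userInfoByUsername(input.context.identity.user)
    not info.error
    groups := info.groups
} else := []
```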

lfrancke commented 1 month ago

Blocked on https://github.com/stackabletech/opa-operator/issues/577

lfrancke commented 2 days ago

Is this a user visible thing? Do we have docs and should it go into the release notes?