Sarageorge

Reputation: 119

OPA conflicting policy

I have written some sample Rego code:

default allow = false

allow {
  some username
  input.method = "GET"
  input.path = ["example", username]
  input.user = username
}

allow {
  some username
  input.method = "GET"
  input.path = ["example", username]
  input.user != username
}

When I try to validate the policy using the http://localhost:8181/v1/data/http/authz/allow API with the parameters

{
    "input": {
    "method": "GET",
    "path": ["example", "sara"],
    "user": "sara"
    }
}

and

{
    "input": {
    "method": "GET",
    "path": ["example", "sara"],
    "user": "notsara"
    }
}

I get the response: {"decision_id":"xxxxx","result":true}

Is this the expected result? Shouldn't there be an error if conflicting policies exist?

Upvotes: 0

Views: 1899

Answers (1)

Leonardo Dagnino

Reputation: 3215

When you have multiple definitions for a rule, you are expressing a logical OR. As such, they are not conflicting; they are both evaluated, and if any of the rules matches, your result is positive.

A rule conflict happens when you try defining the same rule as a partial rule and as a complete rule:

allow {
  some username
  input.user = username
}

allow[id] {
  some username
  input.user != username
}

1 error occurred: module.rego:3: rego_type_error: conflicting rules named allow found

(the example wasn't very nice and doesn't really make sense, but I guess it works as an example)

Upvotes: 1
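The OR semantics described in the answer, as an added example that is not part of the original question or answer: because every extra `allow` body can only widen access, a restriction is written as a separate rule and combined explicitly. The `input.role` and `input.suspended` attributes and the `deny` and `authorized` rule names are assumptions made for illustration; the `if` keyword is imported so the module parses on current OPA releases.

```rego
package http.authz

import future.keywords.if

# Added example. input.role, input.suspended, deny and authorized are
# constructed for illustration; they do not appear in the original policy.
default allow := false

# Two bodies for the same complete rule are OR'd: either one makes allow true.
allow if {
    input.method == "GET"
    input.path == ["example", input.user] # caller reads their own record
}

allow if {
    input.method == "GET"
    input.path[0] == "example"
    input.role == "admin" # admins may read any record
}

# A restriction written as another allow body could only widen access,
# so it lives in its own rule and is combined explicitly.
default deny := false

deny if input.suspended == true

default authorized := false

authorized if {
    allow
    not deny
}

# Unit tests; the first two use the inputs from the question.
test_owner_allowed if {
    authorized with input as {"method": "GET", "path": ["example", "sara"], "user": "sara"}
}

test_other_user_denied if {
    not authorized with input as {"method": "GET", "path": ["example", "sara"], "user": "notsara"}
}

test_admin_allowed if {
    authorized with input as {"method": "GET", "path": ["example", "sara"], "user": "root", "role": "admin"}
}

test_suspended_owner_denied if {
    not authorized with input as {"method": "GET", "path": ["example", "sara"], "user": "sara", "suspended": true}
}
```

Saved to a file (the name `policy.rego` is an assumption), the tests run with `opa test policy.rego`.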
