180 questions
0 votes · 0 answers · 47 views
Issues with OPA/Rego Policy Compilation to WASM
I'm working on a Rego/OPA policy, specifically for checking that Azure resources' diagnostic settings are compliant with specified parameters. However, I'm having several issues when trying to compile my ...
0 votes · 0 answers · 54 views
opa ast library unable to unmarshal my json ast
I am trying to unmarshal AST JSON into the ast.Module structure of OPA.
policy.rego:
package example.authz
import rego.v1
allow if {
some i
input.users[i].role == "admin"
}
use command ...
0 votes · 1 answer · 126 views
Do Rego policies compiled into WASM modules support `http.send`?
The OPA WASM documentation mentions that built-in functions like http.send are not natively supported by WASM.
However, I was able to successfully compile and evaluate WASM modules from Rego policies ...
0 votes · 0 answers · 58 views
How can I filter terraform modules down to only those that create controlled resources?
I'm trying to adapt the code in this answer to filter out certain resources exactly as desired over there.
The challenge I'm running into is that as-is that code example does not distinguish between a ...
0 votes · 1 answer · 64 views
Rego graph.reachable not printing leaf nodes
I'm trying to get a simple expansion of some relations using Rego's graph.reachable. For some reason this isn't printing leaf nodes and I've not yet figured out why.
inherits_from[role_id] contains ...
1 vote · 2 answers · 484 views
How to build OPA Rules from JSON
Is there some program or feature that can turn a JSON object into a policy.rego file?
I am aware there is currently a feature to turn a rego file into a JSON, but have not found anything to reverse ...
1 vote · 0 answers · 101 views
Writing an OPA Policy that enforces tagging, but only for AWS resources that allow tagging
In the project I'm working on, we're getting OPA failures because our policy checks for tags on resources, but some resources do not allow tags, such as SNS.
Is it possible to write a policy that can ...
0 votes · 0 answers · 23 views
How to write rego rule that accounts for missing block
I'm writing a CircleCI config policy (which is Rego based).
The goal of this policy is to ensure that ANY pipeline-job (i.e. ignore other-jobs) must require other-job1. In other words, it should be ...
2 votes · 0 answers · 73 views
Translating a Rego policy to AWS Cedar
I have the following dummy Rego policy
is_permitted if {
owner := dataowner.resources[input.resource][input.resource_id].owner
permitted_members := data.owners[owner].permissions[input....
0 votes · 1 answer · 87 views
rego language multiple rules in same violation
These are rules that are part of a
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
Can you help me understand why this works (preventing the creation of deployments out of the limits):...
0 votes · 1 answer · 497 views
How can I return a single value in rego function?
I have the following rego:
retry_count_key := "retry"
get_retries_count(str) := {x |
some i
parts := split(str[i], ":")
parts[0] == retry_count_key
x := to_number(...
1 vote · 1 answer · 247 views
Syntax error with OPA Rego file for authentication
I am writing a very simple Rego file but it is showing a syntax error. Can anyone suggest what I am doing wrong?
package example.accesscontrol
# Define the allowed UPNs
allowed_upns = {"[email protected]&...
1 vote · 1 answer · 126 views
OPA/REGO Using AND condition to combine two arrays of Boolean values
I wish to combine two arrays of Boolean values using AND.
For example: a1 := [true, true, false], a2 := [false, true, false].
the resulting AND operation:
a3 = a1 AND a2 would be [false, true, false]
1 vote · 1 answer · 221 views
How to prevent http.send if subsequent allow's are true?
I am trying to use OPA as an authorization service for Trino. I wrote a Rego file according to my needs.
package mytrino
import rego.v1
default allow := false
allow if {
input.action.operation == &...
0 votes · 1 answer · 790 views
Nested if or some kind of nested condition in OPA rule engine
I am new to the OPA rule engine and have tried a few things out, but I am unable to write a nested if in the OPA rule engine like
output := someValue if {
someValue := someOtherValue if {
}
}
I know ...
0 votes · 0 answers · 117 views
integrating OPA having external data calls with envoy
I am trying to integrate OPA with Envoy for authorization purposes. It works successfully with OPA without any external data calls, but I need to bundle my auth.rego file with a data.json file to ...
1 vote · 1 answer · 251 views
Rego object comprehension seems incomprehensible to me; lowercase the keys
In rego, I want to convert this:
d := {"a": "aye", "B": "bEe"}
to:
l := {"a": "aye", "b": "bEe"}
where the keys are ...
2 votes · 2 answers · 1k views
How do I integrate envoy as a gateway, auth0 as an authentication system and OPA as an authorization system?
I'm working on a server configuration with:
envoy proxy as a gateway, with a simple python web server behind it to serve web pages and API calls.
Auth0 to authenticate my users.
OPA as the ...
0 votes · 1 answer · 76 views
What would be the OPA policy for accessing a special path?
I am new to OPA and have tried a lot to get this result:
I want OPA to only allow access to /index. I am working on minikube with docker installed and I have a microservice as webserver. But the ...
1 vote · 0 answers · 77 views
Problems with opa configuration for own application
I am trying to use OPA as a Policy Engine in my test application. I have a node.js application running in minikube on macOS via Docker. The problem is that since I installed OPA with quick_start.yaml ...
0 votes · 1 answer · 107 views
Tutorial from the OPA-Website for Istio is not working as it should
I followed all these steps here:
https://istio.io/latest/docs/setup/getting-started/
And then all steps for the Opa-Istio-Tutorial here:
https://www.openpolicyagent.org/docs/envoy/tutorial-istio
I don'...
0 votes · 1 answer · 759 views
Rego - Pass if value in set is in allowed_values set
I'm trying to have a policy pass if a value in input_set matches a value in allow_values
The below policy example is also here if you'd like to modify it easier - https://play.openpolicyagent.org/
I'm ...
0 votes · 1 answer · 785 views
OPA eval command
I am very new to OPA but testing something very simple. I would like to create a policy to ensure my s3 is not public.
my simple TF file:
terraform {
required_providers {
aws = {
source = ...
0 votes · 1 answer · 591 views
Wildcard in OPA policy definition
I am trying to write a policy for an endpoint that looks like
/xyz/v1.0/applicationVersions?applicationName=blah&default=true&pageSize=3&pageNumber=1
What is a wildcard/regex match I can ...
0 votes · 1 answer · 131 views
Generate dictionary with a string as a key and an array of strings as value
I have the following Rego policy:
package authz
import future.keywords.in
# The permissions the user has for each property
permissions[property_id][permission] {
some property_id, property_roles ...
0 votes · 1 answer · 145 views
Rego write a test for every entry with a condition has to have another condition
Example data:
{
"serviceA_primary": {
"foo": 1
"bar": 2
},
"serviceA_secondary": {
"foo": 1,
"bar&...
2 votes · 1 answer · 207 views
Conditions in a OPA policy function (Rego)
I have the following helper function in a test of my OPA policy. I would like to make it more generic and return the resource with the commonName field only if cn is not empty. Any ideas on how I can ...
1 vote · 0 answers · 263 views
How can I implement OPA for Frontend and Backend microservices?
I am looking to use OPA policy-based authorization in my project. I can use the bundle server to push my policies and data.json files to the backend server and can evaluate policies for the backend. I am ...
1 vote · 1 answer · 703 views
Hiding an object from output in Rego Policy
I created a Rego Policy but I would like to hide some of the objects from the output of the Rego.
Let's take this simple Rego as an example.
package cats
default cats := false
cats{
input.cat == ...
1 vote · 1 answer · 251 views
How to extract a portion of a string if it exists in Rego
I have the following response from an API and I need to get the resourceName if it contains the keyword -ecs-cloudwatch-policy. How can this be achieved in Rego?
{
'resourceId': 'ABCDEF12345',
...
0 votes · 2 answers · 1k views
Rego: how to merge objects set values
How can I merge the values of an object in Rego (set type) into a single set containing all the object values?
This is my input object :
input_data = {
"1": {
"bob": {"...
0 votes · 1 answer · 836 views
How can I loop over multiple values in OPA to validate
I have a JSON file something like the one below; now I want to validate whether the label cat is set or not.
"labels": {
"apple": "one",
"banana": "two",
"cat&...
1 vote · 0 answers · 275 views
Rego number of policies evaluated
I am trying to validate some policies using the /opa/rego package.
The policies are evaluated as expected in this script. But, I also want to count the number of rules and the rule names evaluated as ...
1 vote · 1 answer · 917 views
How to import policies from different files
This could potentially be a duplicate of this post but I'm still having real trouble.
I have a function defined in one file.
A.rego
package authorizer
default username := null
decode_user(jwt) := ...
0 votes · 1 answer · 288 views
OPA REGO deconstructing nested array
I got data something like this:
{
"TENANT1":{ <-- Multiple tenants
"SITE1":{ <-- Every tenant can have multiple sites
"SITE1_DEVICE1":[ <-- Every ...
0 votes · 1 answer · 238 views
Why execution stops and false is returned (Open Policy Agent, Rego)
I want to implement complex validation but I don't have enough knowledge.
This is how I imagine the rule to work in python:
input_data = {
"attributes": {
"request": {
...
1 vote · 1 answer · 632 views
Getting Error: undefined: rego.ReadFile while trying to read rego file
While I was trying to compile the code, I got the error below. I have imported "github.com/open-policy-agent/opa/rego" but am still getting the error.
-bash-4.2$ go build main.go
# command-line-...
1 vote · 1 answer · 365 views
How to create custom Azure Policy for k8s deployments?
I am looking into creating a custom Azure policy for AKS deployments. There is a bunch of built in policies available: https://learn.microsoft.com/en-us/azure/aks/policy-reference but I have not found ...
3 votes · 1 answer · 1k views
In Rego, why is "every" never false?
According to the Open Policy Agent documentation, in Rego, every evaluates either to true or undefined. Why not true or false? What is it about Rego that suggests false is the wrong value? By ...
0 votes · 1 answer · 959 views
Rego: merge arrays from different objects
In OPA, I take an input of type { roles, action, object }, and I return a matching permission which contains data regarding what the user is allowed to do based on the input
This is rather simple if ...
2 votes · 2 answers · 4k views
OPA giving error "rego_parse_error: var cannot be used for rule name"
I have a simple rego file like this:
package example
default isApplicable := false
isApplicable if {
timeNow := time.now_ns()
timeNow >= input.startDatetime
}
and I keep getting parse ...
0 votes · 1 answer · 1k views
Caching in OPA where data is pulled from external source for eval
I have a pretty common use case where I would like to cache the results of a http.send for a given amount of time. I know I can do something like
value := http.send({
"url": "https:/...
0 votes · 1 answer · 296 views
Transform ["a=b","c=d","e=f"] to {"a":"b","c":"d","e":"f"} in rego
I have an array as defined below
["dev=devA",
"instance=instanceA",
"domain=domainA",
"namespace=namespaceA",
"...
0 votes · 1 answer · 790 views
Can OPA check all rules individually or these rules have to be combined into one parent rule to make a decision?
I'm trying to integrate OPA/open policy agent/ into gitlab ci-cd job, and evaluate it against terraform plan output.
I have independent rules in rego file and want to run each of them from package ...
1 vote · 3 answers · 926 views
How to ignore FAIL during conftest policy check in atlantis
I am still in the testing phase and would like to allow merging of my PR even if the policy_check is FAILING. What flag can I pass to enable that?
My current config:
repos:
- id: /.*/
...
1 vote · 1 answer · 842 views
How do I merge array of duplicated object with OPA Rego rule
I have written an OPA policy that creates the following output:
[
{
"permission": [
"module:get",
"workflow:get",
"...
0 votes · 1 answer · 474 views
Rego - how to mimic set generation using functions
I have a rule that I expect to be reused by a variety of modules. I figured, let's turn that into a function, have the modules pass their input into a function and use a set comprehension like ...
2 votes · 1 answer · 1k views
Rego - Combine Values of Case Sensitive Keys from json like abc, ABc to single lowercase key abc
I have the JSON below as input:
{
"data": {
"abc": 123,
"Abc": 345,
"bcd": 789
}
}
I want the result like:
{
"data": ...
0 votes · 1 answer · 2k views
Is there a way in OPA to only evaluate policies relevant to certain request?
I'm experimenting with OPA and securing HTTP REST API. I want to implement ABAC authorization. My question is if it's possible to create rules in such a way that only those relevant to the request ...
0 votes · 1 answer · 2k views
OPA rego policy - pattern matching using valid regex not working
I'm using OPA to write an access policy for a microservice, and I'm now tackling the problem of matching a URL containing a path param.
The URL follows the pattern: /v1/users/{uuid}
I came up with the ...