Open Policy Agent
Rego graph.reachable not printing leaf nodes #661
-
|
I'm not totally certain if this is a bug or "working as designed". I'm having a lot of trouble getting The problem seems to be that results with just However I can't find a way to get Trivial ExampleGoalI want to evaluate the set of all permissions in a role Data{
"relations": {
"roles": {
"role:admin": {
"grants": ["permission:edit", "role:viewer"]
},
"role:viewer": {
"organizations": "organization:acme",
"grants": ["permission:view", "role:other"]
}
}
}
}Policypackage foo
# In the real world examples I have many similar rules for: inherits_from[] contains if
inherits_from[role_id] contains other if {
some role_id, role_details in data.relations.roles
some other in role_details.grants
}
effective_permissions = graph.reachable(inherits_from, {"role:admin"})Actual result{
"effective_subjects": [
"role:admin",
"role:viewer"
],
"inherits_from": {
"role:admin": [
"permission:edit",
"role:viewer"
],
"role:viewer": [
"permission:view",
"role:other"
]
}
}Desired result "effective_subjects": [
"role:admin",
"role:viewer",
"permission:edit",
"permission:view"
], ... |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment 5 replies
-
|
Hey, thanks for the clear question. This is a good one. Graphs passed to graph.reachable need to be a list of all nodes and the other nodes they have edges to. This list of edges might be an empty list. I would set it up more like this: package foo
# nodes is a set of unique roles and grant names
nodes contains node if {
some role, role_data in data.relations.roles
grant_names := {n | some n in role_data.grants}
# a node is both the role itself and all the grant names
some node in (grant_names | {role})
}
inherits_from_graph[node] := edges if {
some node in nodes
edges := {e | some e in data.relations.roles[node].grants}
}
effective_permissions := graph.reachable(inherits_from_graph, {"role:admin"})I think the desired output is: Since, |
Beta Was this translation helpful? Give feedback.
-
|
Sadly that won't work because it's swapped a However I can see the approach is sound if we add two layers of indirection... # In the real world examples I have many similar rules for: inherits_from[] contains if
inherits_from[role_id] contains other if {
some role_id, role_details in data.relations.roles
some other in role_details.grants
}
inherits_from_all_nodes contains node if {
some key, references in inherits_from
node in {{key} | references}
}
inherits_from_graph[node] := edges if {
some node in nodes
edges := {e | some e in data.relations.roles[node].grants}
}
effective_permissions := graph.reachable(inherits_from_graph, {"role:admin"})This would be much easier if |
Beta Was this translation helpful? Give feedback.
-
|
... I'll also add that I don't know what this does to performance. I'm unclear on whether OPA constructs partial objects if it doesn't need the whole object. Strictly speaking about logic, the I'm not sure if OPA actually makes that optimisation. |
Beta Was this translation helpful? Give feedback.
-
|
I think if you have a lot of work to re-organize your data into a suitable graph structure for OPA, it'd be best to have that work done when building the data bundle rather than in each OPA instance. |
Beta Was this translation helpful? Give feedback.
-
|
From a purely ideological standpoint, I'd have to push back on that idea. That cuts against the separation of concerns. Rego & policy syntax are for defining the the policy rules: if this and that then "yes" otherwise "no". Data connectors are for supplying data about the real world from supporting systems. It's not the job of supporting systems nor data-connectors to go defining the policy rules. The mapping of relations to graph links is unmistakably a policy decision. Indeed my whole reason for assessing OPA is to avoid what some of the "Zanzibar inspired" systems keep trying to do which is to apply policy without a rules engine. (Google themselves didn't do Zanzibar without a rules engine That's not to say I disagree with data-connectors optimising the data; but it's one step to far to ask data-connectors to pre-calculate full graphs which are themselves a core part of the permissions rule. If the permissions rule changes, I shouldn't generally need to go changing the data-connector unless it's failing to supply information I need. |
Beta Was this translation helpful? Give feedback.
-
|
I think that's fair enough, ideally additional processing would not be required. Speaking from experience however, graph datasets can get quite large and other users going down this path in the past have needed to do some pre-processing on the data loaded into OPA in order to meet their performance targets. It might be that with your data this is not an issue and so building the graph as part of the policy would be preferable. We can chat about this in the issue though. open-policy-agent/opa#7396 |
Beta Was this translation helpful? Give feedback.
Hey, thanks for the clear question. This is a good one.
Graphs passed to graph.reachable need to be a list of all nodes and the other nodes they have edges to. This list of edges might be an empty list.
I would set it up more like this: