OPA/rego result is true even if a comparison evaluates to false
I have just started using OPA, so it is quite possible that I am doing something wrong.
I have the following input:
{
    "request": {
        "principalId": "user1",
        "scope": "/workspaces/1/environments/dev/deployments/123",
        "requiredPermissions": [
            "Deployments.ReadWrite",
            "Foo.Bar"
        ]
    }
}
I want to verify that the user has all of the required permissions. I already have the variable I need:
# this is an OPA/Rego value
"principal_roles_at_requested_scope": [
    "Deployments.Read",
    "Deployments.ReadWrite",
    "WorkspaceEnvironments.Read",
    "Workspaces.Read"
]
This should set allow to false, because Foo.Bar is not in the principal_roles_at_requested_scope set, but it evaluates to true:
allow {
    some i
    input.request.requiredPermissions[i] in principal_roles_at_requested_scope
}
On the other hand, this works, but obviously cannot be used:
allow {
    input.request.requiredPermissions[0] in principal_roles_at_requested_scope
    input.request.requiredPermissions[1] in principal_roles_at_requested_scope
}
OK, thanks to this I figured it out.
This is how it was solved:
any_missing_permissions {
    some v in input.request.requiredPermissions
    not v in principal_roles_at_requested_scope
}
allow {
    # Each permission required in the request has to be available
    # at the requested scope
    not any_missing_permissions
}
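A complete policy file showing why the original rule was over-permissive and how the negation-based fix quantifies over all required permissions, added here as an example (not code from the question or answer). It assumes OPA 0.x syntax with `import future.keywords` (for `in` and `every`), a constructed set for `principal_roles_at_requested_scope` in place of whatever derives it in the real policy, and adds a fail-closed guard for an empty permission list, a case the answer's rule does not cover.

```rego
package authz
import future.keywords

# Constructed sample of the roles held at the requested scope, written as a set;
# in a real policy this would be derived from data.* and the requested scope.
principal_roles_at_requested_scope := {
	"Deployments.Read",
	"Deployments.ReadWrite",
	"WorkspaceEnvironments.Read",
	"Workspaces.Read",
}

# Universal check expressed as "no required permission is missing": `some`
# existentially finds a single missing permission, and `not` negates that.
# (The question's `some i ... in ...` rule only asks whether ANY one is held.)
any_missing_permissions {
	some p in input.request.requiredPermissions
	not p in principal_roles_at_requested_scope
}

# Fail closed: `not any_missing_permissions` is vacuously true when the list is
# empty or absent, so require at least one permission to actually be requested.
allow {
	count(input.request.requiredPermissions) > 0
	not any_missing_permissions
}

# The same universal check written with the `every` keyword (OPA >= 0.38).
allow_every {
	count(input.request.requiredPermissions) > 0
	every p in input.request.requiredPermissions {
		p in principal_roles_at_requested_scope
	}
}

# Unit tests; run with `opa test .` in the directory holding this file.
test_denied_when_missing_or_empty {
	req := {"request": {"requiredPermissions": ["Deployments.ReadWrite", "Foo.Bar"]}}
	not allow with input as req
	not allow_every with input as req
	not allow with input as {"request": {"requiredPermissions": []}}
}

test_allowed_when_all_held {
	req := {"request": {"requiredPermissions": ["Deployments.ReadWrite", "Workspaces.Read"]}}
	allow with input as req
	allow_every with input as req
}
```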