Sty -OPA - Rego : Expressions

 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 

Single Value : There are  a number of design princples that we can put in place when we design Rego, But here are the top three.

  1. Syntax : In terms is Rego syntax we have designed it to mirror those real world polices that you find in PDFs , E-Mails,


 So the idea of Rego statement is that it is a simple IF Statements, Something are true if the other things are true . For example , allow this request if this user is actually alice

2. Semantics : The second design principle is more symantic. The idea here was the hierarchical data JSON/YAML and so on are pervasive so we wanted Rego to support that hierarchical data in a first class way and so

3. Algorithm : OPA coould automatically optimize performance so the policy can often focus on correctness and make retain able polices

Rego Overview

 

one you write those rules you organize those rules into policies. Policies here is just a set of Rules that have a hierarchical name.

Rego also supports a set .Set is just an unordered collection of distinguished  values 


Variables are mutable so do not assign them twice or you might end up having some kind of errors. Example you get a compile error. 

  • Arrays use the square brackets 
  • Sets use the curly brackets  
  • Object uses the curly bracket with key value pairs separated by a colon .

 There are couple of global variables that OPA takes care of .

  1. Input : When a service is asking OPA for policy decision , it will hand over some chunk of JSON. That chunk of data when you are writing policy you reference it via input. Input is a global variable storing the JSON object given to OPA.
  2. Data : Data is also a global variable, remember OPA can also be given arbitrary external data as long as that data is in JSON . So here whatever data is given to OPA can be reference using data keyword

Once you have a variable whether it is managed by OPA once you have a variable whether it is managed by OPA , input or data or you assigned your self then you need to be able to inspect internals those of those variables

In OPA like in many languages use [] to inspect objects , on the left we have a variable assigned to an object called "obj" and an array assigned to the variable "arr"  and set assigned to a variable "st"

For inspecting internals of an object we use Brackets so we use - obj[]  , in here in our case obj["users"]

is going to look up the field "user" with in obj variable which is going to Alice 

You can use variables with Brackets as well assign the variable "key" to the string "user "

key := "user" 
obj[key]      

The above condition is completely equivalent of  

obj["user"]

As you might expect we also use in Rego brackets to inspect the internals of arrays and by the way all arrays are 0 indexed so if you write 

arr[2] which is going to get 0, 1, 2 --2 in this case "banana" in the above slide

and again you can use variable in place 

index := 2
arr[index]

Most interestingly we use Brackets to inspect sets

Typically a set maps an element to a set .

And as you may expect Brackets call be applied repeatedly in this example

obj["path"][0]


Like in many languages Rego uses brackets to inspect objects unlike any other language you can use brackets for any composite objects

Rego Also supports Dot . Dots are only used with objects


Dot is simply shorthand for bracket so every time Rego sees x.y it internally translates into x["y"]

Dot can only be used only when key is alpha-numeric



 In such cases where the value is not found such as x and y in the above case which does have a value, The error is not thrown it says "undefined"

NOT turns undefined into True




Rule Evaluation






Comments

Post a Comment

Popular posts from this blog

Sty -OPA - Rego : What is OPA

Image
 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++    +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++   OPA is a general purpose policy engine . All these software that we see on the right at some point of time understands that it needs a policy decision.  So what it is does it cobles on whatever policy decision that it needs about as a policy query and hands that query over to OPA . And OPA makes the decision and returns into the service , it is the services responsibility to enforce that decision . It is OPA responsibility to make that decision. For example if that service was a kubernetes API server . Kubernetes will decide that some user is trying to create a new resource on it , POD or ingress lets say on the kubernetes cluster . Kubernetes would take that 100 or 500 line of code of JSON or YAMLthat describes the new resource the user trying to deploy on to the cluster and it will hand that entire JSON or YAML code to OPA - OPA
Read more

Sty -OPA - Rego : Comparing and Constructing Values

Image
 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++   +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  How to do some Equality Checks Equality Expressions : Array is above one , below is sets . Sets are sometimes surprising to people.     These two sets has got all the same element . The order in which they appear is Irrelevant and the number of times each of this appears is irrelevant.   There is another kind of Equality operator. The x in the first bracket , it finds x is not  the same as the one on the right and it assume x as variable and assigns the value 2 on the right to x on the left. Rego Build in Functions : Build in functions do a loads of comparisons and functions .
Read more

Sty -OPA - Rego : Basic Rego Rules

Image
 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++    ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++  Boolean Rules & Evaluation OPA Policy Authorization : Through out we will be using API policy evaluation . This is very simple use case and a common use case.  Boolean Rules : Remember that every rule is an IF statement . When you are going to write an IF statement you are going to assign a value . Multiple Rules : In all of those rules we were thinking of them in Isolation . But with OPA you can goahead and write multiple rule and if you do that you will end up with writing a logical OR. Even though you can write multiple . What happens when non of the Rules Succeed. Then the value of that rule is undefined. But in some cases you do not want the default "undefined" result and - if non of the rules succeed. default is_read = false This is achieved by defining the result as - false This says that non of the value s
Read more