How to combine the results of multiple rules

Published 2025-01-18 15:58:08 · Words 289 · Views 5 · Comments 0


I have 3 roles and I am trying to return what actions a user can do based on the assigned roles.

Playground: https://play.openpolicyagent.org/p/5gN7ObojXh

The first part should check if the object being processed is in a list, and then if the role(s) return any actions.

I'm very new to OPA and Rego and I am finding it to be very confusing when anything more than simple comparisons are required.


Comments (1)

メ斷腸人バ 2025-01-25 15:58:08


Rules in OPA are either complete or partial. Complete rules are those that evaluate to a single value, and as such will fail if evaluated to different, conflicting values — e.g. a boolean "allow" rule can't be both true and false.

Partial rules either return sets or objects, and are built incrementally by evaluating each rule with the same name and adding the result to the set/object produced by the rule.

Example policy using a partial rule to build a set might look something like this:

package policy

import future.keywords.in

deny["Username found in deny list"] {
    input.user.name in data.users.denylist
}

deny[msg] {
    not "read" in input.user.roles
    msg := sprintf("User %v missing role 'read'", [input.user.name])
}

deny["/admin endpoint requires 'admin' role"] {
    input.request.path[0] == "admin"
    not "admin" in input.user.roles
}

When evaluated with an input like the below:

{
  "input": {
    "user": {
      "name": "bob",
      "roles": ["developer"]
    },
    "request": {
      "path": ["admin", "users"]
    }
  }
}

The deny rule might evaluate to:

[
  "User bob missing role 'read'",
  "/admin endpoint requires 'admin' role"
]

The example policy you provided could be rewritten to use incremental rules, like this: https://play.openpolicyagent.org/p/MYFFAVqMCu

If you'd like to learn more, the Styra Academy is a great complementary resource to the OPA docs.
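Applying the partial-rule pattern from the answer above to the question's roles-to-actions case, as an added example that is not from the answer or the OPA project; the `roles` mapping and the `input.user.roles` / `input.resource` / `input.action` fields are constructed assumptions:

```rego
package policy

import future.keywords.in

# Constructed role definitions (an assumption for this example); in a real
# deployment these would normally be loaded as data.roles rather than
# hard-coded in the policy.
roles := {
	"viewer": {"resources": {"docs"}, "actions": {"read"}},
	"editor": {"resources": {"docs"}, "actions": {"read", "write"}},
	"admin": {"resources": {"docs", "users"}, "actions": {"read", "write", "delete"}},
}

# Partial set rule: every role the user holds that covers the requested
# resource contributes its actions, and OPA unions the contributions into
# one set. A complete rule ("actions := roles[role].actions") would instead
# raise a conflict as soon as the user holds two roles with different actions.
allowed_actions[action] {
	some role in input.user.roles
	input.resource in roles[role].resources
	some action in roles[role].actions
}

# Complete rule built on top of the set: a single boolean, so it cannot
# conflict no matter how many roles matched. The default keeps the decision
# deny-by-default when no role grants the requested action.
default allow = false

allow {
	input.action in allowed_actions
}
```

Evaluate `data.policy.allowed_actions` in the playground with an input that carries `user.roles`, `resource` and `action`; each matching role's actions are merged into one set, and `data.policy.allow` reduces that set to a single decision.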
