我刚刚开始使用 OPA,所以很有可能我做错了什么。
我有以下输入:
{
"request": {
"principalId": "user1",
"scope": "/workspaces/1/environments/dev/deployments/123",
"requiredPermissions": [
"Deployments.ReadWrite",
"Foo.Bar"
]
}
}
我想确保用户拥有所有必需的权限。我已经有了所需的变量:
#// this is opa/rego value
"principal_roles_at_requested_scope": [
"Deployments.Read",
"Deployments.ReadWrite",
"WorkspaceEnvironments.Read",
"Workspaces.Read"
]
这应该将 allow 设置为 false,因为 Foo.Bar 不在 principal_roles_at_requested_scope 集中,但它会被评估为 正确:
allow {
some i
input.request.requiredPermissions[i] in principal_roles_at_requested_scope
}
另一方面,这可以工作,但显然不能使用:
allow {
input.request.requiredPermissions[0] in principal_roles_at_requested_scope
input.request.requiredPermissions[1] in principal_roles_at_requested_scope
}
最佳答案
好的,
感谢这个this我已经弄清楚了。
这就是解决的方法:
any_missing_permissions {
some v in input.request.requiredPermissions
not v in principal_roles_at_requested_scope
}
allow {
#// Each permission required in the request has to be available
#// at the requested scope
not any_missing_permissions
}
关于open-policy-agent - 即使比较结果为 false,OPA/rego 结果也为 true,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/70807765/