Issue-6559 Add ability to create decision labels within a policy #6681
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for openpolicyagent ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
Thanks for the contribution @tsidebottom. FYI we've added some comments on #6559 about the proposed feature including the latest one here. It would be helpful to identify alternate ways of achieving what's needed for #6559. Thanks. |
Currently the `raise_error` flag is not honored during the input validation step. So `http.send` will return an error if input validation fails irrespective of the `raise_error` flag status. This change attempts to fix that. Also the description of the `raise_error` flag is updated to reflect actual behavior. Signed-off-by: Ashutosh Narkar <[email protected]> Signed-off-by: Thomas Sidebottom <[email protected]>
DecisionLabel will be populated by the Custom Built-in. Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Actual definition and code will go here. Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Added to the EvalContext Struct. Created a method to pull the DecisionLabel object in from the SDK (opa.go; that update is coming shortly). Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
This commit fixes a panic that could occur when `opa build` was provided an entrypoint from both a CLI flag, and via entrypoint metadata annotation. The fix is simple: deduplicate the slice of entrypoint refs that the compiler uses, before compiling WASM or Plan targets. Fixes: open-policy-agent#6661 Co-authored-by: Daniel Herzig <[email protected]> Signed-off-by: Philip Conrad <[email protected]> Signed-off-by: Thomas Sidebottom <[email protected]>
This time for v0QueryPath, v1DataGet, and v1DataPost. Signed-off-by: Teemu Koponen <[email protected]> Signed-off-by: Thomas Sidebottom <[email protected]>
https://go.dev/doc/devel/release#go1.22.2 Signed-off-by: Stephan Renatus <[email protected]> Signed-off-by: Thomas Sidebottom <[email protected]>
…-agent#6671) Bumps [golang.org/x/net](https://github.com/golang/net) from 0.22.0 to 0.23.0. - [Commits](golang/net@v0.22.0...v0.23.0) --- updated-dependencies: - dependency-name: golang.org/x/net dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Thomas Sidebottom <[email protected]>
…policy-agent#6673) Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.62.1 to 1.63.0. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.62.1...v1.63.0) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Thomas Sidebottom <[email protected]>
Bumps [github.com/prometheus/client_model](https://github.com/prometheus/client_model) from 0.5.0 to 0.6.1. - [Release notes](https://github.com/prometheus/client_model/releases) - [Commits](prometheus/client_model@v0.5.0...v0.6.1) --- updated-dependencies: - dependency-name: github.com/prometheus/client_model dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Thomas Sidebottom <[email protected]>
In workflow runs like this: https://github.com/open-policy-agent/opa/actions/runs/7803493290/job/21283458848#step:3:317 We can see two problems. This commit is meant to address them. First, the test failed with this message: ``` expected unknown certificate authority error but got: Get "https://127.0.0.1:38699/v1/data": write tcp 127.0.0.1:52786->127.0.0.1:38699: write: connection reset by peer ``` Now this step in the test is retried like the other steps in the test since it can fail too. Second, the error `failed to reload TLS config` appears many times in the logs for that test. This issue is caused by the server attempting to read the new cert, key, and CA contents from disk while they are still being written to. This PR also introduces a 100ms pause between upto 5 attempts to reload the config for any given change to the state on disk. This should mean that the error is seen only when is is actually an issue and the reload has failed after a reasonable time. In most cases, running locally, the reload happens without error on the first run. Signed-off-by: Charlie Egan <[email protected]> Signed-off-by: Thomas Sidebottom <[email protected]>
…ty-printed" and/or line-prefixed JSON (open-policy-agent#6636) Fixes open-policy-agent#6630 Signed-off-by: Sean Williams <[email protected]> Signed-off-by: Thomas Sidebottom <[email protected]>
This reflects the reality -- we hadn't been sure why the dependabot update had not increased the stanza when it should have; but doing so now should unbreak the nightly tests. Signed-off-by: Stephan Renatus <[email protected]> Signed-off-by: Thomas Sidebottom <[email protected]>
…-agent#6680) Signed-off-by: Thomas Sidebottom <[email protected]>
Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.7.14 to 1.7.15. - [Release notes](https://github.com/containerd/containerd/releases) - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md) - [Commits](containerd/containerd@v1.7.14...v1.7.15) --- updated-dependencies: - dependency-name: github.com/containerd/containerd dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Thomas Sidebottom <[email protected]>
Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.63.0 to 1.63.2. - [Release notes](https://github.com/grpc/grpc-go/releases) - [Commits](grpc/grpc-go@v1.63.0...v1.63.2) --- updated-dependencies: - dependency-name: google.golang.org/grpc dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: Thomas Sidebottom <[email protected]>
Improving memory footprint and execution time of deps command for policies with high dependency connectivity. Fixes: open-policy-agent#6685 Signed-off-by: Johan Fylling <[email protected]> Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: kunal.das <[email protected]> Signed-off-by: Thomas Sidebottom <[email protected]>
Adding a global `rego_version` attribute to bundle manifest, to inform OPA runtime about what rego-version (v0/v1) to use to parse/compile contained Rego files. The rego-version of individual Rego files can be overridden through the `file_rego_versions` manifest attribute. Implements: open-policy-agent#6578 Signed-off-by: Johan Fylling <[email protected]> Signed-off-by: Thomas Sidebottom <[email protected]>
…policy-agent#6689) Fixing issue where active parser options aren't propagated to module reload during bundle activation. Signed-off-by: Francisco Rodrigues <[email protected]> Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Documenting bundle rego-version. Signed-off-by: Johan Fylling <[email protected]> Signed-off-by: Thomas Sidebottom <[email protected]>
The DecisionLabel is no longer a Field of the DecisionOptions Struct because the field will always be nil. It is now generated directly within the Decision() Function where it can be populated. Due to this, the scenario being tested is impossible. For coverage, the scenario being tested by TestDecisionLoggingWithDecisionLabel is formally covered by the tests which confirm the proper function of the DecisionLabelAdd Builtin Function. Signed-off-by: Thomas Sidebottom <[email protected]>
Signed-off-by: Thomas Sidebottom <[email protected]>
Using `goimports` to format the imports Signed-off-by: Thomas Sidebottom <[email protected]>
The DecisionLabelAdd Builtin was added to the capabilities.json file to allow it to be tracked. Signed-off-by: Thomas Sidebottom <[email protected]>
I missed this even after the GitHub Check told me to look here... Signed-off-by: Thomas Sidebottom <[email protected]>
I added it to the list, but I forgot to add the actual description of the Builtin. Using the Check Generated Job version. Signed-off-by: Thomas Sidebottom <[email protected]>
|
This pull request has been automatically marked as stale because it has not had any activity in the last 30 days. |
|
Closing this PR for now. We can continue the discussion in #6559. There are other approaches discussed in the issue on how to address this. In its current form this PR is unlikely to be merged and there's been no activity on it for a while so feel free to re-open in draft mode if needed with modifications. Thanks for your time and work on this! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why the changes in this PR are needed?
Adds a DecisionLabel Field (a Map Object) to the Decision Log output to track Policy Result Data.
What are the changes in this PR?
Notes to assist PR review:
Further comments:
Addresses #6559