Writing raw policies

Raw policies are policies that can evaluate arbitrary JSON documents. For more information about raw policies, please refer to the raw policies page.

Example

The following examples should look familiar if you completed the validation page of this tutorial.

note

Remember to mark the policy as raw by using the policyType field in the metadata.yml configuration. Please refer to the metadata specification for more information.

Validation

We are going to write a policy that accepts a request in the following format:

{
  "request": {
    "user": "alice",
    "action": "read",
    "resource": "products"
  }
}

and validates that only the admin user can delete resources.

Let's start by scaffolding a policy by using the OPA policy template.

First, we need to modify the policy.rego file to look like this:

package validation

deny[msg] {
    input.request.action == "delete"
    input.request.user != "admin"
    msg := sprintf("user %v is not allowed to delete resources", [input.request.user])
}

The utility/policy.rego module must be modified to remove Kubernetes-specific code:

package policy

import data.validation

main = {
	"response": response,
}

# OPA policy responses need the uid field to be set.
# If the request doesn't contain a uid, set it to an empty string.
default uid = ""

uid = input.request.uid

response = {
	"uid": uid,
	"allowed": false,
	"status": {"message": reason},
} {
	reason = concat(", ", validation.deny)
	reason != ""
} else = {
	"uid": uid,
	"allowed": true,
} {
	true
}