Writing raw policies
Raw policies are policies that can evaluate arbitrary JSON documents. For more information about raw policies, please refer to the raw policies page.
Example​
The following examples should look familiar if you completed the validation page of this tutorial.
Remember to mark the policy as raw
,
by using the policyType
field in the metadata.yml
configuration.
Please refer to the
metadata
specification for more information.
Validation​
You're going to write a policy that accepts a request in the following format:
{
"request": {
"user": "alice",
"action": "read",
"resource": "products"
}
}
It validates that only the admin
user can delete resources.
Start by scaffolding a policy by using the OPA policy template.
First you need to change the policy.rego
file to look like this:
package validation
deny[msg] {
input.request.action == "delete"
input.request.user != "admin"
msg := sprintf("user %v is not allowed to delete resources", [input.request.user])
}
The utility/policy.rego
module must needs modification to remove Kubernetes-specific code:
package policy
import data.validation
main = {
"response": response,
}
# OPA policy responses need the uid field to be set.
# If the request doesn't contain a uid, set it to an empty string.
default uid = ""
uid = input.request.uid
response = {
"uid": uid,
"allowed": false,
"status": {"message": reason},
} {
reason = concat(", ", validation.deny)
reason != ""
} else = {
"uid": uid,
"allowed": true,
} {
true
}