New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Non-deduplication of sets #429
Comments
@timothyhinrichs do you have any other thoughts on this? I'm tempted to close for now as we this hasn't come up for quite a while and I'm not sure there is a good solution. |
At minimum we need to clearly document the behaviour. |
During evaluation, each partial set could record the elements found so far and fail when it encounters an element already in the set (perhaps with a better trace error message). Besides being more intuitive, this would also improve performance. Tracing will look different. |
…ld result in * This is an edge case where the duplicates would be the same length as the total projects in the system. For example, if you have a single custom project named project1 one and two policies that allow user bob on project1 for a specific resource and action, then V2ProjectsAuthorized would return ["project1", "project1"]. Since the total projects in the system would be ["(unassigned)", "project1"], ProjectsAuthorized would incorrectly equate the result of V2ProjectsAuthorized to * due to the fact that their lengths matched. This edge case would happen anytime NumberOfProjectsAllowingAProjectForASpecificResourceAndAction = NumberOfCustomProjects + 1 (for the unassigned project). V2ProjectsAuthorized has been updated to not return duplicates which was never the intended behavior. The duplicates were introduced in this change: c21ddbe Due to the introduction of using a partial document: c21ddbe#diff-2d317bb33ff7babca7e1290b0fb1dcf2R241 Which unfortunately contain duplicates: open-policy-agent/opa#429 Signed-off-by: Tyler Cloke <tylercloke@gmail.com>
…ld result in * This is an edge case where the duplicates would be the same length as the total projects in the system. For example, if you have a single custom project named project1 one and two policies that allow user bob on project1 for a specific resource and action, then V2ProjectsAuthorized would return ["project1", "project1"]. Since the total projects in the system would be ["(unassigned)", "project1"], ProjectsAuthorized would incorrectly equate the result of V2ProjectsAuthorized to * due to the fact that their lengths matched. This edge case would happen anytime NumberOfProjectsAllowingAProjectForASpecificResourceAndAction = NumberOfCustomProjects + 1 (for the unassigned project). V2ProjectsAuthorized has been updated to not return duplicates which was never the intended behavior. The duplicates were introduced in this change: c21ddbe Due to the introduction of using a partial document: c21ddbe#diff-2d317bb33ff7babca7e1290b0fb1dcf2R241 Which unfortunately contain duplicates: open-policy-agent/opa#429 Signed-off-by: Tyler Cloke <tylercloke@gmail.com>
…ld result in * This is an edge case where the duplicates would be the same length as the total projects in the system. For example, if you have a single custom project named project1 one and two policies that allow user bob on project1 for a specific resource and action, then V2ProjectsAuthorized would return ["project1", "project1"]. Since the total projects in the system would be ["(unassigned)", "project1"], ProjectsAuthorized would incorrectly equate the result of V2ProjectsAuthorized to * due to the fact that their lengths matched. This edge case would happen anytime NumberOfProjectsAllowingAProjectForASpecificResourceAndAction = NumberOfCustomProjects + 1 (for the unassigned project). V2ProjectsAuthorized has been updated to not return duplicates which was never the intended behavior. The duplicates were introduced in this change: c21ddbe Due to the introduction of using a partial document: c21ddbe#diff-2d317bb33ff7babca7e1290b0fb1dcf2R241 Which unfortunately contain duplicates: open-policy-agent/opa#429 Signed-off-by: Tyler Cloke <tylercloke@gmail.com>
…ld result in * (#1963) This is an edge case where the duplicates would be the same length as the total projects in the system. For example, if you have a single custom project named project1 one and two policies that allow user bob on project1 for a specific resource and action, then V2ProjectsAuthorized would return ["project1", "project1"]. Since the total projects in the system would be ["(unassigned)", "project1"], ProjectsAuthorized would incorrectly equate the result of V2ProjectsAuthorized to * due to the fact that their lengths matched. This edge case would happen anytime NumberOfProjectsAllowingAProjectForASpecificResourceAndAction = NumberOfCustomProjects + 1 (for the unassigned project). V2ProjectsAuthorized has been updated to not return duplicates which was never the intended behavior. The duplicates were introduced in this change: c21ddbe Due to the introduction of using a partial document: c21ddbe#diff-2d317bb33ff7babca7e1290b0fb1dcf2R241 Which unfortunately contain duplicates: open-policy-agent/opa#429 Signed-off-by: Tyler Cloke <tylercloke@gmail.com>
This commit fixes an old issue in the evaluator whereby duplicate keys could be returned when iterating over documents generated by partial rules. Specifically, because the code path to evaluate partial sets and partial objects differs when elements are accessed individually versus in aggregate (e.g., `p[x] = y` vs `p = q; q[x] = y`) callers could see different results in some cases. For example: ``` [[x,y] | p[x] = y] [[x, y] | p = q; q[x] = y] ``` In this case, query 1 and 2 could produce different results. For both partial sets and objects, the result may contain duplicate values. In addition, for partial objects, the first query may succeed, while the second query may generate a conflict error if the same key was mapped more than one value. The fix simply keeps track of the values that have been generated while evaluating the rules and performs deduplication/conflict checking just like in the aggregate case. When duplicates are encountered, the evaluator will emit Duplicate events to indicate that evaluation is not continuing. Fixes open-policy-agent#429 Signed-off-by: Torin Sandall <torinsandall@gmail.com>
This commit fixes an old issue in the evaluator whereby duplicate keys could be returned when iterating over documents generated by partial rules. Specifically, because the code path to evaluate partial sets and partial objects differs when elements are accessed individually versus in aggregate (e.g., `p[x] = y` vs `p = q; q[x] = y`) callers could see different results in some cases. For example: ``` [[x,y] | p[x] = y] [[x, y] | p = q; q[x] = y] ``` In this case, query 1 and 2 could produce different results. For both partial sets and objects, the result may contain duplicate values. In addition, for partial objects, the first query may succeed, while the second query may generate a conflict error if the same key was mapped more than one value. The fix simply keeps track of the values that have been generated while evaluating the rules and performs deduplication/conflict checking just like in the aggregate case. When duplicates are encountered, the evaluator will emit Duplicate events to indicate that evaluation is not continuing. Fixes #429 Signed-off-by: Torin Sandall <torinsandall@gmail.com>
When defining a set, we have two options: using a partial document or a set-comprehension. The two are logically equivalent without aggregation, but with aggregation you the two produce different results. The partial document only eliminates duplicates once you ask for the set as a whole at the end of the search; it leaves duplicates in tact during search. The result is that the same value can be included more than once in an aggregate. In contrast, the set-comprehension eliminates duplicates immediately.
The following two code snippets are identical (and are taken from the Terraform library).
Two options for addressing.
The text was updated successfully, but these errors were encountered: