Short description
When building a bundle with `opa.runtime()` (or other builtin functions) used in the policy, the resulting optimized policy can wind up missing critical rules entirely. This occurs because the optimizer attempts partial evaluation at bundle build time, which can have nonsensical results for some non-deterministic Rego builtins that query the environment (`http.send`, `opa.runtime`, etc.).
Short example
An easy example of this is the following policy:

`test.rego`:

```rego
package test

allow {
    opa.runtime().env.MY_APP_ID == input.details.id
}
```
Steps to reproduce
```
opa build ./test/ -b -O=2 -e test/allow
```

Check bundle, and see the following:

`bundle.tar.gz/optimized/test.rego`:

```rego
package test

default allow = false
```
Expected behavior
The optimizer should not be attempting to partially evaluate non-deterministic builtin functions like opa.runtime. Adding that one builtin to the "unsafe for partial eval" list would be enough on its own for solving some immediate issues, but it's probably best just to remove all of them from partial eval for safety.
Workaround techniques
You can currently force the optimizer to leave the `opa.runtime` calls alone by wrapping them in constructs that are opaque to it, like aggregate comprehensions and `else` rules. (Thanks @tsandall for figuring this out!)
Example of `else` rule wrapping:

```rego
package test

allow {
    my_app_id == input.details.id
}

# HACK: The else rule here allows us to hide the opa.runtime call from partial eval in this policy.
my_app_id := x {
    x := opa.runtime().env.MY_APP_ID
} else := ""
```
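A build-time check for the failure reported above, added here as an example (it is not code from the issue or from the OPA project): it compares a source module with the optimizer's output and reports rules that call a non-deterministic builtin directly but no longer have a body. The function names and the regex heuristic for top-level rules are this example's own assumptions, and the builtin list holds only the two names the issue mentions.

```python
import re

# Builtins the issue names as environment-dependent. Assumption: this list is
# not exhaustive; extend it with any other non-deterministic builtin you use.
NONDETERMINISTIC = ("opa.runtime", "http.send")

# Heuristic: a top-level rule head starts at column 0 and opens its body on the same line.
RULE_HEAD = re.compile(r"^(?!default\b|package\b|import\b)([A-Za-z_]\w*)[^{\n]*\{", re.M)


def rule_bodies(module):
    """Map rule name -> list of body texts for top-level rules in a Rego module."""
    bodies = {}
    for m in RULE_HEAD.finditer(module):
        depth, i = 1, m.end()
        while i < len(module) and depth:  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(module[i], 0)
            i += 1
        bodies.setdefault(m.group(1), []).append(module[m.end():i - 1])
    return bodies


def collapsed_rules(source, optimized):
    """Rules that call a non-deterministic builtin in source but have no body after optimization."""
    kept = rule_bodies(optimized)
    return sorted(
        name
        for name, bodies in rule_bodies(source).items()
        if name not in kept
        and any(f"{b}(" in body for body in bodies for b in NONDETERMINISTIC)
    )


# The policy and the optimized output quoted in the issue.
SOURCE = """package test

allow {
    opa.runtime().env.MY_APP_ID == input.details.id
}
"""
OPTIMIZED = """package test

default allow = false
"""

if __name__ == "__main__":
    for name in collapsed_rules(SOURCE, OPTIMIZED):
        print(f"rule {name!r} lost its body during optimization")
```

Run it in CI against each module in the unpacked bundle's `optimized/` directory and fail the build on any reported rule.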
This commit removes the `IgnoreDuringPartialEval` list in
`ast/builtins`, and instead changes the partial evaluator to simply
ignore all non-deterministic builtins. This keeps true to the intent of
the original list, and reduces the potential for human error in
maintenance in the future.
Fixes: open-policy-agent#5171
Signed-off-by: Philip Conrad <philipaconrad@gmail.com>