discovery: default decision not picked up #6697

srenatus · 2024-04-15T12:23:28Z

Our docs suggest that the discovery config can be used to provide a new default decision. Now, trying that, I've stumbled upon something confusing:

# disco/config.rego
package config
import rego.v1

discovery := {
  "default_decision": "acmecorp/httpauthz/allow"
}

build a bundle, use python to serve it:

opa build -o disco.tar.gz disco
python -m http.server

Start OPA with a discovery config:

# opa.yaml
services:
  - name: acmecorp
    url: http://127.0.0.1:8000
discovery:
  name: example
  resource: disco.tar.gz
  decision: config/discovery

Now the logs look completely fine:

% opa run -s -ldebug -c enterprise-opa.yml
{"addrs":[":8181"],"diagnostic-addrs":[],"level":"info","msg":"Initializing server. OPA is running on a public (0.0.0.0) network interface. Unless you intend to expose OPA outside of the host, binding to the localhost interface (--addr localhost:8181) is recommended. See https://www.openpolicyagent.org/docs/latest/security/#interface-binding","time":"2024-04-15T14:19:51+02:00"}
{"level":"debug","msg":"maxprocs: Leaving GOMAXPROCS=16: CPU quota undefined","time":"2024-04-15T14:19:51+02:00"}
{"level":"debug","msg":"Download starting.","time":"2024-04-15T14:19:51+02:00"}
{"headers":{"Prefer":["modes=snapshot,delta"],"User-Agent":["Open Policy Agent/0.62.0-dev (darwin, amd64)"]},"level":"debug","method":"GET","msg":"Sending request.","time":"2024-04-15T14:19:51+02:00","url":"http://127.0.0.1:8000/disco.tar.gz"}
{"level":"debug","msg":"Server initialized.","time":"2024-04-15T14:19:51+02:00"}
{"headers":{"Content-Type":["application/json"],"User-Agent":["Open Policy Agent/0.62.0-dev (darwin, amd64)"]},"level":"debug","method":"POST","msg":"Sending request.","time":"2024-04-15T14:19:51+02:00","url":"https://telemetry.openpolicyagent.org/v1/version"}
{"headers":{"Content-Length":["250"],"Content-Type":["application/gzip"],"Date":["Mon, 15 Apr 2024 12:19:51 GMT"],"Last-Modified":["Mon, 15 Apr 2024 12:14:11 GMT"],"Server":["SimpleHTTP/0.6 Python/3.9.6"]},"level":"debug","method":"GET","msg":"Received response.","status":"200 OK","time":"2024-04-15T14:19:51+02:00","url":"http://127.0.0.1:8000/disco.tar.gz"}
{"level":"debug","msg":"Download in progress.","time":"2024-04-15T14:19:51+02:00"}
{"level":"info","msg":"Discovery update processed successfully.","plugin":"discovery","time":"2024-04-15T14:19:51+02:00"}
{"level":"debug","msg":"Waiting 1m0.023377439s before next download/retry.","time":"2024-04-15T14:19:51+02:00"}

Also, when I query the /v1/config API, it seems to be picked up just fine:

% curl -v http://127.0.0.1:8181/v1/config\?pretty  
{
  "result": {
    "default_authorization_decision": "/system/authz/allow",
    "default_decision": "acmecorp/httpauthz/allow",
    "discovery": {
      "decision": "config/discovery",
      "name": "example",
      "resource": "disco.tar.gz"
    },
    "labels": {
      "id": "b89e7617-79d6-4034-8b13-7c8c5edd7c1b",
      "version": "0.62.0-dev"
    }
  }
}

The surprise comes when querying this:

% curl -XPOST http://127.0.0.1:8181/ 
{
  "code": "undefined_document",
  "message": "document missing: data.system.main"
}

Am I just confused about something on this nice Monday, or is there something going on here? 💭

The text was updated successfully, but these errors were encountered:

ashutosh-narkar · 2024-04-24T00:00:15Z

Looks like when we update the manager with the discovered config we don't reset the default decision path on the server and hence the default (data.system.main) gets used.

This change attempts to keep the default decision path used by the server in sync with the one defined on the manager's config. Currently the server only updates the default decision path when it's initialized and when there is a commit on the store. The issue happens when the default decision path is updated via the discovered config. In this case, the manager's config is updated but there could be no store txn. Hence the updated value of default decision path is not taken into account by the server. Fixes: open-policy-agent#6697 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>

This change attempts to keep the default decision path used by the server in sync with the one defined on the manager's config. Currently the server only updates the default decision path when it's initialized and when there is a commit on the store. The issue happens when the default decision path is updated via the discovered config. In this case, the manager's config is updated but there could be no store txn. Hence the updated value of default decision path is not taken into account by the server. Fixes: #6697 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>

srenatus added the bug label Apr 15, 2024

ashutosh-narkar self-assigned this Apr 15, 2024

ashutosh-narkar mentioned this issue Apr 24, 2024

server: Keep default decision path in-sync with manager's config #6715

Merged

ashutosh-narkar closed this as completed in #6715 Apr 24, 2024

BrewTestBot mentioned this issue Apr 25, 2024

opa 0.64.0 Homebrew/homebrew-core#170097

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

discovery: default decision not picked up #6697

discovery: default decision not picked up #6697

srenatus commented Apr 15, 2024

ashutosh-narkar commented Apr 24, 2024

discovery: default decision not picked up #6697

discovery: default decision not picked up #6697

Comments

srenatus commented Apr 15, 2024

ashutosh-narkar commented Apr 24, 2024