Writing raw policies
Raw policies are policies that can evaluate arbitrary JSON documents. For more information about raw policies, please refer to the raw policies page.
Example
The following examples should look familiar if you completed the validation page of this tutorial.
Remember to mark the policy as |
Validation
You're going to write a policy that accepts a request in the following format:

```json
{
  "request": {
    "user": "alice",
    "action": "read",
    "resource": "products"
  }
}
```
It validates that only the admin user can delete resources.
Start by scaffolding a policy by using the OPA policy template.
First you need to change the policy.rego file to look like this:

```rego
package validation

deny[msg] {
  input.request.action == "delete"
  input.request.user != "admin"
  msg := sprintf("user %v is not allowed to delete resources", [input.request.user])
}
```
The utility/policy.rego module must be modified to remove the Kubernetes-specific code:

```rego
package policy

import data.validation

main = {
  "response": response,
}

# OPA policy responses need the uid field to be set.
# If the request doesn't contain a uid, set it to an empty string.
default uid = ""

uid = input.request.uid

response = {
  "uid": uid,
  "allowed": false,
  "status": {"message": reason},
} {
  reason = concat(", ", validation.deny)
  reason != ""
} else = {
  "uid": uid,
  "allowed": true,
} {
  true
}
```
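To check the deny rule and the response wrapper together before building the policy, the unit tests below are an added example (not part of the original page or the Kubewarden template); they use constructed sample requests and the same pre-1.0 Rego rule syntax as the modules above.

```rego
package policy

# Constructed sample requests (not from the page); only the third carries a uid.
alice_delete := {"request": {"user": "alice", "action": "delete", "resource": "products"}}
admin_delete := {"request": {"user": "admin", "action": "delete", "resource": "products"}}
alice_read := {"request": {"uid": "req-1", "user": "alice", "action": "read", "resource": "products"}}

# A non-admin delete must be rejected with the message produced by validation.deny.
test_non_admin_delete_is_rejected {
  result := main with input as alice_delete
  result.response.allowed == false
  result.response.status.message == "user alice is not allowed to delete resources"
}

# The admin user is the only one allowed to delete.
test_admin_delete_is_allowed {
  result := main with input as admin_delete
  result.response.allowed == true
}

# Reads are never denied, and an existing uid is echoed back in the response.
test_read_is_allowed_and_uid_is_preserved {
  result := main with input as alice_read
  result.response.allowed == true
  result.response.uid == "req-1"
}

# A request without a uid falls back to the empty-string default.
test_missing_uid_defaults_to_empty_string {
  result := main with input as admin_delete
  result.response.uid == ""
}
```

Save the file as policy_test.rego next to the other modules and run `opa test policy.rego utility/policy.rego policy_test.rego`; all four tests should pass.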