Writing raw policies
Raw policies are policies that can evaluate arbitrary JSON documents. For more information about raw policies, please refer to the raw policies page.
Example
The following examples should look familiar if you completed the validation page of this tutorial.
Remember to mark the policy as |
Validation
You’re going to write a policy that accepts a request in the following format:
{
"request": {
"user": "alice",
"action": "read",
"resource": "products"
}
}
It validates that only the admin
user can delete resources.
Start by scaffolding a policy by using the OPA policy template.
First you need to change the policy.rego
file to look like this:
package validation
deny[msg] {
input.request.action == "delete"
input.request.user != "admin"
msg := sprintf("user %v is not allowed to delete resources", [input.request.user])
}
The utility/policy.rego
module needs modification to remove Kubernetes-specific code:
package policy
import data.validation
main = {
"response": response,
}
# OPA policy responses need the uid field to be set.
# If the request doesn't contain a uid, set it to an empty string.
default uid = ""
uid = input.request.uid
response = {
"uid": uid,
"allowed": false,
"status": {"message": reason},
} {
reason = concat(", ", validation.deny)
reason != ""
} else = {
"uid": uid,
"allowed": true,
} {
true
}