Relax config check when Discovery is enabled #5722
Labels
Projects
Comments
|
Related: #5070 (not a duplicate, but if I'm reading things right, fixing this would likely fix that too, so adding here for tracking) |
|
PR #5314 already did some work on this and left it to the plugins what can be overridden (my assumption was that some things should just not be overridable but that might be wrong). It uses the same merge values method that is used by the command line‘s |
ashutosh-narkar
added
runtime
and removed
distribution
|
Since this is removed from planning and we are hit by this: Is there agreement on doing it as described?
The linked PR does no. 1 but is more specific, i.e some conditions would need to be removed. What is missing is essentially the delta tracking and publishing this via status API |
|
@mjungsbluth we've mostly seen this request come from Styra DAS users, however, since Styra DAS now supports the ability to override the discovery config (via the API) we decided to deprioritize the work in OPA. Here is a link to the Styra DAS docs that show how to override the discovery config: https://docs.styra.com/das/policies/policy-organization/systems/opa-discovery#add-or-override-a-value-in-discovery-configuration. |
|
@tsandall understood and I have seen that change which mitigates the problem for now. |
ashutosh-narkar
moved this from Planning - v0.59
to Planning - v0.60 (TBD)
in Open Policy Agent
ashutosh-narkar
moved this from Planning - v0.61
to Planning - v0.62(TBD)
in Open Policy Agent
ashutosh-narkar
moved this from Planning - v0.64(TBD)
to Planning - v0.63
in Open Policy Agent
ashutosh-narkar
added a commit
to ashutosh-narkar/opa
that referenced
this issue
Apr 18, 2024
Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts, the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included in the Status API messages so that management systems can get visibility into the local overrides. **In general, the bootstrap configuration overrides the discovered configuration.** Previously this was not the case for all configuration fields. For example, if the discovered configuration changes the `labels` section, only labels that are additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the bootstrap configuration override those in the discovered configuration. But for fields such as `default_decision`, `default_authorization_decision`, `nd_builtin_cache`, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent for the entire configuration and helps to avoid accidental configuration errors. Fixes: open-policy-agent#5722 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
ashutosh-narkar
added a commit
to ashutosh-narkar/opa
that referenced
this issue
Apr 22, 2024
Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts, the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included in the Status API messages so that management systems can get visibility into the local overrides. **In general, the bootstrap configuration overrides the discovered configuration.** Previously this was not the case for all configuration fields. For example, if the discovered configuration changes the `labels` section, only labels that are additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the bootstrap configuration override those in the discovered configuration. But for fields such as `default_decision`, `default_authorization_decision`, `nd_builtin_cache`, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent for the entire configuration and helps to avoid accidental configuration errors. Fixes: open-policy-agent#5722 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
ashutosh-narkar
added a commit
to ashutosh-narkar/opa
that referenced
this issue
Apr 23, 2024
Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts, the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included in the Status API messages so that management systems can get visibility into the local overrides. **In general, the bootstrap configuration overrides the discovered configuration.** Previously this was not the case for all configuration fields. For example, if the discovered configuration changes the `labels` section, only labels that are additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the bootstrap configuration override those in the discovered configuration. But for fields such as `default_decision`, `default_authorization_decision`, `nd_builtin_cache`, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent for the entire configuration and helps to avoid accidental configuration errors. Fixes: open-policy-agent#5722 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
ashutosh-narkar
added a commit
that referenced
this issue
Apr 23, 2024
Previously if Discovery was enabled, other features like bundle downloading and status reporting could not be configured manually. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. It's possible that the system serving the discovered config is unaware of all options locally available in OPA. Hence, we relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configurations. In case of conflicts, the bootstrap configuration for plugins wins. These local configuration overrides from the bootstrap configuration are included in the Status API messages so that management systems can get visibility into the local overrides. **In general, the bootstrap configuration overrides the discovered configuration.** Previously this was not the case for all configuration fields. For example, if the discovered configuration changes the `labels` section, only labels that are additional compared to the bootstrap configuration are used, all other changes are ignored. This implies labels in the bootstrap configuration override those in the discovered configuration. But for fields such as `default_decision`, `default_authorization_decision`, `nd_builtin_cache`, the discovered configuration would override the bootstrap configuration. Now the behavior is more consistent for the entire configuration and helps to avoid accidental configuration errors. Fixes: #5722 Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently OPA does not allow users to supply plugin config when Discovery is enabled. The reason for this was to prevent OPAs being deployed that could not be controlled through discovery. In some cases though we've found that the user deploying OPA must be able to make local overrides even when discovery is in place, e.g., because the system serving the discovery config is unaware of all options available in OPA.
To address this we can relax the configuration check when discovery is enabled so that the bootstrap configuration can contain plugin configs. In case of conflicts, the bootstrap configuration for plugins should win. These local configuration overrides from the bootstrap configuration could be included in the Status API messages so that management systems can at least visibility into the local overrides.
For example, to enable console decision logging when an
opa-config.yamlrelies on discovery, the user would just need to:The text was updated successfully, but these errors were encountered: