New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
General refs/docs #6244
General refs/docs #6244
Conversation
docs/content/policy-language.md
Outdated
``` | ||
|
||
In the above example, rule `R2` overlaps with the dynamic portion of rule `R1`'s reference (`[x].r`), which is allowed at compile-time, as these rules aren't guaranteed to produce conflicting output. | ||
However, if `R1` defines `x` as `"q"` and `y` as, e.g. `0`, a conflict will be reported at evaluation-time. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So we're saying the above rule will report a conflict at eval time, correct?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Correct 👌 .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Deployment fails because the playground doesn't support the new syntax yet.
|
||
```json | ||
```live:general_ref_head:input |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
|
||
```rego | ||
```live:general_ref_head:module |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
|
||
```live:general_ref_head:output |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
|
||
The first variable declared in a rule head's reference divides the reference in a leading constant portion and a trailing dynamic portion. Other rules are allowed to overlap with the dynamic portion (dynamic extent) without causing a compile-time conflict. | ||
|
||
```live:general_ref_head_conflict:module |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
} | ||
} | ||
} | ||
```live:general_ref_head_conflict:output:expect_eval_error |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
|
||
Error: | ||
|
||
```live:general_ref_head_conflict2:output:expect_rego_error |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
|
||
Rules are not allowed to overlap with object values of other rules. | ||
|
||
```live:general_ref_head_conflict3:module |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
|
||
Error: | ||
|
||
```live:general_ref_head_conflict3:output:expect_eval_error |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In the above example, `R1` is within the dynamic extent of `R2` and a conflict cannot be detected at compile-time. However, at evaluation-time `R2` will attempt to inject a value under key `t` in an object value defined by `R1`. This is a conflict, as rules are not allowed to modify or replace values defined by other rules. | ||
We won't get a conflict if we update the policy to the following: | ||
|
||
```live:general_ref_head_conflict4:module |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
|
||
As `R1` is now instead defining a value within the dynamic extent of `R2`'s reference, which is allowed: | ||
|
||
```live:general_ref_head_conflict4:output |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
✅ Deploy Preview for openpolicyagent ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
Fixes: open-policy-agent#5996 Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Signed-off-by: Johan Fylling <johan.dev@fylling.se>
ac1ac4d
to
fa7ab5e
Compare
Fixes: #5996
Updating documentation with information about general refs in rule heads.
🚧⚠️ These changes are contingent on #6235 getting merged; and should not be merged before those changes.Note: we use live code blocks to demonstrate general ref rule heads, and these will be broken until the Rego Playground is updated to use the latest OPA version.
To build the docs, and view the live code blocks, build the playground with
main
-branch OPA and run it locally; then point the docs to that instance by updatingPLAYGROUND
indocs/website/scripts/live-blocks/src/constants.js
.