General refs/docs #6244
Merged
General refs/docs #6244
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
docs/content/policy-language.md
Outdated
| ``` | ||
|
|
||
| In the above example, rule `R2` overlaps with the dynamic portion of rule `R1`'s reference (`[x].r`), which is allowed at compile-time, as these rules aren't guaranteed to produce conflicting output. | ||
| However, if `R1` defines `x` as `"q"` and `y` as, e.g. `0`, a conflict will be reported at evaluation-time. |
There was a problem hiding this comment.
So we're saying the above rule will report a conflict at eval time, correct?
johanfylling
commented
Sep 27, 2023
|
|
||
| ```json | ||
| ```live:general_ref_head:input |
|
|
||
| ```rego | ||
| ```live:general_ref_head:module |
|
|
||
| ```live:general_ref_head:output |
|
|
||
| The first variable declared in a rule head's reference divides the reference in a leading constant portion and a trailing dynamic portion. Other rules are allowed to overlap with the dynamic portion (dynamic extent) without causing a compile-time conflict. | ||
|
|
||
| ```live:general_ref_head_conflict:module |
| } | ||
| } | ||
| } | ||
| ```live:general_ref_head_conflict:output:expect_eval_error |
|
|
||
| Error: | ||
|
|
||
| ```live:general_ref_head_conflict2:output:expect_rego_error |
|
|
||
| Rules are not allowed to overlap with object values of other rules. | ||
|
|
||
| ```live:general_ref_head_conflict3:module |
|
|
||
| Error: | ||
|
|
||
| ```live:general_ref_head_conflict3:output:expect_eval_error |
| In the above example, `R1` is within the dynamic extent of `R2` and a conflict cannot be detected at compile-time. However, at evaluation-time `R2` will attempt to inject a value under key `t` in an object value defined by `R1`. This is a conflict, as rules are not allowed to modify or replace values defined by other rules. | ||
| We won't get a conflict if we update the policy to the following: | ||
|
|
||
| ```live:general_ref_head_conflict4:module |
|
|
||
| As `R1` is now instead defining a value within the dynamic extent of `R2`'s reference, which is allowed: | ||
|
|
||
| ```live:general_ref_head_conflict4:output |
✅ Deploy Preview for openpolicyagent ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Fixes: open-policy-agent#5996 Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Signed-off-by: Johan Fylling <johan.dev@fylling.se>
Signed-off-by: Johan Fylling <johan.dev@fylling.se>
ashutosh-narkar
force-pushed
the
general_refs/docs
branch
from
ac1ac4d
to
fa7ab5e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes: #5996
Updating documentation with information about general refs in rule heads.
🚧⚠️ These changes are contingent on #6235 getting merged; and should not be merged before those changes.Note: we use live code blocks to demonstrate general ref rule heads, and these will be broken until the Rego Playground is updated to use the latest OPA version.
To build the docs, and view the live code blocks, build the playground with
main-branch OPA and run it locally; then point the docs to that instance by updatingPLAYGROUNDindocs/website/scripts/live-blocks/src/constants.js.