
I have just started using OPA, so it is quite likely that I am doing something wrong.

I have the following input:

{
  "request": {
    "principalId": "user1",
    "scope": "/workspaces/1/environments/dev/deployments/123",
    "requiredPermissions": [
      "Deployments.ReadWrite",
      "Foo.Bar"
    ]
  }
}

I want to make sure the user holds all of the required permissions. I already have the variable I need:

# this is the OPA/Rego value

"principal_roles_at_requested_scope": [
    "Deployments.Read",
    "Deployments.ReadWrite",
    "WorkspaceEnvironments.Read",
    "Workspaces.Read"
]

This should set allow to false, because Foo.Bar is not in the principal_roles_at_requested_scope set, but it evaluates to true:

allow {
    # `some i` is existential: the rule is true as soon as ANY one
    # required permission is found at the scope, not when ALL are.
    some i
    input.request.requiredPermissions[i] in principal_roles_at_requested_scope
}

On the other hand, this works, but obviously cannot be used:

allow {
    input.request.requiredPermissions[0] in principal_roles_at_requested_scope
    input.request.requiredPermissions[1] in principal_roles_at_requested_scope
}

1 Answer


OK,

thanks to this I have figured it out.

This is how it was solved:

# True if at least one required permission is absent at the requested scope.
any_missing_permissions {
    some v in input.request.requiredPermissions
    not v in principal_roles_at_requested_scope
}

allow {
    # Each permission required in the request has to be available
    # at the requested scope, so negate the existential "any missing" rule.
    not any_missing_permissions
}
answered 2022-01-21T21:58:57.437
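The same "all required permissions must be present" check as a complete, self-contained policy with its own unit tests. This is an added example, not the asker's or answerer's code. It assumes OPA 0.59 or newer (for `import rego.v1`, which also makes `if`/`contains` mandatory so the file runs unchanged on OPA 1.x), uses a hard-coded stand-in for `principal_roles_at_requested_scope` (constructed sample data; in a real deployment it would be derived from role bindings under `data` and `input.request.scope`), and the package name `authz` and the comparison rule `allow_any` are my own choices. It also adds two things a practitioner usually wants that the thread does not show: a `default allow := false` so a failed check yields `false` rather than `undefined`, and a guard against a request with an empty `requiredPermissions` list being vacuously allowed.

```rego
package authz

import rego.v1

# Deny by default. Without this line a request that fails the check leaves
# `allow` undefined rather than false, which some callers treat as "no decision".
default allow := false

# Constructed stand-in for the asker's principal_roles_at_requested_scope.
principal_roles_at_requested_scope := {
	"Deployments.Read",
	"Deployments.ReadWrite",
	"WorkspaceEnvironments.Read",
	"Workspaces.Read",
}

# Set of required permissions the principal does NOT hold at the scope.
# Empty when every required permission is present. Exposing this set (rather
# than only a boolean) also gives the caller a useful denial reason.
missing_permissions contains p if {
	some p in input.request.requiredPermissions
	not p in principal_roles_at_requested_scope
}

# All required permissions must be present: the missing set must be empty.
# The count(...) > 0 guard stops an empty requiredPermissions list from being
# vacuously allowed; drop it if that is acceptable in your model.
allow if {
	count(input.request.requiredPermissions) > 0
	count(missing_permissions) == 0
}

# The shape from the question, kept for comparison: `some p in ...` is
# existential, so this is true as soon as ANY one required permission matches.
allow_any if {
	some p in input.request.requiredPermissions
	p in principal_roles_at_requested_scope
}

# --- Unit tests (run with: opa test policy.rego -v) ---

# Constructed input matching the question: Foo.Bar is not granted.
denied_input := {"request": {
	"principalId": "user1",
	"scope": "/workspaces/1/environments/dev/deployments/123",
	"requiredPermissions": ["Deployments.ReadWrite", "Foo.Bar"],
}}

# Constructed input where every required permission is granted.
allowed_input := {"request": {
	"principalId": "user1",
	"scope": "/workspaces/1/environments/dev/deployments/123",
	"requiredPermissions": ["Deployments.ReadWrite", "Workspaces.Read"],
}}

test_denied_when_any_permission_is_missing if {
	not allow with input as denied_input
	missing_permissions == {"Foo.Bar"} with input as denied_input
}

test_allowed_when_all_permissions_present if {
	allow with input as allowed_input
	count(missing_permissions) == 0 with input as allowed_input
}

test_empty_requirements_are_not_vacuously_allowed if {
	not allow with input as {"request": {"requiredPermissions": []}}
}

test_existential_rule_is_too_permissive if {
	# Demonstrates the bug from the question: allow_any passes the denied input.
	allow_any with input as denied_input
}
```

To evaluate a decision directly, save the policy as `policy.rego`, the question's input as `input.json`, and run `opa eval -d policy.rego -i input.json 'data.authz.allow'`; querying `data.authz.missing_permissions` instead returns `["Foo.Bar"]`, which is the denial reason you would surface to the caller.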