Add support for dynamic metadata in OPA policies #479
Conversation
tjons
force-pushed
the
6209-dynamic-metadata
branch
from
9591afd to
4e7102a
Compare
|
The code looks good! We'll need some docs for that, though, or this fine feature might go unnoticed. Would you be up to raising a companion PR against the OPA docs? 😃 |
|
@srenatus yes, was going to ask about that. I'm adding some additional tests too to |
|
@srenatus see open-policy-agent/opa#6389 for docs PR. I don't think there's a lot of detail needed here but let me know if you think there should be more added. |
There was a problem hiding this comment.
The changes look good. I had just one small comment. Also having test coverage for the boolean policy decision scenario would be good. Then please squash your commits and we can get this in. Thanks @tjons!
envoyauth/response.go
Outdated
| switch decision := result.Decision.(type) { | ||
| case bool: | ||
| if decision { | ||
| return nil, fmt.Errorf("dynamic metadata undefined for simple 'allow'") |
There was a problem hiding this comment.
What about dynamic metadata undefined for simple 'allow' -> dynamic metadata undefined for boolean decision
tjons
force-pushed
the
6209-dynamic-metadata
branch
from
777fd1d to
a3e71fe
Compare
|
updated, squashed and pushed @ashutosh-narkar! looking forward to getting this in :) |
Signed-off-by: tjons <tyler.schade@solo.io>
tjons
force-pushed
the
6209-dynamic-metadata
branch
from
a3e71fe to
41f3797
Compare
|
@ashutosh-narkar done! |
This PR resolves open-policy-agent/opa#6209 by adding a special
dynamic_metadatakeyword to the OPA envoy plugin API. When an evaluated policy returns an object with thedynamic_metadatakeyword, it will be written to the DynamicMetadata field of the returned CheckResponse. This allows users to emit data from OPA policies that can be consumed elsewhere in the envoy filterchain to enable richer and more dynamic auth scenarios.