mirror of
https://github.com/minio/minio.git
synced 2024-12-24 22:25:54 -05:00
Fix OPA result response handling (#7763)
Also update the document with updated rego policy and updated OPA agent REST API. This PR is to fix a regression caused by PR #7637
This commit is contained in:
parent
91ceae23d0
commit
002a205c9c
@ -1,7 +1,7 @@
|
||||
version: '2'
|
||||
services:
|
||||
opa:
|
||||
image: openpolicyagent/opa:0.9.1
|
||||
image: openpolicyagent/opa:0.11.0
|
||||
ports:
|
||||
- 8181:8181
|
||||
command:
|
||||
|
@ -15,7 +15,7 @@ cat >docker-compose.yml <<EOF
|
||||
version: '2'
|
||||
services:
|
||||
opa:
|
||||
image: openpolicyagent/opa:0.9.1
|
||||
image: openpolicyagent/opa:0.11.0
|
||||
ports:
|
||||
- 8181:8181
|
||||
command:
|
||||
@ -45,11 +45,12 @@ package httpapi.authz
|
||||
|
||||
import input as http_api
|
||||
|
||||
allow {
|
||||
input.action = "s3:PutObject"
|
||||
input.owner = false
|
||||
}
|
||||
default allow = false
|
||||
|
||||
allow = true {
|
||||
http_api.action = "s3:PutObject"
|
||||
http_api.owner = false
|
||||
}
|
||||
EOF
|
||||
```
|
||||
|
||||
@ -62,7 +63,7 @@ curl -X PUT --data-binary @putobject.rego \
|
||||
### 4. Setup MinIO with OPA
|
||||
MinIO server expects environment variable for OPA http API url as `MINIO_IAM_OPA_URL`, this environment variable takes a single entry.
|
||||
```
|
||||
export MINIO_IAM_OPA_URL=http://localhost:8181/v1/data/httpapi/authz
|
||||
export MINIO_IAM_OPA_URL=http://localhost:8181/v1/data/httpapi/authz/allow
|
||||
minio server /mnt/data
|
||||
```
|
||||
|
||||
|
@ -2,7 +2,9 @@ package httpapi.authz
|
||||
|
||||
import input as http_api
|
||||
|
||||
allow {
|
||||
input.action = "s3:PutObject"
|
||||
input.owner = false
|
||||
default allow = false
|
||||
|
||||
allow = true {
|
||||
http_api.action = "s3:PutObject"
|
||||
http_api.owner = false
|
||||
}
|
||||
|
@ -20,6 +20,7 @@ import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"io"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"os"
|
||||
|
||||
@ -121,14 +122,36 @@ func (o *Opa) IsAllowed(args Args) bool {
|
||||
}
|
||||
defer o.args.CloseRespFn(resp.Body)
|
||||
|
||||
// Handle OPA response
|
||||
type opaResponse struct {
|
||||
Allow bool `json:"allow"`
|
||||
}
|
||||
var result opaResponse
|
||||
if err = json.NewDecoder(resp.Body).Decode(&result); err != nil {
|
||||
// Read the body to be saved later.
|
||||
opaRespBytes, err := ioutil.ReadAll(resp.Body)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
return result.Allow
|
||||
// Handle large OPA responses when OPA URL is of
|
||||
// form http://localhost:8181/v1/data/httpapi/authz
|
||||
type opaResultAllow struct {
|
||||
Result struct {
|
||||
Allow bool `json:"allow"`
|
||||
} `json:"result"`
|
||||
}
|
||||
|
||||
// Handle simpler OPA responses when OPA URL is of
|
||||
// form http://localhost:8181/v1/data/httpapi/authz/allow
|
||||
type opaResult struct {
|
||||
Result bool `json:"result"`
|
||||
}
|
||||
|
||||
respBody := bytes.NewReader(opaRespBytes)
|
||||
|
||||
var result opaResult
|
||||
if err = json.NewDecoder(respBody).Decode(&result); err != nil {
|
||||
respBody.Seek(0, 0)
|
||||
var resultAllow opaResultAllow
|
||||
if err = json.NewDecoder(respBody).Decode(&resultAllow); err != nil {
|
||||
return false
|
||||
}
|
||||
return resultAllow.Result.Allow
|
||||
}
|
||||
return result.Result
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user