Fix OPA result response handling (#7763)

Also update the document with updated rego policy and updated OPA agent REST API. This PR is to fix a regression caused by PR #7637
2025-11-07 04:42:56 -05:00 · 2019-06-10 17:06:32 -07:00
parent 91ceae23d0
commit 002a205c9c
4 changed files with 43 additions and 17 deletions
--- a/docs/sts/docker-compose.yml
+++ b/docs/sts/docker-compose.yml
@@ -1,7 +1,7 @@
 version: '2'
 services:
  opa:
-    image: openpolicyagent/opa:0.9.1
+    image: openpolicyagent/opa:0.11.0
    ports:
      - 8181:8181
    command:
--- a/docs/sts/opa.md
+++ b/docs/sts/opa.md
@@ -15,7 +15,7 @@ cat >docker-compose.yml <<EOF
 version: '2'
 services:
  opa:
-    image: openpolicyagent/opa:0.9.1
+    image: openpolicyagent/opa:0.11.0
    ports:
      - 8181:8181
    command:
@@ -45,11 +45,12 @@ package httpapi.authz

 import input as http_api

-allow {
- input.action = "s3:PutObject"
- input.owner = false
-}
+default allow = false

+allow = true {
+ http_api.action = "s3:PutObject"
+ http_api.owner = false
+}
 EOF
 ```

@@ -62,7 +63,7 @@ curl -X PUT --data-binary @putobject.rego \
 ### 4. Setup MinIO with OPA
 MinIO server expects environment variable for OPA http API url as `MINIO_IAM_OPA_URL`, this environment variable takes a single entry.
 ```
-export MINIO_IAM_OPA_URL=http://localhost:8181/v1/data/httpapi/authz
+export MINIO_IAM_OPA_URL=http://localhost:8181/v1/data/httpapi/authz/allow
 minio server /mnt/data
 ```

--- a/docs/sts/putobject.rego
+++ b/docs/sts/putobject.rego
@@ -2,7 +2,9 @@ package httpapi.authz

 import input as http_api

-allow {
- input.action = "s3:PutObject"
- input.owner = false
+default allow = false
+
+allow = true {
+ http_api.action = "s3:PutObject"
+ http_api.owner = false
 }