Fix OPA result response handling (#7763)

Also update the document with updated rego policy
and updated OPA agent REST API.

This PR is to fix a regression caused by PR #7637
master
Harshavardhana 6 years ago committed by kannappanr
parent 91ceae23d0
commit 002a205c9c
  1. 2
      docs/sts/docker-compose.yml
  2. 13
      docs/sts/opa.md
  3. 8
      docs/sts/putobject.rego
  4. 37
      pkg/iam/policy/opa.go

@ -1,7 +1,7 @@
version: '2'
services:
opa:
image: openpolicyagent/opa:0.9.1
image: openpolicyagent/opa:0.11.0
ports:
- 8181:8181
command:

@ -15,7 +15,7 @@ cat >docker-compose.yml <<EOF
version: '2'
services:
opa:
image: openpolicyagent/opa:0.9.1
image: openpolicyagent/opa:0.11.0
ports:
- 8181:8181
command:
@ -45,11 +45,12 @@ package httpapi.authz
import input as http_api
allow {
input.action = "s3:PutObject"
input.owner = false
}
default allow = false
allow = true {
http_api.action = "s3:PutObject"
http_api.owner = false
}
EOF
```
@ -62,7 +63,7 @@ curl -X PUT --data-binary @putobject.rego \
### 4. Setup MinIO with OPA
MinIO server expects environment variable for OPA http API url as `MINIO_IAM_OPA_URL`, this environment variable takes a single entry.
```
export MINIO_IAM_OPA_URL=http://localhost:8181/v1/data/httpapi/authz
export MINIO_IAM_OPA_URL=http://localhost:8181/v1/data/httpapi/authz/allow
minio server /mnt/data
```

@ -2,7 +2,9 @@ package httpapi.authz
import input as http_api
allow {
input.action = "s3:PutObject"
input.owner = false
default allow = false
allow = true {
http_api.action = "s3:PutObject"
http_api.owner = false
}

@ -20,6 +20,7 @@ import (
"bytes"
"encoding/json"
"io"
"io/ioutil"
"net/http"
"os"
@ -121,14 +122,36 @@ func (o *Opa) IsAllowed(args Args) bool {
}
defer o.args.CloseRespFn(resp.Body)
// Handle OPA response
type opaResponse struct {
Allow bool `json:"allow"`
}
var result opaResponse
if err = json.NewDecoder(resp.Body).Decode(&result); err != nil {
// Read the body to be saved later.
opaRespBytes, err := ioutil.ReadAll(resp.Body)
if err != nil {
return false
}
return result.Allow
// Handle large OPA responses when OPA URL is of
// form http://localhost:8181/v1/data/httpapi/authz
type opaResultAllow struct {
Result struct {
Allow bool `json:"allow"`
} `json:"result"`
}
// Handle simpler OPA responses when OPA URL is of
// form http://localhost:8181/v1/data/httpapi/authz/allow
type opaResult struct {
Result bool `json:"result"`
}
respBody := bytes.NewReader(opaRespBytes)
var result opaResult
if err = json.NewDecoder(respBody).Decode(&result); err != nil {
respBody.Seek(0, 0)
var resultAllow opaResultAllow
if err = json.NewDecoder(respBody).Decode(&resultAllow); err != nil {
return false
}
return resultAllow.Result.Allow
}
return result.Result
}

Loading…
Cancel
Save