Fix OPA result response handling (#7763)

Also update the documentation with the updated rego policy
and the updated OPA agent REST API.

This PR is to fix a regression caused by PR #7637
master
Harshavardhana 6 years ago committed by kannappanr
parent 91ceae23d0
commit 002a205c9c
  1. 2
      docs/sts/docker-compose.yml
  2. 13
      docs/sts/opa.md
  3. 8
      docs/sts/putobject.rego
  4. 37
      pkg/iam/policy/opa.go

@ -1,7 +1,7 @@
version: '2' version: '2'
services: services:
opa: opa:
image: openpolicyagent/opa:0.9.1 image: openpolicyagent/opa:0.11.0
ports: ports:
- 8181:8181 - 8181:8181
command: command:

@ -15,7 +15,7 @@ cat >docker-compose.yml <<EOF
version: '2' version: '2'
services: services:
opa: opa:
image: openpolicyagent/opa:0.9.1 image: openpolicyagent/opa:0.11.0
ports: ports:
- 8181:8181 - 8181:8181
command: command:
@ -45,11 +45,12 @@ package httpapi.authz
import input as http_api import input as http_api
allow { default allow = false
input.action = "s3:PutObject"
input.owner = false
}
allow = true {
http_api.action = "s3:PutObject"
http_api.owner = false
}
EOF EOF
``` ```
@ -62,7 +63,7 @@ curl -X PUT --data-binary @putobject.rego \
### 4. Setup MinIO with OPA ### 4. Setup MinIO with OPA
MinIO server expects environment variable for OPA http API url as `MINIO_IAM_OPA_URL`, this environment variable takes a single entry. MinIO server expects environment variable for OPA http API url as `MINIO_IAM_OPA_URL`, this environment variable takes a single entry.
``` ```
export MINIO_IAM_OPA_URL=http://localhost:8181/v1/data/httpapi/authz export MINIO_IAM_OPA_URL=http://localhost:8181/v1/data/httpapi/authz/allow
minio server /mnt/data minio server /mnt/data
``` ```

@ -2,7 +2,9 @@ package httpapi.authz
import input as http_api import input as http_api
allow { default allow = false
input.action = "s3:PutObject"
input.owner = false allow = true {
http_api.action = "s3:PutObject"
http_api.owner = false
} }

@ -20,6 +20,7 @@ import (
"bytes" "bytes"
"encoding/json" "encoding/json"
"io" "io"
"io/ioutil"
"net/http" "net/http"
"os" "os"
@ -121,14 +122,36 @@ func (o *Opa) IsAllowed(args Args) bool {
} }
defer o.args.CloseRespFn(resp.Body) defer o.args.CloseRespFn(resp.Body)
// Handle OPA response // Read the body to be saved later.
type opaResponse struct { opaRespBytes, err := ioutil.ReadAll(resp.Body)
Allow bool `json:"allow"` if err != nil {
}
var result opaResponse
if err = json.NewDecoder(resp.Body).Decode(&result); err != nil {
return false return false
} }
return result.Allow // Handle large OPA responses when OPA URL is of
// form http://localhost:8181/v1/data/httpapi/authz
type opaResultAllow struct {
Result struct {
Allow bool `json:"allow"`
} `json:"result"`
}
// Handle simpler OPA responses when OPA URL is of
// form http://localhost:8181/v1/data/httpapi/authz/allow
type opaResult struct {
Result bool `json:"result"`
}
respBody := bytes.NewReader(opaRespBytes)
var result opaResult
if err = json.NewDecoder(respBody).Decode(&result); err != nil {
respBody.Seek(0, 0)
var resultAllow opaResultAllow
if err = json.NewDecoder(respBody).Decode(&resultAllow); err != nil {
return false
}
return resultAllow.Result.Allow
}
return result.Result
} }
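Review bot: The read-then-decode-twice fallback at the end of the hunk can be a single decode into a `json.RawMessage` envelope, which removes `ioutil.ReadAll`, the `bytes.Reader`, the `respBody.Seek(0, 0)` call whose error and offset results are discarded, and the `io/ioutil` import added in the first hunk. Unmarshalling the raw `result` member as a bool first and as `{"allow": ...}` second keeps both URL forms the comments describe and still returns false for an empty `{}` (undefined document) or a malformed body, so the deny-by-default behaviour is unchanged. The comments `// Handle large OPA responses ...` and `// Handle simpler OPA responses ...` describe the shape of the returned document, not its size; `// Data URL ending in /authz returns {"result": {"allow": bool}}` and `// Data URL ending in /authz/allow returns {"result": bool}` state it directly. IsAllowed's signature and the request setup lie above the hunk, so whether a non-2xx status is rejected before the body is decoded cannot be seen here.
```go
	defer o.args.CloseRespFn(resp.Body)
	// Decode once; "result" is a bool for .../authz/allow and an object for .../authz.
	var envelope struct {
		Result json.RawMessage `json:"result"`
	}
	if err = json.NewDecoder(resp.Body).Decode(&envelope); err != nil {
		return false
	}
	var allowed bool
	if err = json.Unmarshal(envelope.Result, &allowed); err == nil {
		return allowed
	}
	var document struct {
		Allow bool `json:"allow"`
	}
	if err = json.Unmarshal(envelope.Result, &document); err != nil {
		return false
	}
	return document.Allow
}
```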
