Tags: opa, open-policy-agent, rego, authzforce

How to import different policies inside OPA rego policy?


I am working on writing new rego policies.

I have a few rules defined in a single policy file, which I want to break into sub-policies and import.

Something like this:

A.rego

package com.example
import com.example.B.evaluate

default allow:= false
allow {
    evaluate
}

B.rego

package com.example

default evaluate:= false
evaluate {
    input.role != "admin" # some condition
}

How to achieve this policy configuration? It's like implementing policySet from authzforce having multiple sub-policies.

Thanks in advance! Please pardon my knowledge of OPA.


Solution

  • When you bundle your policies they will all be combined into one large policy, so they will be segmented based on the package name, not the file name.

    some_name.rego

    package com.example.A
    
    import data.com.example.B.evaluate
    
    default allow := false
    allow {
        evaluate
    }
    

    another_name.rego

    package com.example.B
    
    default evaluate := false
    evaluate {
        input.role != "admin" # some condition
    }
    

    Also shown in our docs here, which I'll admit is a little light. So if there's anything we can add to make it more understandable just let me know!

    https://www.openpolicyagent.org/docs/latest/policy-language/#packages

    Cheers, @peteroneilljr OPA Advocate
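
The layout from the answer above, extended to a policy-set style parent with two sub-policies, as an added example that is not part of the original post or the OPA docs. It assumes the `opa` CLI is on PATH and understands `import rego.v1`; package `com.example.C`, the file name `third_name.rego` and the helper functions `write_policies` and `decide` are hypothetical.

```shell
#!/bin/sh
# Added example: sub-policies are addressed by package path, not file name.
# Assumes the `opa` CLI is on PATH; package C and the helper names are hypothetical.

write_policies() {  # $1 = directory to populate
  cat > "$1/some_name.rego" <<'EOF'
package com.example.A

import rego.v1
import data.com.example.B
import data.com.example.C

default allow := false

# Policy-set style combination: every sub-policy must evaluate to true.
allow if {
    B.evaluate
    C.evaluate
}
EOF
  cat > "$1/another_name.rego" <<'EOF'
package com.example.B

import rego.v1

default evaluate := false

evaluate if input.role != "admin"
EOF
  cat > "$1/third_name.rego" <<'EOF'
package com.example.C

import rego.v1

default evaluate := false

evaluate if input.action == "read"
EOF
}

decide() {  # $1 = policy directory, $2 = input document as JSON
  printf '%s' "$2" | opa eval -d "$1" -I -f raw 'data.com.example.A.allow'
}
```

Calling `decide` with an input that lacks `role` or `action` leaves the corresponding sub-rule undefined, so its `default` applies and the parent decision stays `false`.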