open-policy-agent / contrib

Integrations, examples, and proof-of-concepts that are not part of OPA proper.

Home Page: http://www.openpolicyagent.org/

API Authz token policy does not compile

samdyzon opened this issue

Hi, I've attempted to run the example policy in the api_authz example, but I get the following errors when launching the docker container:

```
opa_1         | error: compile error: 3 errors occurred:
opa_1         | /policy/api_authz_token.rego:7: rego_unsafe_var_error: var _ is unsafe
opa_1         | /policy/api_authz_token.rego:7: rego_unsafe_var_error: var payload is unsafe
opa_1         | /policy/api_authz_token.rego:7: rego_unsafe_var_error: var _ is unsafe
```

Line 7 indicates this is an issue with the results from the io.jwt.decode call. I cannot find any documentation regarding unsafe variables and how to avoid this issue. Is there any further information I could use to solve this issue?

@samdyzon Can you link to the example you are running?

unsafe means OPA can't assign a value to that variable in the rule body.

Here is a link to the Rego Language Reference.

Hey mate,

I'm just running the api_authz example from the OPA contrib repo. I'm running make up-token without any modification and the container throws the errors shown in the initial message. The non-token example (make up) works without issues.

I appreciate any assistance you can offer :)

Have you tried the HTTP API Authorization tutorial from the OPA website? This is more up-to-date.

Yes, I have - the syntax in that tutorial is slightly different, but the result is the same - unsafe variables in the token decoding call.

I assume your docker compose file looks like below:

```yaml
version: '2'
services:
  opa:
    image: openpolicyagent/opa:0.10.5
    ports:
      - 8181:8181
    # WARNING: OPA is NOT running with an authorization policy configured. This
    # means that clients can read and write policies in OPA. If you are
    # deploying OPA in an insecure environment, be sure to configure
    # authentication and authorization on the daemon. See the Security page for
    # details: https://www.openpolicyagent.org/docs/security.html.
    command:
      - "run"
      - "--server"
      - "--log-level=debug"
  api_server:
    image: openpolicyagent/demo-restful-api:0.2
    ports:
      - 5000:5000
    environment:
      - OPA_ADDR=http://opa:8181
      - POLICY_PATH=/v1/data/httpapi/authz
```

Nope, my docker-compose files were using an older version. I submitted a pull-request to fix this for others who might experience the same. Thanks for your help @ashutosh-narkar!
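Added example, not part of the original thread and not the OPA project's code: the three variables named in the compile errors (`_`, `payload`, `_`) correspond to the three values `io.jwt.decode` returns, `[header, payload, sig]`, and that built-in decodes without verifying the signature. The Python sketch below mirrors that output shape on a constructed HS256 token and shows that a tampered payload still decodes; the function names, secret and claims are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_decode_unverified(token: str):
    """Return [header, payload, signature_hex]; no signature check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return [header, payload, b64url_decode(parts[2]).hex()]


def make_hs256_token(payload: dict, secret: bytes) -> str:
    # Builds the constructed sample token used by this example.
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> bool:
    # The algorithm is fixed by the verifier, never read from the token header.
    signing_input, _, sig_segment = token.rpartition(".")
    expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_segment))


if __name__ == "__main__":
    token = make_hs256_token({"user": "alice"}, b"constructed-secret")
    _, payload, _ = jwt_decode_unverified(token)  # same destructuring as the policy
    print(payload, verify_hs256(token, b"constructed-secret"))
```

In a policy, claims taken from `io.jwt.decode` should be trusted only after the token has also passed one of OPA's verification built-ins, such as `io.jwt.verify_hs256`.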