API Authz token policy does not compile
samdyzon opened this issue
Hi, I've attempted to run the example policy in the api_authz example, but I get the following errors when launching the docker container:
opa_1 | error: compile error: 3 errors occurred:
opa_1 | /policy/api_authz_token.rego:7: rego_unsafe_var_error: var _ is unsafe
opa_1 | /policy/api_authz_token.rego:7: rego_unsafe_var_error: var payload is unsafe
opa_1 | /policy/api_authz_token.rego:7: rego_unsafe_var_error: var _ is unsafe
Line 7 indicates this is an issue with the results from the io.jwt.decode call. I cannot find any documentation regarding unsafe variables and how to avoid this issue. Is there any further information I could use to solve this issue?
@samdyzon Can you link to the example you are running?
unsafe means OPA can't assign a value to that variable in the rule body.
Here is a link to the Rego Language Reference.
Hey mate,
I'm just running the api_authz example from the OPA contrib repo. I'm running make up-token without any modification and the container throws the errors shown in the initial message. The non-token example (make up) works without issues.
I appreciate any assistance you can offer :)
Have you tried the HTTP API Authorization tutorial from the OPA website? This is more up-to-date.
Yes, I have - the syntax in that tutorial is slightly different, but the result is the same - unsafe variables in the token decoding call.
I assume your docker compose file looks like below:
version: '2'
services:
  opa:
    image: openpolicyagent/opa:0.10.5
    ports:
      - 8181:8181
    # WARNING: OPA is NOT running with an authorization policy configured. This
    # means that clients can read and write policies in OPA. If you are
    # deploying OPA in an insecure environment, be sure to configure
    # authentication and authorization on the daemon. See the Security page for
    # details: https://www.openpolicyagent.org/docs/security.html.
    command:
      - "run"
      - "--server"
      - "--log-level=debug"
  api_server:
    image: openpolicyagent/demo-restful-api:0.2
    ports:
      - 5000:5000
    environment:
      - OPA_ADDR=http://opa:8181
      - POLICY_PATH=/v1/data/httpapi/authz
Nope, my docker-compose files were using an older version. I submitted a pull-request to fix this for others who might experience the same. Thanks for your help @ashutosh-narkar!