Update docs and server binding addr per OPA v1.0 specs #7140
Conversation
✅ Deploy Preview for openpolicyagent ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
ashutosh-narkar
force-pushed
the
1.0-docs
branch
from
685eef0 to
f660edd
Compare
Yes @anderseknert. We'll add a section for 0.x compatibility later in this PR. |
|
@ashutosh-narkar neat! If you can remember to, ping me when that's in and I'd be happy to review 😃 |
ashutosh-narkar
force-pushed
the
1.0-docs
branch
2 times, most recently
from
73c0bb2 to
7215e50
Compare
| if !addrSetByUser && !rt.Params.V0Compatible && rt.Params.V1Compatible { | ||
| rt.Params.Addrs = &[]string{defaultLocalAddr} | ||
| if !addrSetByUser && rt.Params.V0Compatible { | ||
| rt.Params.Addrs = &[]string{defaultAddr} |
There was a problem hiding this comment.
I wonder, should we really default to 0.0.0.0 if the --v0-compatible flag is set? This has security implications. If you can add --v0-compatible to your command, you can also add --addr ':8181'.
There was a problem hiding this comment.
This is existing behavior which the flag is supposed to maintain. We already have a section on the security implications of this in the docs and we also log a warning on the command line. So I don't see a reason to change this.
docs/content/policy-language.md
Outdated
| ``` | ||
| Name | Description | ||
| --- |---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ||
| Duplicate imports | Duplicate [imports](../policy-language/#imports), where one import shadows another, are prohibited. |
There was a problem hiding this comment.
We should drop this table entry, as this is part of the default v1 constraints.
We could keep it, with a comment, to let users know it's still relevant with --v0-compatible --strict. But maybe it's more clear if that's a separate table. And then it should probably also be put in the v0 migration guide, with just a link here.
There was a problem hiding this comment.
I've reworded this section to align with 1.0
docs/content/policy-language.md
Outdated
| Duplicate imports | Duplicate [imports](../policy-language/#imports), where one import shadows another, are prohibited. | ||
| Unused local assignments | Unused arguments or [assignments](../policy-reference/#assignment-and-equality) local to a rule, function or comprehension are prohibited | ||
| Unused imports | Unused [imports](../policy-language/#imports) are prohibited. | ||
| `input` and `data` reserved keywords | `input` and `data` are reserved keywords, and may not be used as names for rules and variable assignment. |
docs/content/policy-language.md
Outdated
| Unused local assignments | Unused arguments or [assignments](../policy-reference/#assignment-and-equality) local to a rule, function or comprehension are prohibited | ||
| Unused imports | Unused [imports](../policy-language/#imports) are prohibited. | ||
| `input` and `data` reserved keywords | `input` and `data` are reserved keywords, and may not be used as names for rules and variable assignment. | ||
| Use of deprecated built-ins | Use of deprecated functions is prohibited, and these will be removed in OPA 1.0. Deprecated built-in functions: `any`, `all`, `re_match`, `net.cidr_overlap`, `set_diff`, `cast_array`, `cast_set`, `cast_string`, `cast_boolean`, `cast_null`, `cast_object` |
docs/content/v0-compatibility.md
Outdated
| `--rego-v1` flag below. | ||
| - `inspect`: supports Rego v0 syntax modules, use of `import rego.v1` is optional. | ||
| - `parse`: supports Rego v0 syntax modules, use of `import rego.v1` is optional. | ||
| - `run`: supports modules (including discovery bundle) using Rego v0 syntax, use of `import rego.v1` is optional. Binds server listeners to all interfaces by default, rather than localhost. |
There was a problem hiding this comment.
Not sure if we should really bind to all interfaces with the --v0-compatible flag ..
If you can add --v0-compatible to your command, then surely you can add the flag to set an external listener too.
ashutosh-narkar
force-pushed
the
1.0-docs
branch
from
c72434b to
6f8aa58
Compare
ashutosh-narkar
force-pushed
the
1.0-docs
branch
from
8d41fd1 to
aaacc6c
Compare
ashutosh-narkar
force-pushed
the
1.0-docs
branch
from
77a3db8 to
e31b7d3
Compare
ashutosh-narkar
changed the title
|
|
||
| ### v0.x compatibility mode in Rego package | ||
|
|
||
| There are three ways to enable v0.x compatibility mode in the [Rego package](https://pkg.go.dev/github.com/open-policy-agent/opa/rego): |
There was a problem hiding this comment.
I wonder if we need this section at all. The old OPA API will retain the v0 behaviour, and you need to update your code to import the v1 packages to get the new v1 behaviour.
The techniques described here are however a good primer on how to manually control the applied rego-version regardless of whether you're using the v0 or v1 parts of the API. Is there a place where they would fit in?
|
|
||
| ### v0.x compatibility mode in Rego package | ||
|
|
||
| There are three ways to enable v0.x compatibility mode in the [Rego package](https://pkg.go.dev/github.com/open-policy-agent/opa/rego): |
There was a problem hiding this comment.
OK maybe we shouldn't drop the section completely; it's probably worthwhile mentioning that the old parts of the API forks as before, to soothe some nerves.
We're gonna need to find a good place for describing the v1 API, though.
ashutosh-narkar
force-pushed
the
1.0-docs
branch
from
e31b7d3 to
1e835ab
Compare
Maybe Integrating OPA section? |
ashutosh-narkar
force-pushed
the
1.0-docs
branch
from
1e835ab to
427330f
Compare
ashutosh-narkar
force-pushed
the
1.0-docs
branch
from
cfb3749 to
6d9847d
Compare
charlieegan3
force-pushed
the
1.0-docs
branch
from
d8ea86c to
adba53c
Compare
ashutosh-narkar
force-pushed
the
1.0-docs
branch
from
ef9d8b7 to
09d5a2f
Compare
docs/content/cli.md
Outdated
There was a problem hiding this comment.
Will this get regenerated? cc @johanfylling @charlieegan3
There was a problem hiding this comment.
I have rebased and regenerated it now. I have pushed directly to the branch.
This changes updates the docs and all the policy examples in them to be OPA v1.0-compliant. It also binds the OPA server to `localhost` interface by default per OPA v1.0 specs. Co-authored-by: Charlie Egan <[email protected]> Signed-off-by: Ashutosh Narkar <[email protected]>
charlieegan3
force-pushed
the
1.0-docs
branch
from
09d5a2f to
07d416e
Compare
Signed-off-by: Charlie Egan <[email protected]>
This changes updates the docs and all the policy examples in them to
be OPA v1.0-compliant. It also binds the OPA server to
localhostinterface by default per OPA v1.0 specs.
Co-authored-by: Charlie Egan [email protected]
Signed-off-by: Ashutosh Narkar [email protected]