I have written some sample Rego code:

```
default allow = false

allow {
  some username
  input.method = "GET"
  input.path = ["example", username]
  input.user = username
}

allow {
  some username
  input.method = "GET"
  input.path = ["example", username]
  input.user != username
}
```

When I try to validate the policy using the http://localhost:8181/v1/data/http/authz/allow API with the parameters

```
{
  "input": {
    "method": "GET",
    "path": ["example", "sara"],
    "user": "sara"
  }
}
```

and

```
{
  "input": {
    "method": "GET",
    "path": ["example", "sara"],
    "user": "notsara"
  }
}
```

I get the response: `{"decision_id":"xxxxx","result":true}`

Is this the expected result? Shouldn't there be an error if conflicting policies exist?

Will Beason
Sarageorge

1 Answer

When you have multiple definitions for a rule, you are expressing a logical OR. As such, they are not conflicting; they are both evaluated, and if any of the rules matches, your result is positive.

A rule conflict happens when you try defining the same rule as a partial rule and as a complete rule:

```
allow {
  some username
  input.user = username
}

allow[id] {
  some username
  input.user != username
}
```

```
1 error occurred: module.rego:3: rego_type_error: conflicting rules named allow found
```

(the example wasn't very nice and doesn't really make sense, but I guess it works as an example)

Leonardo Dagnino
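The OR behaviour described in the answer, as an added example that is not part of the original question or answer: unit tests show that the question's two bodies together allow any user, and a deny-overrides arrangement (a generalization beyond the answer) makes the mismatch an explicit denial instead. The package name `authz_example` and the rule names `allow_or` and `deny` are hypothetical, and the module uses `import rego.v1`, so rules are written with `if` and `contains` rather than in the older style of the snippets above.

```rego
package authz_example # hypothetical package name

import rego.v1

# The question's two bodies under one rule name: a logical OR.
allow_or if {
  some username
  input.method == "GET"
  input.path = ["example", username]
  input.user == username
}

allow_or if {
  some username
  input.method == "GET"
  input.path = ["example", username]
  input.user != username
}

# Deny-overrides: the mismatch is a separate rule that the decision ANDs in.
deny contains msg if {
  some username
  input.path = ["example", username]
  input.user != username
  msg := sprintf("%s may not read the path of %s", [input.user, username])
}

default allow := false

allow if {
  input.method == "GET"
  input.path = ["example", _]
  count(deny) == 0
}

# Constructed inputs, same shape as the two requests in the question.
own := {"method": "GET", "path": ["example", "sara"], "user": "sara"}
other := {"method": "GET", "path": ["example", "sara"], "user": "notsara"}

test_or_allows_both if {
  allow_or with input as own
  allow_or with input as other
}

test_deny_overrides if {
  allow with input as own
  not allow with input as other
  deny == {"notsara may not read the path of sara"} with input as other
}
```

Saved to a file, the tests run with `opa test -v <file>`.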