Instead of seeing who can access what, I want to set up policies that return how many connections are allowed per second, or how much bandwidth is allowed. How do I define my policies to return values instead of true/false?
1 Answer
Complete rules are just if-then statements that assign a VALUE to a VARIABLE. When the VALUE is omitted, it's implicitly true:

    allow { input.method == "GET" }

Is equivalent to:

    allow = true { input.method == "GET" }

There is nothing special about allow or true though; you could similarly define a rule that sets the connections per second limit:

    connections_per_second = 7 { input.tier == "gold" }

If you have multiple definitions just be aware that only one can succeed (otherwise OPA will raise a conflict error). You need to resolve the conflict inside of your policy. There are different ways of handling this, e.g., default, else, negation, etc.

tsandall
- Thanks :) I see you answering a lot of OPA questions. Is Stack Overflow the best place to ask OPA questions, or is there some place else? – JD Allen Nov 02 '21 at 18:40
- SO is great because then other people can find the answer more easily. If you run into issues or have questions about features, then GitHub is a bit better. For Q&A like this, SO is perfect :) – tsandall Nov 02 '21 at 22:11
- Is there a way to add a schema to the return value? e.g. for cases where I need to return a JSON string, to make sure it has the 'expected' format – mhristache Aug 02 '22 at 19:47
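
A policy combining the points from the answer above (value-returning rules, with `default` and `else` used to keep only one definition succeeding), as an added example that is not code from the answer or from the OPA project. The package name, the tier table and the `suspended` input field are constructed for illustration, and the `if` syntax assumes an OPA version that supports `import rego.v1`.

```rego
package ratelimit

import rego.v1

# Constructed tier table (illustrative values, not from the original answer).
limits := {
    "gold": {"connections_per_second": 7, "bandwidth_mbps": 100},
    "silver": {"connections_per_second": 3, "bandwidth_mbps": 20},
}

# Fallback used when no rule body below succeeds, so the caller always
# receives a number rather than an undefined result.
default connections_per_second := 1

# else chain: bodies are tried in order and the first one that succeeds wins.
# Written as two independent rules (one yielding 0, one yielding 7), a
# suspended gold account would satisfy both and OPA would raise a conflict error.
connections_per_second := 0 if {
    input.suspended == true
} else := n if {
    n := limits[input.tier].connections_per_second
}

default bandwidth_mbps := 5

# Negation: the tier value applies only when the account is not suspended;
# otherwise the default above is returned.
bandwidth_mbps := limits[input.tier].bandwidth_mbps if {
    not input.suspended
}

# A rule can also return a structured value that bundles both limits.
decision := {
    "connections_per_second": connections_per_second,
    "bandwidth_mbps": bandwidth_mbps,
}
```

With input `{"tier": "gold"}`, `data.ratelimit.decision` evaluates to 7 connections per second and 100 Mbps; with `{"tier": "gold", "suspended": true}` it evaluates to 0 and 5. An unknown or missing tier falls through to the defaults, 1 and 5.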