opa icon indicating copy to clipboard operation
opa copied to clipboard

Published 20 hours ago verified publisher icon open-policy-agent

Support wasi for wasm builds

Open kjartanm opened this issue 2 years ago • 3 comments

Support for wasm in OPA is great, and the js loader works well! Thanks! :D

But as support for more 'native' wasm execution on serveless using wasi is getting more support, it would be great if the build process also could support wasi ready builds.

Something like: opa build -t wasi -e example/allow example.rego ?

A usecase is the support for wasi on Cloudflare Workers: https://blog.cloudflare.com/announcing-wasi-on-workers/ where the request body maps to the input document and returns the result?

Support for wasi in OPA would mean that you could directly deploy a service with no JS-glue, and that could work similar to how the REST-API endpoint for query works.

kjartanm avatar Jul 24 '22 14:07 kjartanm

It's on my radar at least. I've been looking into ways to wrap, or basically link, the OPA wasm module into different shells, i.e. wasm modules that call the exported methods, like opa_eval, but expose an ABI that fits into other places. I think that way, we don't have to hardcore "wasi-for-cloudflare", "wasi-for-fastly", "wasi-for-xyz" into the OPA build command, but keep things composable.

Do you have a specific example use in mind?

srenatus avatar Jul 24 '22 14:07 srenatus

Yes, hopefully wasi will reduce the need for vendor specific implementations. Currently it seems using STDIN and STDOUT is the way to go. So a possible test case could be somethning like this:

If we use the Opa REST-API query example as a starting point (https://www.openpolicyagent.org/docs/latest/rest-api/#example-request-10), and compiles it to wasi-enabled wasm, it could be tested in the following way using wasmtime:

echo "{\"user\": [\"alice\"]}" | wasmtime run example1.wasm

should return "hello, alice".

And if this is deployed on cloudflare, the following should be equivalent:

curl -X POST -H "Content-Type: application/json" -d "{\"user\": [\"alice\"]}" http://example1.cloudflare.com
curl -X POST -H "Content-Type: application/json" -d "{\"user\": [\"alice\"]}" https://oparestapi.com/example1

Does this make sense?

kjartanm avatar Aug 28 '22 07:08 kjartanm

It does, but do we know of any other system that works like this? How are headers represented? (WAGI?)

And if this is deployed on cloudflare, the following should be equivalent: [...]

That's true, insofar as data is not involved. So we'd be able to make use of "stateless OPA" only.

srenatus avatar Aug 29 '22 07:08 srenatus

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.

stale[bot] avatar Sep 28 '22 10:09 stale[bot]

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.

stale[bot] avatar Nov 26 '22 13:11 stale[bot]

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.

stale[bot] avatar Apr 07 '23 09:04 stale[bot]