opa icon indicating copy to clipboard operation
opa copied to clipboard

Published 20 hours ago verified publisher icon open-policy-agent

Allow multiple imports on a single line

Open anderseknert opened this issue 1 year ago • 4 comments

It would be nice enhancement if there was support for importing multiple rules, or future keywords on a single line. As it currently stands, explicitly importing all the future keywords — which we recommend over the "catch all" import — plus any rules or functions required from other packages, is a bit verbose, and tends to distract from what's important when demonstrating policy authoring. I.e. rather than having to do something like:

package policy

import future.keywords.every
import future.keywords.contains
import future.keywords.if

import data.other.policy.foo
import data.other.policy.bar as b

deny contains "not on my watch!" if {
    every x in foo {
        x == b
    }
}

One would be able to do something like:

package policy

import future.keywords [every, contains, if]

import data.other.policy [foo, bar as b]

deny contains "not on my watch!" if {
    every x in foo {
        x == b
    }
}

Open to suggestions on the syntax — whatever looks best on a single line is fine with me :)

anderseknert avatar Sep 07 '22 13:09 anderseknert

The obvious alternative... but I don't know python so this might or might not be similar enough.

from future.keywords import [every, contains, if]

srenatus avatar Sep 07 '22 13:09 srenatus

Yeah, that'd be nice... although it would require the use of a new from keyword... and it's not clear how that could be imported

from future.keywords import [from]

😆

anderseknert avatar Sep 07 '22 13:09 anderseknert

There's also Haskell's import syntax. They allow qualified, unqualified, and renamed imports, as well as the ability to import all names except a selection from the other module, which is interesting.

philipaconrad avatar Sep 11 '22 20:09 philipaconrad

Yeah.. another request that's come up a few times is to forbid imports that don't "resolve" to something, like... I guess something close to how PHP differentiates between "import" and "require". Or to be able to exclude something from the stdlib or a keyword, in order to use that for your own custom functions or rules. Both could be useful, but let's keep the scope to multiple imports for this issue 😄

This is not much of a problem in "production" policies, but it would help a lot with providing concise, copy-pasteable snippets, like in the Rego Style Guide, or as shown in presentations and demos.

anderseknert avatar Sep 11 '22 21:09 anderseknert

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.

stale[bot] avatar Oct 19 '22 12:10 stale[bot]

This is quite an interesting one, I might play around with this if its okay and see if I can make something cool :smile:

Parsifal-M avatar Oct 31 '22 14:10 Parsifal-M

I'd love to see it @Parsifal-M 😃

anderseknert avatar Oct 31 '22 16:10 anderseknert

Is there consensus on how to do it? I presume we'll go with

import future.keywords [every, contains, if]

import data.other.policy [foo, bar as b]

srenatus avatar Nov 01 '22 10:11 srenatus

Is there consensus on how to do it? I presume we'll go with

import future.keywords [every, contains, if]

import data.other.policy [foo, bar as b]

question

This is what I had in mind to try out :+1: , LMK if you think otherwise.

Parsifal-M avatar Nov 01 '22 11:11 Parsifal-M

It's fine. I just wanted everyone to be on the same page.

I think an interesting question here is capabilities: How can we introduce this change so that the user can take the capabilities file of some OPA version before this feature was introduced, and have it fail in a sensible way?

(Usually, you'll have a myriad of OPA versions running in your installation, and you'd take the oldest running version's capabilities file when bundling policies for your fleet.)

srenatus avatar Nov 01 '22 11:11 srenatus