opa icon indicating copy to clipboard operation
opa copied to clipboard

Published 20 hours ago verified publisher icon open-policy-agent

Status of the statement "GraphQL API Authorization with OPA is currently experimental"

Open mlcooper opened this issue 4 months ago • 7 comments

What is the underlying problem you're trying to solve?

Hi OPA team, this more of a question. Does this statement still hold true on this page? Is it still officially experimental?

GraphQL API Authorization with OPA is currently experimental and the following tutorial is intended for demonstration purposes only

Describe the ideal solution

Confirm that it is still experimental, or if not, update the document to reflect what state it's in, ie alpha, beta, prod.

mlcooper avatar Feb 12 '24 21:02 mlcooper

I believe it is still experimental but @philipaconrad can you please confirm?

ashutosh-narkar avatar Feb 12 '24 21:02 ashutosh-narkar

Hi there! You're not the first one to ask, so I agree — we should probably phrase that differently. I believe the meaning of that disclaimer is more or less to say that these functions are... different from what one may be used to compared to other built-in functions, as you're basically dealing with an AST represenation. As they are published built-in functions, they're not likely to be removed or anything like that.

anderseknert avatar Feb 12 '24 21:02 anderseknert

So adding more context to that statement would be helpful then.

ashutosh-narkar avatar Feb 12 '24 21:02 ashutosh-narkar

@anderseknert thanks for the clarification. The reason why I'm asking is that we are currently planning on adopting OPA for GraphQL API Authorization, however when we found the "experimental" statement today, it gave us pause. So we wanted to inquire about the status of that statement.

mlcooper avatar Feb 12 '24 22:02 mlcooper

@mlcooper I'd characterize the graphql builtins as fairly stable (we're not going to rip it out any time soon!), but the graphql APIs aren't exactly as user-friendly as most of the other sets of builtin functions in OPA. :sweat_smile: They exist mainly to take an "impossible" situation in Rego (parsing GraphQL) and make it at least possible to do.

As @anderseknert noted, the API requires working with an Abstract Syntax Tree representation of the incoming GraphQL query, which can be inconvenient or difficult in OPA/Rego for some more complex cases.

philipaconrad avatar Feb 14 '24 17:02 philipaconrad

@philipaconrad as this has been raised a few times now, perhaps we should update that text somewhat? I feel like we can explain how they're different (and possibly difficult to use) without labeling them as experimental. It seems unlikely that they'd be removed at this point, or what would you say?

anderseknert avatar Feb 14 '24 17:02 anderseknert

This issue has been automatically marked as inactive because it has not had any activity in the last 30 days. Although currently inactive, the issue could still be considered and actively worked on in the future. More details about the use-case this issue attempts to address, the value provided by completing it or possible solutions to resolve it would help to prioritize the issue.

stale[bot] avatar Mar 16 '24 10:03 stale[bot]