
OPAL .manifest file is in conflict by name with OPA .manifest file

Open ztepsic opened this issue 1 year ago • 3 comments

OPAL defines a .manifest file which conflicts by name with the .manifest file defined by OPA.

It means that you can only have one .manifest file, defined either for OPA or OPAL and not for both.

Example of OPAL .manifest file:

utils.rego
rbac.rego

Example of OPA .manifest file:

{
  "revision" : "7864d60dd78d748dbce54b569e939f5b0dc07486",
  "roots": ["roles", "http/example/authz"]
}

If using the VS Code Open Policy Agent plugin with the "OPA: Test Workspace" command, OPA will complain that the OPAL .manifest file contains invalid content, since it expects JSON:

unable to load bundle file: ...
bundle load failed on manifest decode: invalid character 'some caracter' looking for beginning of value

ztepsic avatar Feb 08 '23 10:02 ztepsic

Hi @ztepsic :) -

You can simply set the OPAL manifest file to a different path using OPAL_POLICY_REPO_MANIFEST_PATH. See the docs here: https://docs.opal.ac/tutorials/track_a_git_repo#policy-bundle-manifest---serving-dependant-policy-modules

Please close this issue if this resolves the problem for you; please share more information if it doesn't.

orweis avatar Feb 08 '23 11:02 orweis

But this is only

> Hi @ztepsic :) -
>
> You can simply set the OPAL manifest file to a different path using OPAL_POLICY_REPO_MANIFEST_PATH. See the docs here: https://docs.opal.ac/tutorials/track_a_git_repo#policy-bundle-manifest---serving-dependant-policy-modules
>
> Please close this issue if this resolves the problem for you; please share more information if it doesn't.

This can be a solution only for the OPAL root .manifest file, but there can be OPAL .manifest files in subfolders, which also causes issues.

The format of the .manifest file you should adhere to:

  • File encoding should be standard (i.e: UTF-8)
  • Lines should be separated with newlines (\n character)
  • Each line should contain a path, relative to the .manifest file, which could be one of the following:
    • A policy / data file (i.e: a .rego file or data.json file).
    • A folder, containing another .manifest file to be loaded recursively.
  • File paths should appear in the order you want to load them into OPA.
  • If your root .manifest file is at another path, you can set another value to the env var OPAL_POLICY_REPO_MANIFEST_PATH (either a file path, or a folder path containing a .manifest file).

ztepsic avatar Feb 08 '23 12:02 ztepsic

True - you can have sub-manifest files - but you don't have to - you can use one just in the root folder.

I guess we can add an option via another ENV_VAR to search for a different file name in the recursive folders: https://github.com/permitio/opal/blob/422d45cd4edd72ead23e2de42cb4d3d1887d8ac2/packages/opal-common/opal_common/git/bundle_maker.py#L92

Would you be interested in doing a Pull-Request for this?

I'm also open to other solutions you'd like to suggest.

orweis avatar Feb 08 '23 12:02 orweis
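
The name clash from the original report and the manifest format rules quoted in this thread, as an added example (not code from OPAL or OPA, and not how OPAL's bundle_maker.py works): Python that classifies each .manifest as an OPA JSON manifest or an OPAL path list and expands an OPAL manifest, including sub-folder manifests, in load order. The function names, folder names and file contents are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

MANIFEST = ".manifest"  # the file name both OPA bundles and OPAL use

def classify(path: Path) -> str:
    """'opa' if the file is a JSON object, else 'opal' (newline-separated paths)."""
    try:
        doc = json.loads(path.read_text(encoding="utf-8"))
    except json.JSONDecodeError:  # same kind of decode failure OPA reports on an OPAL file
        return "opal"
    return "opa" if isinstance(doc, dict) else "opal"

def load_order(manifest: Path, seen=None) -> list:
    """Expand an OPAL manifest into the ordered list of files it names."""
    seen = set() if seen is None else seen
    if manifest.resolve() in seen:  # manifests that include each other
        return []
    seen.add(manifest.resolve())
    if classify(manifest) != "opal":
        raise ValueError(f"{manifest}: JSON manifest, not an OPAL path list")
    files = []
    lines = manifest.read_text(encoding="utf-8").split("\n")
    for entry in filter(None, map(str.strip, lines)):  # skip blank lines
        target = manifest.parent / entry  # paths are relative to the manifest
        if target.is_dir():  # folder entry: load its own .manifest recursively
            files += load_order(target / MANIFEST, seen)
        else:
            files.append(target)
    return files

def demo() -> dict:
    """Constructed repo: OPAL manifests in root and lib/, OPA manifest in bundle/."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "lib").mkdir()
        (root / "bundle").mkdir()
        (root / MANIFEST).write_text("utils.rego\nlib\nrbac.rego\n")
        (root / "lib" / MANIFEST).write_text("helpers.rego\n")
        (root / "bundle" / MANIFEST).write_text('{"revision": "r1", "roots": ["roles"]}')
        kinds = {p.relative_to(root).as_posix(): classify(p) for p in root.rglob(MANIFEST)}
        order = [f.relative_to(root).as_posix() for f in load_order(root / MANIFEST)]
        try:
            load_order(root / "bundle" / MANIFEST)
            rejected = False
        except ValueError:
            rejected = True
        return {"kinds": kinds, "order": order, "opa_rejected": rejected}
```

Running `classify` over every .manifest in a policy repo before pointing either tool at it shows which folders hold a file the other tool will fail to parse.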