opal
OPAL needs to alert the user if the policy bundle is invalid
For example - if multiple .rego files have the same package name - OPAL will not complain but OPA will not allow it. So, invalid configuration is caught during runtime - it should be caught during startup.
E.g., in a multi-tenant policy setup, /global/rbac.rego should have a different package name than /tenants/tenant1/rbac.rego - otherwise OPA will return 400 when applying the bundle.
Need to think how to avoid drift from OPA - i.e. if we rebuild the rules for a valid bundle into OPAL, it will end up gradually drifting from OPA as the folks there update the project. Also there might be a difference of valid policies between versions of OPA.
Ideally, if we can have OPAL test this via OPA and communicate back its response, it would probably be better.
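A startup check for the condition described in the issue (several .rego files declaring the same package name), as an added example that is not OPAL's code and not part of the comments above. The function names and the sample bundle are constructed for illustration; the check only reports shared package names and does not replace validation by OPA itself.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Matches a Rego package declaration at the start of a line, e.g. "package tenants.rbac".
PACKAGE_RE = re.compile(r"^\s*package\s+([A-Za-z_][\w.]*)", re.MULTILINE)


def declared_package(source):
    """Return the package declared in Rego source, ignoring '#' comment lines."""
    code = "\n".join(
        line for line in source.splitlines() if not line.lstrip().startswith("#")
    )
    match = PACKAGE_RE.search(code)
    return match.group(1) if match else None


def find_shared_packages(bundle_root):
    """Map each package name declared by more than one .rego file to those files."""
    root = Path(bundle_root)
    by_package = defaultdict(list)
    for path in sorted(root.rglob("*.rego")):
        pkg = declared_package(path.read_text(encoding="utf-8"))
        if pkg is not None:  # files without a package declaration are skipped here
            by_package[pkg].append(path.relative_to(root).as_posix())
    return {pkg: files for pkg, files in by_package.items() if len(files) > 1}


def build_sample_bundle(root):
    """Write a constructed sample bundle using the layout mentioned in the issue."""
    files = {
        "global/rbac.rego": "# global rules\npackage rbac\n\ndefault allow = false\n",
        "tenants/tenant1/rbac.rego": "package rbac\n\ndefault allow = false\n",
        "tenants/tenant2/rbac.rego": "package tenants.tenant2.rbac\n\ndefault allow = false\n",
    }
    for rel, text in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_bundle(tmp)
        for pkg, files in find_shared_packages(tmp).items():
            print(f"package {pkg!r} is declared in: {', '.join(files)}")
```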