As mentioned in #1443 it's possible to implement an IAM-like policy and use partial evaluation to get good performance as long as subject/action/resource matching is limited to equality matching. However, currently, if matching is based on glob.match or regex the performance is poor because the rule indexer is ineffective.
We can extend the rule index to support the glob.match built-in function by generalizing the trie build step in the rule index.
The rule indexer can be extended to add edges in the trie for the pattern operand by representing the pattern string as an array (e.g., "foo:*:bar" becomes ["foo", _, "bar"]).
In the initial implementation we can leave super globs out.
These changes update the rule index to support glob.match calls. The
changes update the build step to transform glob.match(pattern,
delimiter, match) calls into ref/value pairs like equality
expressions. In addition, the build step creates a mapper function
that transforms resolved values into lookup values during traversal.
As part of these changes, the build operation has been refactored so
that most of the process is encapsulated by a new refindices struct
that's separate from the actual rule index/trie. Hopefully this makes
the code easier to follow.
The index build step for glob.match only recognizes statements where
the match operand was given as a reference (and then was rewritten by
the earlier step in the compiler.) If this is too brittle we could
revisit the build step and close over all intermediate assignments.
Fixes open-policy-agent#1496
Signed-off-by: Torin Sandall <torinsandall@gmail.com>
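An added example, not code from OPA or from the commit above, of the trie the issue describes: each pattern is split on the delimiter into edges, `*` becomes a wildcard edge, and a lookup returns only the rules that still need a real glob.match evaluation. `Index`, `Add`, `Lookup` and the rule names are hypothetical; patterns the trie cannot represent (super globs among them) are kept as always-returned candidates so the index never drops a rule that could match.

```go
package main

import "strings"

// Index is a hypothetical trie node (not OPA's type); key "*" is the wildcard edge.
type Index struct {
	edges  map[string]*Index
	rules  []string // rules whose pattern ends at this node
	always []string // root only: unindexed rules, candidates on every lookup
}

func NewIndex() *Index { return &Index{edges: map[string]*Index{}} }

// Add files rule under pattern split on delim: "foo:*:bar" -> ["foo", *, "bar"].
func (ix *Index) Add(rule, pattern, delim string) {
	n := ix
	for _, s := range strings.Split(pattern, delim) {
		if s != "*" && strings.ContainsAny(s, `*?[]{}\`) { // super glob, class, escape
			ix.always = append(ix.always, rule) // nodes made so far stay empty
			return
		}
		if n.edges[s] == nil {
			n.edges[s] = NewIndex()
		}
		n = n.edges[s]
	}
	n.rules = append(n.rules, rule)
}

// Lookup takes the value already split on delim and returns candidate rules.
func (ix *Index) Lookup(segs []string) []string {
	if ix == nil {
		return nil
	}
	out := append([]string(nil), ix.always...)
	if len(segs) == 0 {
		return append(out, ix.rules...)
	}
	out = append(out, ix.edges["*"].Lookup(segs[1:])...)
	if segs[0] != "*" { // a literal "*" in the value must not take the edge twice
		out = append(out, ix.edges[segs[0]].Lookup(segs[1:])...)
	}
	return out
}

func main() {
	ix := NewIndex()
	ix.Add("r1", "foo:*:bar", ":") // constructed sample rule
	println(strings.Join(ix.Lookup(strings.Split("foo:x:bar", ":")), ","))
}
```

The returned rules are candidates only: each one still has to be evaluated with the real glob.match, which matters most for the unindexed ones.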