Provide headers in input to authorization policy #1456
These changes update the server to include request headers in the authorization input document. Fixes open-policy-agent#1456 Signed-off-by: Torin Sandall <torinsandall@gmail.com>
Hi there @tsandall. I've seen a few questions around how to access the http headers from an OPA policy rego and came upon this thread. I had thought that I might be able to access the incoming http headers via input.headers, or input.request.headers in my own custom policies, but am I right in thinking that the headers are actually only available to the system.authz policy? Whereas if I write my own policy, e.g. phil.rego, if I want it to have access to the http headers, the consumer has to provide them as part of the input object? There are other references to an envoy plugin, but I'm presuming that's doing some sort of proxying where it takes the actual http headers and adds them to the input object, then forwards on to OPA? Thanks in advance
@phil-lee-kb that's correct — you'll need to provide any data required for evaluation as part of the request body. Remember that running as a server is only one of many ways OPA may operate, and having headers included in the input would couple your policy to a single mode of operation (
Having the client add relevant data to the body might be a bit of a burden, but the upside is that your policy isn't coupled to any specific evaluation context, and may run in any of the above.
Thank you @anderseknert 😄 When you put it in that context, it makes perfect sense that the headers aren't available. And also makes for a consistent experience across things like the rego playground and when running OPA itself
Currently the HTTP server does not provide the HTTP headers of incoming requests to the authorization policy. If users want to inspect custom headers to control access to OPA itself, they cannot. We can extend OPA to expose the headers to the policy as a map of string arrays.
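As an added illustration of the shape described above (headers exposed to the authorization policy as a map of string arrays), here is a small Go example, not the PR's own code: it builds an input document from an incoming request and shows the kind of header check a system.authz policy would then be able to express. The `method` and `path` fields and the `AuthzInput` type are assumptions for this example; the thread only states that headers are included.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// AuthzInput is the document handed to the authorization policy.
// Field names are assumptions for this example; headers as
// map[string][]string is the "map of string arrays" the issue describes.
type AuthzInput struct {
	Method  string              `json:"method"`
	Path    []string            `json:"path"`
	Headers map[string][]string `json:"headers"`
}

// NewAuthzInput builds the policy input from an incoming request.
func NewAuthzInput(r *http.Request) AuthzInput {
	// Copy the header map so the policy input never aliases server state.
	headers := make(map[string][]string, len(r.Header))
	for k, v := range r.Header {
		headers[k] = append([]string(nil), v...)
	}
	return AuthzInput{
		Method:  r.Method,
		Path:    strings.Split(strings.Trim(r.URL.Path, "/"), "/"),
		Headers: headers,
	}
}

// HasHeaderValue is the Go equivalent of a policy rule such as
// `input.headers["X-Team"][_] == "platform"` (assumed Rego). Go's net/http
// canonicalises header names, so the lookup canonicalises too.
func HasHeaderValue(in AuthzInput, name, want string) bool {
	for _, v := range in.Headers[http.CanonicalHeaderKey(name)] {
		if v == want {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample request; no network access needed.
	req := httptest.NewRequest("GET", "/v1/data/example", nil)
	req.Header.Add("X-Team", "platform")
	in := NewAuthzInput(req)
	fmt.Println(in.Method, in.Path, HasHeaderValue(in, "x-team", "platform"))
}
```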