When I was upgrading OPA to the version after 0.57.0, the custom input.other_token field in my code stopped working. The input is passed from the request after starting OPA. Now it cannot be started.
Examples:
Version: all versions after 0.57.0
Input: {"input": {"other_token": "Bearer xxx"}}
Policy:
bearer_token = t {
    v := input.other_token
    startswith(v, "Bearer ")
    t := substring(v, count("Bearer "), -1)
}
Hi there! That schema is only checked for the system.authz package, which is used for authentication/authorization policies protecting OPA's own REST API. Using that package name for other purposes is not recommended, so if that's the case I would suggest renaming it to something else.
Thank you, I am not defined in system.authz; I am defined in jwt.rego. However, I imported data.utils.jwt in system.authz, which is why there is this issue. Because I want to share the jwt verify related code between system.authz and user policy checks.
That's interesting, and certainly a reasonable thing to do. I guess the workaround is to disable the schema check like you do already, but I wonder what a better solution would look like. We could do the check only on system.authz and sub-modules, but OTOH, there might be cases where you want to have the schema check extend also to dependencies 🤔
Expected behavior
OPA can start.
Additional context
I found it can be started by adding --skip-known-schema-check, but this is not safe. I wonder if this can be resolved at the code level?