Add support for deleting data when publishing data updates #430

Open
maurice-freitag opened this issue Apr 12, 2023 · 1 comment

maurice-freitag commented Apr 12, 2023

It is currently not possible to delete data in OPA once it has been added. The REST API supports this, the OPAL server's API does not. A workaround is to set the affected document to null or an empty array but, depending on the use-case, this is not ideal.

Example:

Given this data:

{ 
  "tenants": {
    "tenantA": { 
      "users": { 
        "userA": ["some_permission", "some_other_permission"], 
        "userB": [ "..." ] 
      }
    } 
  }
}

I would like to send a data update to the OPAL server that tempts the OPAL clients to call the aforementioned DELETE API in OPA:

{
    "entries": [
        {
           "topics": [ "users" ],
           "dst_path": "/tenants/tenantA/users/userA",
           "save_method": "DELETE"
        }
    ]
}

This is currently not an option and we're stuck with updating the data to reflect the change:

{
    "entries": [
        {
           "url": "http://some-api/tenants/tenantA/users/userA", // doesn't point to anything as the user has been deleted
           "topics": [ "users" ],
           "data": [],
           "dst_path": "/tenants/tenantA/users/userA",
           "save_method": "PUT"
        }
    ]
}

We're left with the following data:

{ 
  "tenants": {
    "tenantA": { 
      "users": { 
        "userA": [ ], 
        "userB": [ "..." ] 
      }
    } 
  }
}

...which in our case inadvertently has an impact on our policies as we check for a user's mere existence within a tenant.

Requested changes to the public API:

  • valid save_method values should include "DELETE"
  • DataSourceEntry.url is required. Should be optional when using save_method="DELETE"
  • possibly change some wording, e.g. save_method and dst_path don't really make sense in the context of deleting data

Plus whatever is necessary internally to have the OPAL clients request deletion of the affected data in OPA. I'd be willing to open a PR if this change makes sense to you.
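
As an added illustration (not part of the issue or of the OPAL code base): a simplified in-memory model of the two outcomes described above, showing why an existence-style check still passes after the PUT workaround but not after a real delete. The helper names `put`, `delete`, `user_exists` and `compare` are hypothetical, and the path handling is a stand-in for OPA's data store, not its implementation.

```python
import copy

# Constructed sample: the data document shown in the issue.
SAMPLE = {"tenants": {"tenantA": {"users": {
    "userA": ["some_permission", "some_other_permission"],
    "userB": ["..."],
}}}}

def _parent(doc, path, create=False):
    """Resolve a /-separated path to (parent dict or None, final key)."""
    *parents, last = [p for p in path.split("/") if p]
    for key in parents:
        if key not in doc:
            if not create:
                return None, last
            doc[key] = {}
        doc = doc[key]
    return doc, last

def put(doc, path, value):
    """Model of PUT: create or overwrite the document at path."""
    parent, key = _parent(doc, path, create=True)
    parent[key] = value

def delete(doc, path):
    """Model of DELETE: remove the key itself. Returns False if it was absent."""
    parent, key = _parent(doc, path)
    if parent is None or key not in parent:
        return False
    del parent[key]
    return True

def user_exists(doc, tenant, user):
    """Existence-style policy check: only asks whether the key is present."""
    return user in doc.get("tenants", {}).get(tenant, {}).get("users", {})

def compare(path="/tenants/tenantA/users/userA"):
    """Apply the workaround and a real delete to separate copies of SAMPLE."""
    workaround, deleted = copy.deepcopy(SAMPLE), copy.deepcopy(SAMPLE)
    put(workaround, path, [])   # what the PUT-with-empty-data update leaves behind
    delete(deleted, path)       # what the requested DELETE would leave behind
    return {
        "workaround": user_exists(workaround, "tenantA", "userA"),
        "deleted": user_exists(deleted, "tenantA", "userA"),
        "userB_untouched": deleted["tenants"]["tenantA"]["users"]["userB"] == ["..."],
    }

if __name__ == "__main__":
    print(compare())
```

With the workaround the `userA` key survives with an empty permission list, so any policy that treats presence under a tenant as membership keeps matching a user who has been removed upstream.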

Contributor

orweis commented Apr 12, 2023

Thanks for opening this @maurice-freitag.

If you're willing to open a PR - that would be even more appreciated. 💪🙏

How about we keep 'save_method' as is for backward compatibility, and add something else (e.g. 'operation') that, if included, ignores save-method.
