Translate api not working for a deny policy
I am testing the translate api for 2 simple cases:
- Add two simple partition search policy rego files:
search1.rego:
    package osdu.partition["osdu"].search1

    default allow = false

    allow = true {
        input.operation == "view"
        input.record.acl.viewers[_] == input.groups[_]
    }
search2.rego (call it a deny policy):
    package osdu.partition["osdu"].search2

    default allow = false
    default deny = false

    deny = true {
        input.operation == "view"
        input.record.acl.viewers[_] == input.groups[_]
    }

    allow = true {
        deny == false
    }
- Call translate api for the following input file against policy 'search1':
search_input1.json:
    {
      "query": "data.osdu.partition[\"osdu\"].search1.allow == true",
      "input": {
        "operation": "view",
        "groups": [
          "data.default.owners@osdu.example.com",
          "data.default.viewers@osdu.example.com"
        ]
      },
      "unknowns": [
        "input.record"
      ]
    }
The translate api returns the good ES subquery:
    {
      "query": {
        "bool": {
          "should": [
            {
              "bool": {
                "filter": [
                  {
                    "terms": {
                      "acl.viewers": [
                        "data.default.owners@osdu.example.com",
                        "data.default.viewers@osdu.example.com"
                      ]
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
- Call translate api for the following input file (same as in step 2) against policy 'search2':
search_input2.json:
    {
      "query": "data.osdu.partition[\"osdu\"].search2.allow == true",
      "input": {
        "operation": "view",
        "groups": [
          "data.default.owners@osdu.example.com",
          "data.default.viewers@osdu.example.com"
        ]
      },
      "unknowns": [
        "input.record"
      ]
    }
The translate api returns the error msg:
{"detail":"An error occurred when talking translate service. 'data'"}
We are expecting it to return a query like:
    {
      "query": {
        "bool": {
          "must_not": [
            {
              "bool": {
                "should": [
                  {
                    "bool": {
                      "filter": [
                        {
                          "terms": {
                            "acl.viewers": [
                              "data.default.owners@osdu.example.com",
                              "data.default.viewers@osdu.example.com"
                            ]
                          }
                        }
                      ]
                    }
                  }
                ]
              }
            }
          ]
        }
      }
    }
The current translate API does not seem to work against a deny policy.
Edited by Dadong Zhou
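
The two query shapes in this issue can be checked against sample records to confirm that the expected `must_not` form selects exactly the records the allow form rejects. This is an added example, not part of the original issue and not the translate service's code; the evaluator, the function names and the records `r1`..`r3` are constructed for illustration.

```python
# Added example (not the translate service's code): a tiny evaluator for the
# Elasticsearch bool-query subset on this page: terms, filter, should, must_not.
GROUPS = ["data.default.owners@osdu.example.com",
          "data.default.viewers@osdu.example.com"]
# Constructed sample records; ids and ACL values are illustrative only.
RECORDS = {
    "r1": {"acl": {"viewers": ["data.default.viewers@osdu.example.com"]}},
    "r2": {"acl": {"viewers": ["data.other.viewers@osdu.example.com"]}},
    "r3": {"acl": {}},  # record with no viewers ACL at all
}

def get_field(record, dotted):
    """Resolve a dotted path such as 'acl.viewers'; missing fields yield []."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return []
        cur = cur[part]
    return cur if isinstance(cur, list) else [cur]

def matches(clause, record):
    """Return True if the record satisfies the query clause."""
    if "terms" in clause:
        return all(set(get_field(record, field)) & set(values)
                   for field, values in clause["terms"].items())
    if "bool" in clause:
        b = clause["bool"]
        required = b.get("filter", []) + b.get("must", [])
        if not all(matches(q, record) for q in required):
            return False
        if any(matches(q, record) for q in b.get("must_not", [])):
            return False
        # Without must/filter clauses, at least one should clause has to match.
        if b.get("should") and not required:
            return any(matches(q, record) for q in b["should"])
        return True
    raise ValueError(f"unsupported clause: {sorted(clause)}")

def allow_query(groups):
    """Inner bool query the issue shows for search1."""
    terms = {"terms": {"acl.viewers": groups}}
    return {"bool": {"should": [{"bool": {"filter": [terms]}}]}}

def deny_query(groups):
    """Inner bool query the issue expects for search2: the same match, negated."""
    return {"bool": {"must_not": [allow_query(groups)]}}

def select(query):
    """Ids of the sample records that the query returns."""
    return sorted(rid for rid, rec in RECORDS.items() if matches(query, rec))
```

Note that the negated form also returns `r3`, a record with no `acl.viewers` field at all.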