-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
wasm/PE question #5556
Comments
The optimization build assumes that all that is known can be evaluated already. The optimizer tries to figure out the unknowns on its own, and uses this method:
So if you build your optimized bundle from just the one rego file, the bundle root is Now, doing partial evaluation with the assumption that only package test
default doc_allow = false because since However, the outcome you get for building the wasm bundle is still a surprise to me, since it works locally here. What's your OPA version?
The policy.wasm file is the compiled policy, and it needs to know how to display errors. I'm afraid your digging the wrong whole there. If you want to examine the output of PE, check What you need to do is to declare your bundle's roots in a bundle manifest, and repeat the steps above. If the manifest is correct and declares a bundle root different from |
Thank you, Stephan, for the detailed explanation. When I open policy file which extracted from bundle.tar.gz .
Do you mean bundle.tar.gz(wasm) retained "unknows" -> data.c.tent, the partial evaluation will work? I'd like to test it out before moving the second step(dotnet-opa-wasm change. Do you have any easy way to test it out ? Let me further simplify test.rego
For the test policy, I provide. the unknown is "data.c.tent" (partial evaluation),
Again, many thanks! |
What you find in the policy.wasm file is irrelevant. The strings need to be there in case that error happens in the evaluation of the wasm bundle. Have you tried setting bundle roots for the first step? |
Thank you, Stephan! I'm able to get bundle.tar.gz based on your steps. I'm just wondering if I can test if partial evaluation working before going to the next step (dotnet-opa-wasm change). |
OK taking a step back here -- before you run into the wrong direction because I've misguided you: What is it you're trying to achieve with partial evaluation? |
I tried to leverage partial evaluation results to generate cosmos DB query's where clause. Here is my example with no wasm, opa run as sidecar: test.rego
This is data mapping (data.reports)
Here is OPA compile post request
(input.json)
Parser the Result Queries
so the cosmosDB query will be
The reason we use wasm is we do not want to run opa as sidecar.
Please reference: |
OK, so we've taken the wrong turn here:
Wasm bundles by their very nature are compiled policies. There's no way to partially evaluate them, because all the original Rego is gone. Hence there is nothing to be done in any of the Wasm SDKs to fix this. The only thing you could try here, I suppose, is to compile the topdown interpreter, i.e. the thing that does the partial evaluation in OPA, into Wasm, using golang's Wasm support. However, that's not a thing anybody tried before, so I'm not aware of how bumpy that road is going to be. |
We adopt Partial Evaluation (performance reason) while opa run as a sidecar. but some of our use cases do not support sidecars. so we have to run everything in one process. that's why we decide to opa build as wasm bundle. We expected the same policy eval have some results. |
@srenatus Can you suggest if there is any other approach partial evaluation work but OPA and app(dotnet) run in one process? |
You cannot put the interpreter that's doing the partial evaluation, a golang library, into any other program, I'm afraid. You could go the experimental topdown-via-wasm route outlined above. That aside, there might be more to explore between embedding (which might be impossible) and having a side-car. Like, can you shell out an |
Do you mean dotnet app to invoke Golang should work but there is some effort there.
|
I just want to be on the same page #3407 Support Partial Evaluation in WASM is impossible, right? If yes, I suggested documenting it. |
Yes. Your golang example would roughly translate to this (with input.json containing your
|
Thank you, Stephan. I need help here on cli opa eval. Based on rego, data and input defined here : #5556 (comment)
I always got
I tried --format as source but get empty return.
|
That rego file needs different unknowns. I've come up with those parameters based on your Golang calls from #5556 (comment) Try |
Thank you.
and
I did not get the expected partial eval result but result like below
|
|
I got the same result after add "-u data.data" (-u data.c,data.data get error)
|
OK I took another stab at it. I hadn't noticed that your reports are known. Try this: test.rego package test
default doc_allow := false
doc_allow := true {
input.operation == "read"
data.c.tent == data.reports[input.doc.id]
} reports.json {
"reports": {
"2": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxa",
"3": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxb"
}
} input.json {
"operation": "read",
"doc": {
"id": "2"
}
} ⏬
|
Thank you so much! |
Please be aware that there are other output formats: Source:
JSON (default):
|
Thank you so much for your great help, Stephan! It is not an easy job to make partial evaluation CLI work with all these combinations of parameters. |
Happy to see things resolved eventually. If there's anything left actionable here, let me know, and I'll reopen. Closing for now :) |
I tried your workaround (#3407 (comment)), but unfortunately, partial evaluation is still not retained.
test.rego is my test rego policy which contains partial evaluation:
Here is I executed your suggested commands
opa build -e "test/doc_allow" -O2 -o bundle.tar.gz test.rego
->it did generate bundle.tar.gz
opa build -t wasm -e "test/doc_allow" bundle.tar.gz
error: entrypoint "test/doc_allow" does not refer to a rule or policy decision
-> partial evaluation is not retained.
I dig a little bit more. I saw "policy.wasm" contains error like "ï�result op query doc id c tent data � � � PÒ� � � WÒ� � � ZÒ� � � `Ò� � � dÒ� � � gÒ� � � iÒ� � � nÒ� test.rego test/doc_allow var assignment conflict object insert conflict internal: illegal entrypoint id A¿¦
#{"g0": {"test": {"doc_allow": 74}}} "
Here are the steps how I got policy.wasm and found the error:
Originally posted by @pzou19741 in #3407 (comment)
The text was updated successfully, but these errors were encountered: