Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rego: Parse store modules iff modules set on the Rego object #6081

Merged
merged 1 commit into from Jul 7, 2023
Merged

rego: Parse store modules iff modules set on the Rego object #6081

merged 1 commit into from Jul 7, 2023

Conversation

ashutosh-narkar
Copy link
Member

Currently we parse store modules irrespective of whether there are modules on the Rego object. This will result in the compilation of those modules which triggers the bundle activation flow. Now as part of the module compilation we interact with the compiler's modules and run compilation on the input modules. If let's say there are concurrent health check requests (ie. /v1/health), this could result in a race during the compilation process while working with the compiler's modules.

This change avoids this situation by skipping parsing of the store modules when none are set on the Rego object. The assumption this change makes is that while using the rego package the compiler and store are kept in-sync.

Fixes: #5868

Notes to assist PR review:

The PR reverts this change. The following sample code provides one way to address the issue mentioned in #5511:

package main

import (
	"context"
	"fmt"

	"github.com/open-policy-agent/opa/ast"
	"github.com/open-policy-agent/opa/rego"
	"github.com/open-policy-agent/opa/storage"
	"github.com/open-policy-agent/opa/storage/inmem"
)

func main() {
	ctx := context.Background()

	store := inmem.New()

	txn, err := store.NewTransaction(ctx, storage.WriteParams)
	if err != nil {
		panic(err)
	}

	err = store.UpsertPolicy(ctx, txn, "a.rego", []byte("package a\ndefault allow := true"))
	if err != nil {
		panic(err)
	}

	err = store.Commit(ctx, txn)
	if err != nil {
		panic(err)
	}

	compiler, err := ast.CompileModules(map[string]string{
		"a.rego": "package a\ndefault allow := true",
	})

	if err != nil {
		panic(err)
	}

	query := rego.New(
		rego.Store(store),
		rego.Compiler(compiler),
		rego.Query("data.a.allow"),
	)

	results, err := query.Eval(ctx)
	if err != nil {
		panic(err)
	}

	fmt.Println("allowed:", results.Allowed())
}
Outtput:

allowed: true

@netlify
Copy link

netlify bot commented Jul 7, 2023
edited

Deploy Preview for openpolicyagent ready!

Name Link
🔨 Latest commit a1f687b
🔍 Latest deploy log https://app.netlify.com/sites/openpolicyagent/deploys/64a76edd8ac9130008389892
😎 Deploy Preview https://deploy-preview-6081--openpolicyagent.netlify.app/docs/edge/configuration
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@ashutosh-narkar
rego: Parse store modules iff modules set on the Rego object
a1f687b 
Currently we parse store modules irrespective of whether
there are modules on the Rego object. This will result in
the compilation of those modules which triggers the bundle
activation flow. Now as part of the module compilation
we interact with the compiler's modules and run compilation
on the input modules. If let's say there are concurrent health
check requests (ie. /v1/health), this could result in a race
during the compilation process while working with the compiler's
modules.

This change avoids this situation by skipping parsing of the store
modules when none are set on the Rego object. The assumption this
change makes is that while using the rego package the compiler and
store are kept in-sync.

Fixes: open-policy-agent#5868

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
@ashutosh-narkar ashutosh-narkar merged commit 20612bb into open-policy-agent:main Jul 7, 2023
25 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@srenatus srenatus srenatus approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

fatal error: concurrent map iteration and map write
2 participants
@ashutosh-narkar @srenatus