Fail on unknown METADATA attributes when using strict-mode #5411
Comments
Great idea! Before introducing this additional strict mode check, though, I would advocate for an option to disable/ignore this specific check (at least temporarily), perhaps via OPA config. Reasoning: Once this metadata check is introduced, a project in the middle of this transition and currently running OPA in strict mode for other checks would now receive compiler errors. This would force the project maintainers to either:

Neither of those scenarios is desirable. Providing a method to disable/ignore specific strict mode checks would allow projects more flexibility when using strict mode.
This issue has been automatically marked as inactive because it has not had any activity in the last 30 days.

Wouldn't the same line of arguing hold true for any new check added to strict mode? The idea behind strict mode is that it will reject any policy that isn't compatible with a future
More fine-grained checks live more in linter space, IMO.
FWIW, this is an existing linter rule in Regal, and has been for quite some time. One problem with the current annotation "syntax" (for lack of a better word), and one that will be exacerbated by this strictness check IMHO:

```rego
# METADATA
# title: foo
# TODO: remember to change this
# description: bar
package p
```

This would fail the strictness check (and by all means, the Regal rule, although that allows configuring ignores, strict mode doesn't), but it's obviously not wrong to want to comment on something in a metadata annotation. I tried to address this by suggesting an alternative form for metadata annotations in #5402, which would also rid us of that COBOL/SQL-esque

```rego
## title: foo
# TODO: remember to change this
## description: bar
package p
```

The more I've worked with metadata annotations, and it's been quite a lot in Regal and elsewhere, the more convinced I am this is a good idea.
The compact format seems nice. We would still fail on unknown metadata attributes in strict mode but now at least you can mix in comments. Looks like a good change. @johanfylling WDYT?

Alternatively, we flip it, and make double

```rego
# METADATA
# title: foo
## TODO: remember to change this
# description: bar
package p
```
To accommodate projects that are already using custom 1st level annotations, we should provide a way to opt-out; as refactoring might be a big undertaking. One way to accomplish that would be to introduce a new annotation for allowing unknown annotations outside of
New `allow_unknown_annotations` annotation introduced to opt-out. Fixes: open-policy-agent#5411 Signed-off-by: Johan Fylling <[email protected]>
Closing this after discussion with @johanfylling. This check, and 70+ other linter rules to help enforce a more strict interpretation of Rego are already available in Regal, so adding it to strict mode would just be duplicating that logic.
A danger of using custom annotations not organized into the `custom` annotation in a `METADATA` comment block is that your policy is vulnerable to future OPA updates. E.g. the following policy might be fine today:

but a future OPA version might introduce the `severity` annotation, which might affect policy execution.

A check in compiler strict-mode could be added that would cause a `check` command execution to fail if any unknown `METADATA` annotations are present.
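The check this issue asks for, run over the comment forms discussed in the thread, as an added example; this is a stand-alone illustration, not OPA's compiler or Regal's rule. It parses only the top-level keys of a `METADATA` block (nested YAML under `custom:` is deliberately ignored, which is the point of `custom`), and the `KNOWN_ANNOTATIONS` set is an assumption taken from the OPA annotation keys as documented at the time of writing. The `style` parameter models the three conventions on the page: the current form where every `#` line after `# METADATA` is YAML, the `##` form from #5402, and the flipped variant.

```python
"""Added example: flag unknown top-level METADATA annotations in a Rego file.

Not OPA or Regal code. Simplifications (assumptions): the METADATA block is the
run of comment lines before the first code line, and only unindented `key:`
lines count as top-level annotations, so values nested under `custom:` pass.
"""
import re

# Assumption: the top-level annotation keys OPA documents today. A future OPA
# release may add more (e.g. a hypothetical `severity`), which is exactly the
# risk the issue describes for home-grown top-level keys.
KNOWN_ANNOTATIONS = frozenset({
    "scope", "title", "description", "related_resources",
    "authors", "organizations", "schemas", "entrypoint", "custom",
})

# A top-level YAML mapping key: no leading indentation, identifier, colon.
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w-]*)\s*:")


def _strip_marker(line, marker):
    """Drop the comment marker and at most one following space, keeping YAML indentation."""
    body = line[len(marker):]
    return body[1:] if body.startswith(" ") else body


def extract_metadata_lines(source, style="standard"):
    """Return the YAML payload lines of the leading METADATA block.

    style="standard": every '#' line after '# METADATA' is YAML (current OPA behaviour).
    style="double":   only '##' lines are YAML; single '#' lines are plain comments (#5402 form).
    style="flipped":  '#' lines after '# METADATA' are YAML; '##' lines are plain comments.
    """
    if style not in ("standard", "double", "flipped"):
        raise ValueError(f"unknown style {style!r}")
    payload, in_block = [], False
    for raw in source.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("#"):
            break  # first code line (package/import/rule) ends the comment run
        if style == "double":
            if line.startswith("##"):
                payload.append(_strip_marker(line, "##"))
            continue
        if line == "# METADATA":
            in_block = True
            continue
        if not in_block:
            continue
        if style == "flipped" and line.startswith("##"):
            continue  # '##' is an ordinary comment in the flipped form
        payload.append(_strip_marker(line, "#"))
    return payload


def unknown_annotations(source, style="standard", known=KNOWN_ANNOTATIONS):
    """List top-level annotation keys not in `known`, in source order."""
    found = []
    for body in extract_metadata_lines(source, style):
        match = TOP_LEVEL_KEY.match(body)
        if match and match.group(1) not in known:
            found.append(match.group(1))
    return found


def strict_check(source, style="standard", known=KNOWN_ANNOTATIONS):
    """Model the proposed strict-mode behaviour: (ok, message)."""
    unknown = unknown_annotations(source, style, known)
    if unknown:
        return False, "unknown METADATA annotation(s): " + ", ".join(unknown)
    return True, "ok"


# Constructed samples, following the snippets in the thread.
TODO_IN_BLOCK = "# METADATA\n# title: foo\n# TODO: remember to change this\n# description: bar\npackage p\n"
DOUBLE_HASH = "## title: foo\n# TODO: remember to change this\n## description: bar\npackage p\n"
FLIPPED = "# METADATA\n# title: foo\n## TODO: remember to change this\n# description: bar\npackage p\n"
# Issue-body scenario: a home-grown `severity` key at top level versus under `custom:`.
TOP_LEVEL_SEVERITY = "# METADATA\n# title: deny root\n# severity: high\npackage p\n"
NESTED_UNDER_CUSTOM = "# METADATA\n# title: deny root\n# custom:\n#   severity: high\npackage p\n"

if __name__ == "__main__":
    cases = [("todo in block", TODO_IN_BLOCK, "standard"),
             ("double hash", DOUBLE_HASH, "double"),
             ("flipped", FLIPPED, "flipped"),
             ("top-level severity", TOP_LEVEL_SEVERITY, "standard"),
             ("severity under custom", NESTED_UNDER_CUSTOM, "standard")]
    for name, src, style in cases:
        ok, msg = strict_check(src, style)
        print(f"{name:22} [{style:8}] -> {'PASS' if ok else 'FAIL'}: {msg}")
```

Running it shows the trade-off the thread is about: under the current form the `# TODO:` comment is parsed as an annotation and fails, while both alternative forms let comments and annotations coexist. The last two cases show why the issue body points at `custom`: a top-level `severity` is reported today (before any OPA release gives it meaning), whereas the same value nested under `custom:` is untouched.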