Copilot commented on code in PR #751: URL: https://github.com/apache/dubbo-go-pixiu/pull/751#discussion_r2327026181
########## docs/user/filter/opa.md: ########## @@ -0,0 +1,117 @@ +- # OPA Filter (dgp.filter.http.opa) + + [English](opa.md) · [中文](opa_CN.md) + Review Comment: Remove the extra dash character at the beginning of the line. The heading should start directly with `#`. ```suggestion # OPA Filter (dgp.filter.http.opa) [English](opa.md) · [中文](opa_CN.md) ``` ########## docs/user/filter/opa.md: ########## @@ -0,0 +1,117 @@ +- # OPA Filter (dgp.filter.http.opa) + + [English](opa.md) · [中文](opa_CN.md) + + --- + + ## English + + ### Overview + The `dgp.filter.http.opa` filter delegates authorization decisions to Open Policy Agent (OPA) via a Rego policy. This filter evaluates requests and determines whether to allow or deny based on the policy defined in Rego. The policy is provided as an inline Rego module and evaluated using OPA's built-in query engine. Review Comment: Remove the leading spaces for consistent left-aligned text formatting. ```suggestion The `dgp.filter.http.opa` filter delegates authorization decisions to Open Policy Agent (OPA) via a Rego policy. This filter evaluates requests and determines whether to allow or deny based on the policy defined in Rego. The policy is provided as an inline Rego module and evaluated using OPA's built-in query engine. ``` ########## docs/user/filter/opa.md: ########## 
@@ -0,0 +1,117 @@ +- # OPA Filter (dgp.filter.http.opa) + + [English](opa.md) · [中文](opa_CN.md) + + --- + + ## English + + ### Overview + The `dgp.filter.http.opa` filter delegates authorization decisions to Open Policy Agent (OPA) via a Rego policy. This filter evaluates requests and determines whether to allow or deny based on the policy defined in Rego. The policy is provided as an inline Rego module and evaluated using OPA's built-in query engine. + + ### What the filter does (current behavior) + - Loads a Rego **module string** from `config.policy`. + - Builds a Rego **query** from `config.entrypoint`. + - For each incoming request, constructs an `input` object and evaluates the query. + - If the query result is `true`, the request is allowed. Otherwise, the request is denied. + + > There is **no built-in support** for external policy files or URIs, custom HTTP status codes, or custom error bodies. + + ### Configuration schema + Add the filter under your HTTP connection manager’s `http_filters` list. + + ```yaml + filters: + - name: dgp.filter.httpconnectionmanager + config: + route_config: + # ... your routes + http_filters: + - name: dgp.filter.http.opa + config: + policy: | + package http.authz + + default allow = false + + allow { + input.method == "GET" + input.path == "/status" + } + entrypoint: "data.http.authz.allow" + # HTTP proxy filter should be after OPA filter + - name: dgp.filter.http.proxy + config: + +#### Fields + Review Comment: The YAML configuration example is incomplete - missing the closing structure for the proxy filter config section. Consider adding a comment like `# ... proxy config` or proper YAML structure. ```suggestion - name: dgp.filter.http.proxy config: # ... proxy config #### Fields ``` ########## docs/user/filter/opa.md: ########## 
@@ -0,0 +1,117 @@ +- # OPA Filter (dgp.filter.http.opa) + + [English](opa.md) · [中文](opa_CN.md) + + --- + + ## English + + ### Overview + The `dgp.filter.http.opa` filter delegates authorization decisions to Open Policy Agent (OPA) via a Rego policy. This filter evaluates requests and determines whether to allow or deny based on the policy defined in Rego. The policy is provided as an inline Rego module and evaluated using OPA's built-in query engine. + + ### What the filter does (current behavior) + - Loads a Rego **module string** from `config.policy`. + - Builds a Rego **query** from `config.entrypoint`. + - For each incoming request, constructs an `input` object and evaluates the query. + - If the query result is `true`, the request is allowed. Otherwise, the request is denied. + + > There is **no built-in support** for external policy files or URIs, custom HTTP status codes, or custom error bodies. + + ### Configuration schema + Add the filter under your HTTP connection manager’s `http_filters` list. + + ```yaml + filters: + - name: dgp.filter.httpconnectionmanager + config: + route_config: + # ... your routes + http_filters: + - name: dgp.filter.http.opa + config: + policy: | + package http.authz + + default allow = false + + allow { + input.method == "GET" + input.path == "/status" + } + entrypoint: "data.http.authz.allow" + # HTTP proxy filter should be after OPA filter + - name: dgp.filter.http.proxy + config: + +#### Fields + +- **`policy`** *(string, required)* + - **Meaning:** The **Rego module source code** (inline string). Loaded via `rego.Module("policy.rego", policy)`. + - **Datatype:** `string` (multiline YAML recommended with `|`). + - **Notes:** File paths or bundle URIs are **not supported**. +- **`entrypoint`** *(string, required)* + - **Meaning:** The **Rego query string** passed to `rego.Query(...)`. Should be a valid query like `data.<package>.<rule>` (e.g., `data.http.authz.allow`). + - **Datatype:** `string`. 
+ +#### Decision contract + +- If the query result is a non-empty set whose first expression value is **`true`**, the request **continues**. +- Otherwise (empty results or value ≠ `true`), the filter **stops** (request denied). + +### Policy input + +The filter constructs an `input` object with the following keys, which correspond to the HTTP request. + +``` +input.method # HTTP method string Review Comment: The indentation with spaces before the language links, horizontal rule, and section heading is inconsistent with standard Markdown formatting. These elements should be aligned to the left margin. ```suggestion [English](opa.md) · [中文](opa_CN.md) --- ## English ### Overview The `dgp.filter.http.opa` filter delegates authorization decisions to Open Policy Agent (OPA) via a Rego policy. This filter evaluates requests and determines whether to allow or deny based on the policy defined in Rego. The policy is provided as an inline Rego module and evaluated using OPA's built-in query engine. ### What the filter does (current behavior) - Loads a Rego **module string** from `config.policy`. - Builds a Rego **query** from `config.entrypoint`. - For each incoming request, constructs an `input` object and evaluates the query. - If the query result is `true`, the request is allowed. Otherwise, the request is denied. > There is **no built-in support** for external policy files or URIs, custom HTTP status codes, or custom error bodies. ### Configuration schema Add the filter under your HTTP connection manager’s `http_filters` list. ```yaml filters: - name: dgp.filter.httpconnectionmanager config: route_config: # ... 
your routes http_filters: - name: dgp.filter.http.opa config: policy: | package http.authz default allow = false allow { input.method == "GET" input.path == "/status" } entrypoint: "data.http.authz.allow" # HTTP proxy filter should be after OPA filter - name: dgp.filter.http.proxy config: #### Fields - **`policy`** *(string, required)* - **Meaning:** The **Rego module source code** (inline string). Loaded via `rego.Module("policy.rego", policy)`. - **Datatype:** `string` (multiline YAML recommended with `|`). - **Notes:** File paths or bundle URIs are **not supported**. - **`entrypoint`** *(string, required)* - **Meaning:** The **Rego query string** passed to `rego.Query(...)`. Should be a valid query like `data.<package>.<rule>` (e.g., `data.http.authz.allow`). - **Datatype:** `string`. #### Decision contract - If the query result is a non-empty set whose first expression value is **`true`**, the request **continues**. - Otherwise (empty results or value ≠ `true`), the filter **stops** (request denied). ### Policy input The filter constructs an `input` object with the following keys, which correspond to the HTTP request. ``` input.method # HTTP method string ```
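Review bot: The `yaml` fence opened under "Configuration schema" is never closed. After the `dgp.filter.http.proxy` entry's `config:` line the added text goes straight to `#### Fields`, so the field list and the "Decision contract" section render as part of the code block until the next fence line. Add a closing fence line right after the proxy filter's `config:` (with the `# ... proxy config` placeholder), and carry that fix into the last suggestion above, which reproduces the same unclosed block.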
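Review bot: The "Decision contract" section covers empty results and values other than `true`, but the lines shown do not say what happens when the inline `policy` fails to compile or the query returns an evaluation error, nor which HTTP status a denied client receives. For an authorization filter this should be explicit: state whether errors are treated as a deny, and name the fixed status code, since the note under "What the filter does" says custom status codes and error bodies are not supported.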