docs: Add section on how to express "FOR ALL" in Rego #1527
Conversation
| There must be no apps named "bitcoin-miner". | ||
| ``` | ||
|
|
||
| You may start by defining a rule named `no_bitcoin_miners` like so: |
There was a problem hiding this comment.
Better if it's clearer that this is the mistake...
"A common mistake is to try encoding the following with the rule named no_bitcoin_miners like so:"
| } | ||
| ``` | ||
|
|
||
| Unfortunately this rule is incorrect. You can see this by testing the rule: |
There was a problem hiding this comment.
Might also use some to show that this is incorrect....
"It becomes clear that this is incorrect when you use the some keyword, because the rule is true whenever there is some app that is not a bitcoin-miner."
no_bitcoin_miners {
some i
app := apps[i]
app.name != "bitcoin-miner"
}
```
| quantified_. This means that rule bodies and queries express FOR ANY and not FOR | ||
| ALL. To express FOR ALL in Rego use [Negation](#negation) and a bit of basic | ||
| logic: | ||
|
|
There was a problem hiding this comment.
How about a bridge that gives the english version before the 2 complements:
"For this policy, you define a rule that finds if there exists a bitcoin-mining app (which is easy using the some keyword). And then you use negation to check that there is NO bitcoin-mining app. Technically, you're using 2 negations and an existential quantifier, which is logically the same as a universal quanitfier."
| not any_bitcoin_miners | ||
| } | ||
|
|
||
| any_bitcoin_miners { |
There was a problem hiding this comment.
Maybe use some here for additional clarity
|
|
||
| > Whether you use negation or comprehensions to express FOR ALL is up to you. | ||
| > The comprehension version is more concise and does not require a helper rule | ||
| > while the negation version is more verbose but a bit simpler. |
There was a problem hiding this comment.
And the negation version allows for more complex logic: ORs
| #### For All | ||
|
|
||
| ```ruby | ||
| # assert no values in set match predicate |
There was a problem hiding this comment.
s/match predicate/make function f true
docs/content/language-cheatsheet.md
Outdated
| # assert no values in set match predicate | ||
| count({x | set[x]; f(x)}) == 0 | ||
|
|
||
| # assert all values in set match predicate |
There was a problem hiding this comment.
s/match predicate/make function f true
tsandall
force-pushed
the
fix-1307
branch
2 times, most recently
from
beca9a2 to
8819e19
Compare
This is a common question that comes up. Until we have a keyword that lets users express "FOR ALL" we should have docs we can point to. Fixes open-policy-agent#1307 Signed-off-by: Torin Sandall <torinsandall@gmail.com>
|
@timothyhinrichs thanks. Incorporated all of your feedback. Let me know if anything else should be changed before merging. |
|
Merge away
…On Thu, Jun 27, 2019 at 12:29 PM Torin Sandall ***@***.***> wrote:
@timothyhinrichs <https://github.com/timothyhinrichs> thanks.
Incorporated all of your feedback. Let me know if anything else should be
changed before merging.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1527?email_source=notifications&email_token=ACMVQK6WWVWWVVVKNHNUAJ3P4UILLA5CNFSM4H3YMBVKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGODYYELHY#issuecomment-506480031>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ACMVQK2Q27OOR6C75QCEHHDP4UILLANCNFSM4H3YMBVA>
.
|
This is a common question that comes up. Until we have a keyword that
lets users express "FOR ALL" we should have docs we can point to.
Fixes #1307
Signed-off-by: Torin Sandall torinsandall@gmail.com