Add support for deleting data when publishing data updates
It is currently not possible to delete data in OPA once it has been added. The REST API supports this, the OPAL server's API does not. A workaround is to set the affected document to null or an empty array but, depending on the use-case, this is not ideal.
Example:
Given this data:
{
  "tenants": {
    "tenantA": {
      "users": {
        "userA": ["some_permission", "some_other_permission"],
        "userB": [ "..." ]
      }
    }
  }
}
I would like to send a data update to the OPAL server that tempts the OPAL clients to call the aforementioned DELETE API in OPA:
{
  "entries": [
    {
      "topics": [ "users" ],
      "dst_path": "/tenants/tenantA/users/userA",
      "save_method": "DELETE"
    }
  ]
}
This is currently not an option and we're stuck with updating the data to reflect the change:
{
  "entries": [
    {
      "url": "http://some-api/tenants/tenantA/users/userA", // doesn't point to anything as the user has been deleted
      "topics": [ "users" ],
      "data": [],
      "dst_path": "/tenants/tenantA/users/userA",
      "save_method": "PUT"
    }
  ]
}
We're left with the following data:
{
  "tenants": {
    "tenantA": {
      "users": {
        "userA": [ ],
        "userB": [ "..." ]
      }
    }
  }
}
...which in our case inadvertently has an impact on our policies as we check for a user's mere existence within a tenant.
Requested changes to the public API:
- valid save_method values should include "DELETE"
- DataSourceEntry.url is required. Should be optional when using save_method="DELETE"
- possibly change some wording, e.g. save_method and dst_path don't really make sense in the context of deleting data
Plus whatever is necessary internally to have the OPAL clients request deletion of the affected data in OPA. I'd be willing to open a PR if this change makes sense to you.
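Added example (not part of the original issue and not OPAL or OPA code): a minimal Python model of the data document from the issue, showing why overwriting a path with an empty array differs from deleting it when a policy tests key presence. The helper names `put_path`, `delete_path`, `user_exists` and `user_has_permissions` are hypothetical, and the two update functions only model the effect of a PUT and a DELETE on the document.

```python
import copy

# Constructed sample mirroring the data document shown in the issue.
DATA = {"tenants": {"tenantA": {"users": {
    "userA": ["some_permission", "some_other_permission"],
    "userB": ["..."],
}}}}


def _parent(doc, path):
    # Walk to the parent of the last path segment; return (parent, key).
    *parents, key = [p for p in path.split("/") if p]
    node = doc
    for part in parents:
        node = node[part]
    return node, key


def put_path(doc, path, value):
    # Model of a PUT update: overwrite the document at `path` with `value`.
    doc = copy.deepcopy(doc)
    parent, key = _parent(doc, path)
    parent[key] = value
    return doc


def delete_path(doc, path):
    # Model of a DELETE update: remove the document at `path` entirely.
    doc = copy.deepcopy(doc)
    parent, key = _parent(doc, path)
    parent.pop(key, None)
    return doc


def user_exists(doc, tenant, user):
    # Hypothetical policy check: key presence only, as the issue describes.
    return user in doc["tenants"][tenant]["users"]


def user_has_permissions(doc, tenant, user):
    # Stricter check: a missing user and an empty permission list both fail.
    return bool(doc["tenants"][tenant]["users"].get(user))


PATH = "/tenants/tenantA/users/userA"
after_workaround = put_path(DATA, PATH, [])  # the empty-array workaround
after_delete = delete_path(DATA, PATH)       # the requested behaviour
```

With the workaround, `user_exists` still returns true for the removed user; only the delete, or a check like `user_has_permissions`, denies them.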
Thanks for opening this, @maurice-freitag.
If you're willing to open a PR - that would be even more appreciated. 💪🙏
How about we keep 'save_method' as is for backward compatibility, and add something else (e.g. 'operation') that, if included, ignores save-method?