Managing a Library
The Styra DAS UI supports full Library management (create, read, update, and delete policies and data), including unit testing, impact analysis using log replay, and dependency tracking. Library policies and data are accessible across all Systems, Stacks, and other Libraries.
Using a Library to Manage Policies
Libraries can be used to write policies. All policies and data are available for policy writing from the data.libraries namespace. You can use your Library with Systems, Stacks, and other Rego policies in Styra DAS.
For example, your Library can include a helper function that turns a string representing a URL into an array. To do so, add a new policy url.rego to your my_lib Library:
package libraries.my_lib

split_url(url) := result {
    s := trim(url, "/")
    result := split(s, "/")
}
This function could then be used within an Envoy System Ingress policy:
package policy["com.styra.envoy.ingress"].rules.rules

import data.dataset

default allow = false

# allow GET /dogs/...
allow {
    input.attributes.request.http.method == "GET"
    parsed_path := data.libraries.my_lib.split_url(input.attributes.request.http.path)
    parsed_path[0] == "dogs"
}
The data.libraries namespace has a global scope. It can be used in any Policy within Styra DAS.
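As an added example (not from the Styra documentation), the unit tests below exercise the Ingress policy and the split_url helper above on edge-case paths. The helper mock_request, the test names, and the sample inputs are constructed, and the tests assume a test module loaded in the same package as the Ingress policy.

```rego
package policy["com.styra.envoy.ingress"].rules.rules

# Constructed Envoy-style input; mock_request is a hypothetical test helper.
mock_request(method, path) := {"attributes": {"request": {"http": {
    "method": method,
    "path": path
}}}}

test_get_dogs_item_allowed {
    allow with input as mock_request("GET", "/dogs/123")
}

test_get_dogs_trailing_slash_allowed {
    # trim() strips the trailing "/", so the path splits to ["dogs"]
    allow with input as mock_request("GET", "/dogs/")
}

test_post_dogs_denied {
    not allow with input as mock_request("POST", "/dogs/123")
}

test_prefix_lookalike_denied {
    # Whole-segment comparison: "dogsled" is not "dogs"
    not allow with input as mock_request("GET", "/dogsled")
}

test_root_path_denied {
    # "/" trims to "", and split("", "/") returns [""]
    not allow with input as mock_request("GET", "/")
}

test_query_on_first_segment_denied {
    # If the path carries a query string, the first segment is "dogs?breed=lab"
    not allow with input as mock_request("GET", "/dogs?breed=lab")
}

test_missing_path_denied {
    # No path in the input: split_url is undefined and the default applies
    not allow with input as {"attributes": {"request": {"http": {"method": "GET"}}}}
}

test_split_url_keeps_dot_segments {
    # split_url does not normalize; ".." comes back as a literal element
    data.libraries.my_lib.split_url("/dogs/../cats") == ["dogs", "..", "cats"]
}
```

The last test documents that the helper passes dot segments through unchanged, so the policy evaluates the path exactly as it was forwarded.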
Using a Library to Define Data
You can also use Data Sources defined in a Library with Systems, Stacks, and other Rego policies in Styra DAS. For example, suppose your my_lib Library includes a JSON Data Source that is defined at actions/methods.json:
{
    "read": "GET",
    "update": "POST"
}
This data could then be used within an Envoy System Ingress policy:
package policy["com.styra.envoy.ingress"].rules.rules

import data.libraries.my_lib.actions

default allow = false

# allow requests whose method matches the Library's "read" action (GET)
allow {
    input.attributes.request.http.method == actions["methods.json"].read
}
Validate a Library Policy
As with Systems and Stacks, you can review the broader potential impact of a Library policy change before you publish it. Click Validate while viewing a Library policy to run tests and replay past decisions, and see how outcomes across the Systems that import the Library might be affected by the change.
For DAS to include a System's decisions during Library Log Replay, a Library user requires at minimum read access to each System which imports the Library.
Library Dependency Tracking
Styra DAS tracks the import of a Library at the System bundle level to provide visibility into the usage of a Library. At the Library level, the LibrariesGet API returns the used_by field, detailing the Systems and bundles using the Library. At the System bundle level, the GetSystemBundles API returns the dependencies field, which lists the Library dependencies for that bundle.