redis: Interacting with a Redis database | Enterprise OPA
The redis built-in function allow you to interact with a Redis database.
Check out our tutorial on querying Redis.
redis.query
The redis.query function allows you to make a query against a Redis database.
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
addr | String | Yes | Address to connect to Redis at. | |
db | Int | No | 0 | Redis database to use. |
auth | Object | No | See Auth | |
cache | Bool | No | false | Cache the results of queries. |
cache_duration | Integer | No | 60 | Duration (in seconds) to keep cached query results. |
raise_error | Bool | No | true | See Errors. |
command | String | Yes | Redis command to execute. This field is case-insensitive. | |
args | Array | Yes | Arguments to pass to the Redis command. |
Note that only the following Redis commands are supported. Using a Redis command not in the list below as the value for the command field will cause Enterprise OPA to exit with an error.
- get
- getrange
- hexists
- hget
- hgetall
- hkeys
- hlen
- hmget
- hrandfield
- lindex
- llen
- lpos
- lrange
- mget
- scard
- sdiff
- sinter
- sintercard
- sismember
- smembers
- smismember
- srandmember
- strlen
- sunion
Example usage
redis.query({
"addr": "localhost:6379",
"auth": {
"password": "letmein1!",
},
"command": "get",
"args": ["some string key"]
}) # => { "results": "<value associated with 'some string key'>" }
Auth
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
auth.username | String | No | (empty string) | Stores the username to connect to the Redis server with. |
auth.password | String | No | (empty string) | Stores the password of the Redis server to connect to. If the database does not require a password, an empty string should may be used, or the field may be omitted entirely. |
Errors
By default—and if raise_error is true—then an error returned will halt policy evaluation.
If raise_error is false, then the response object contains the error in an error key instead of its usual response.
{
"error": ...
}
Utility helpers
Enterprise OPA comes with a helper method for using this builtin together with
vault.send: redis.query.
This method is available in Enterprise OPA at data.system.eopa.utils.redis.v1.vault.
package example
import data.system.eopa.utils.redis.v1.vault as redis
example_1 := redis.query({"addr": " ... ", "command": " ... ", "args": [ ... ]})
# => {"results": [ ... ]}
The utility method will lookup connection data from a map it expects to find in
Vault, under the path secret/redis:
{
"username": "...",
"password": "...",
}
See Auth for more information.
To override the secret path within Vault, use:
package example
import data.system.eopa.utils.redis.v1.vault as redis
redis_query(req) := result {
result := redis.query(req)
with redis.override.secret_path as "secret/prod/eopa-redis"
example_2 := redis_query({"addr": " ... ", "command": " ... ", "args": [ ... ]})
) # => {"results": ... }
If you need to override the Vault address or token, you can use this:
package example
import data.system.eopa.utils.vault.v1.env as vault
import data.system.eopa.utils.redis.v1.vault as redis
redis_query(req) := result {
result := redis.query(req)
with redis.override.secret_path as "secret/prod/eopa-redis"
with vault.override.address as "localhost"
with vault.override.token as "dev-token-2"
}
example_3 := redis_query({"addr": " ... ", "command": " ... ", "args": [ ... ]})
) # => {"results": [ ... ]}