Rego Built-in Function: regex.globs_match
regex.globs_match() is a less commonly used built-in function that checks whether two patterns overlap. This can be useful when patterns are used to define permissions or access control rules. The function returns true if the two patterns overlap and false otherwise.
Examples
Pattern based access
This example demonstrates using regex.globs_match in Rego to ensure actions are allowed only if the user's permissions overlap with the required permissions for the action. The user's permissions are defined by patterns, as are the permissions required by any given action.
policy.rego
package play

import rego.v1

user_roles := data.user_roles[input.user_id]

action_requirements := data.action_requirements[input.action]

permission_patterns contains pattern if {
    some role in user_roles
    some pattern in data.role_permissions[role]
}

default allow := false

allow if {
    every requirement in action_requirements {
        some pattern in permission_patterns
        regex.globs_match(pattern, requirement)
    }
}
input.json
{
    "user_id": "c2655539-8422-476d-9430-a26a4efa51b2",
    "action": "tenant.create",
    "props": {
        "name": "my-new-tenant"
    }
}
data.json
{
    "user_roles": {
        "c2655539-8422-476d-9430-a26a4efa51b2": [
            "developer"
        ]
    },
    "role_permissions": {
        "developer": [
            "dns.*",
            "compute.*"
        ]
    },
    "action_requirements": {
        "tenant.create": [
            "dns.records.create",
            "compute.containers.create",
            "compute.containers.scale.*"
        ]
    }
}
Rule | Output Value | Notes |
---|---|---|
allow | true | The user has broad access, and it overlaps with the permissions needed for the action. |
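
A test file for the policy above, added here as an example and not part of the original page. It exercises the allow and deny paths and the overlap semantics of regex.globs_match; the users `alice`, `bob` and `nobody`, the `dns_admin` role, the `noop` and `tenant.delete` actions and the file name `policy_test.rego` are constructed for illustration.

```rego
package play_test

import rego.v1

# Constructed data: the page's role and action plus a hypothetical
# "dns_admin" role and a hypothetical "noop" action with no requirements.
roles := {"alice": ["developer"], "bob": ["dns_admin"]}

perms := {"developer": ["dns.*", "compute.*"], "dns_admin": ["dns.*"]}

reqs := {
    "tenant.create": [
        "dns.records.create",
        "compute.containers.create",
        "compute.containers.scale.*",
    ],
    "noop": [],
}

# Evaluate data.play.allow against the constructed documents.
allowed(user, action) := result if {
    result := data.play.allow with input as {"user_id": user, "action": action}
        with data.user_roles as roles
        with data.role_permissions as perms
        with data.action_requirements as reqs
}

test_developer_allowed if allowed("alice", "tenant.create")

# "dns.*" overlaps none of the compute requirements.
test_dns_only_role_denied if not allowed("bob", "tenant.create")

# No requirements entry: the allow body is undefined and the default applies.
test_unknown_action_denied if not allowed("alice", "tenant.delete")

# `every` over an empty list is true, so this passes even for an unknown user.
test_empty_requirements_allow_anyone if allowed("nobody", "noop")

# Overlap is not containment: a narrow grant satisfies a wildcard requirement.
test_overlap_not_containment if {
    regex.globs_match("compute.containers.scale.up", "compute.containers.scale.*")
}

# "." is a regex wildcard, not a literal dot, so "dns.*" also reaches "dnssec".
test_dot_is_wildcard if regex.globs_match("dns.*", "dnssec.keys.read")
```

Run it with `opa test policy.rego policy_test.rego`. The last three tests record behaviour to account for when writing permission data: empty requirement lists, overlap versus containment, and the unescaped dot.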