Skip to main content

Overview

A Library is a mechanism that enables teams to share policies and policy fragments across the enterprise. The policies in the library can be written for any use case by any team. The organization of the DAS Library depend on the enterprise to agree upon. The policy library can be used by either DAS systems or DAS stacks.

This page describes the how to work with Libraries.

Manage the Library

Currently, the functionality to fully manage the Library (create, read, update, delete policies and data) is only available in the API. The documentation for Library management covers the basics needed for the GUI and API.

The GUI currently supports mounting the Git repository for the Library and viewing its policies and data as read-only. When you push changes to the Library in Git, the GUI will reflect those changes. Styra DAS supports either HTTPS or SSH authentication for Git. You can navigate to the Add library dialog and select the Git authentication mode HTTPS or SSH.

Styra recommends using the Library by mounting a Git directory of policies and data. This allows you to store all of your policies and data in Git, yet use them for all the systems and Stacks that you want within the DAS.

When using either the API or GUI to mount the Git repository for the Library, there are restrictions on the packages and directory structures within the Rego or JSON files that are mounted. For more information on these restrictions, see "Package and Directory Restrictions" section on Mounting Git Repositories page.

Alternatively, you can manage the Library through the DAS policies API. There are APIs for creating, updating, deleting, and viewing all of the rules and the data stored in the library. The Library provide you with nearly the same flexibility as the OPA policy management API, but there are some limitations listed in the Git-mount instructions.

Use the Library to Write Policies

Regardless, how you manage the Library, all of the policies and data are available for policy writing from the data.global namespace. You can use the Library with systems, stacks, and any other Rego in the DAS.

For example, if your library includes a helper function that turns a string representing a URL into an array. Then upload the following file into the library.

package global.url

split(url) := result {
s := trim(url, "/")
result := split(s, "/")
}

Now, use the following function within an Envoy system Ingress policy.

package policy["com.styra.envoy.ingress"].rules.rules

import data.dataset

default allow = false

# allow GET /dogs/...
allow {
input.attributes.request.http.method == "GET"
parsed_path := data.global.url.split(input.attributes.request.http.path)
parsed_path[0] == "dogs"
}

The data.global namespace has a global scope. It can be used in any policy within the DAS product.