Using Rego to write policies
Rego is a language specifically designed for policy writing. It is different to most languages you have likely written code in. Typical authorization code will look something like the following:
//assume failure boolean allowed = false; //on certain conditions allow access if (someCondition) { Â Â allowed = true; } //are we authorized? if (allowed) { Â Â doSomething(); }
Authorization code will generally default to unauthorized, with a specific condition having to happen in order to allow the final action to be authorized. Rego takes a different approach. Rego is generally written to authorize everything unless a specific set of conditions happens.
Another major difference between Rego and more general programming languages is that there are no explicit "if
/then
/else
" control statements. When a line of Rego is going to make a decision, the code is interpreted as "if this line is false, stop execution." For instance...