Using Rego to write policies
Rego is a language specifically designed for policy writing. It is different from most languages you have likely written code in. Typical authorization code will look something like the following:
//assume failure
boolean allowed = false;
//on certain conditions allow access
if (someCondition) {
allowed = true;
}
//are we authorized?
if (allowed) {
doSomething();
}
Authorization code will generally default to unauthorized, with a specific condition having to happen in order to allow the final action to be authorized. Rego takes a different approach. Rego is generally written to authorize everything unless a specific set of conditions happens.
Another major difference between Rego and more general programming languages is that there are no explicit if
/then
/else
control statements. When a line of Rego is going to make a decision, the code is interpreted as "if this line is false, stop execution." For instance, the following code...