Evaluating a Data Filter Policy

To understand how SQL WHERE clauses can be derived from a partially evaluated Rego policy, it's beneficial to have a basic idea about how partial evaluation (PE) works. This walk-through of a PE run starts with a basic filter policy:

filters.rego

# METADATA
# scope: package
# compile:
#   unknowns:
#     - input.users
#     - input.products
package filters

user := input.user

include if {
        input.users.name == user
        input.budget != "low"
}

include if {
        input.users.name == user
        input.budget == "low"
        input.products.price < 500
}

include if input.products.price == "free"

This walkthrough follows the policy in the same way the evaluator does, using the following input:

{
  "user": "dana",
  "budget": "low"
}

---

user := input.user

include if {
        input.users.name == user
        input.budget != "low"
}

include if {
        input.users.name == user
        input.budget == "low"
        input.products.price < 500
}

include if input.products.price == "free"

The first include rule is evaluated.

---

user := input.user

include if {
        input.users.name == user
        input.budget != "low"
}

include if {
        input.users.name == user
        input.budget == "low"
        input.products.price < 500
}

include if input.products.price == "free"

The expression input.users.name == user uses user, which is known, "dana". The LHS input.users.name is part of the unknowns (input.users), so the expression contributes to the conditions:

input.users.name == "dana"

Since input.user is known, it's been dereferenced.

---

user := input.user

include if {
        input.users.name == user
        input.budget != "low"
}

include if {
        input.users.name == user
        input.budget == "low"
        input.products.price < 500
}

include if input.products.price == "free"

The expression's LHS is known, "low", which is not different from "low". When all parts of an expression are known and it evaluates to false, this rule path is abandoned (regardless of any further expressions), and the set of conditions aggregated for this rule body is discarded.

Partial evaluation continues with the next rule body.

---

user := input.user

include if {
        input.users.name == user
        input.budget != "low"
}

include if {
        input.users.name == user
        input.budget == "low"
        input.products.price < 500
}

include if input.products.price == "free"

The second rule body is evaluated. A condition is again derived from the comparison with user, which is input.user, and known to be "dana":

input.users.name == "dana"

---

user := input.user

include if {
        input.users.name == user
        input.budget != "low"
}

include if {
        input.users.name == user
        input.budget == "low"
        input.products.price < 500
}

include if input.products.price == "free"

The expression input.budget == "low" has only known parts, input.budget, and "low", and is indeed true. It doesn't add any condition, and lets us continue evaluating this rule body.

---

user := input.user

include if {
        input.users.name == user
        input.budget != "low"
}

include if {
        input.users.name == user
        input.budget == "low"
        input.products.price < 500
}

include if input.products.price == "free"

The next expression, input.products.price < 500, involves a number literal and an unknown, and thus adds a condition:

input.users.name == "dana"
input.products.price < 500

There are no further expressions in this rule body, so the conditions are saved, and partial evaluation proceeds to the next rule body.

---

user := input.user

include if {
        input.users.name == user
        input.budget != "low"
}

include if {
        input.users.name == user
        input.budget == "low"
        input.products.price < 500
}

include if input.products.price == "free"

As with every new rule body, the set of conditions is reset.

This expression includes one unknown and one literal, so it adds a condition to the set:

input.products.price == "free"

There are no further expressions, so this condition also contributes to the PE result.

---

The partial evaluation of data.filters.include with the given (known) inputs is now complete. It has yielded two sets of conditions, A and B, which form the basis of translation into SQL queries.

A (Rego)

input.users.name == "dana"
input.products.price < 500

B (Rego)

input.products.price == "free"

---

When translating, each of the sets is translated into SQL expressions:

A (SQL)

users.name = "dana" AND products.price < 500

B (SQL)

products.price = "free"

---

Finally, the two are combined with OR:

A OR B

(users.name = "dana" AND products.price < 500) OR products.price = "free"

Next Steps

• To learn more about which Rego expressions can be used in filter policies, continue to Writing valid data filtering policies.
• Find all information about supported options and tweaks for translation in the Data Filters Compilation API reference.