Prototype: Use Weaver to enforce semantic convention policies #1014
base: main
@@ -0,0 +1,37 @@ | |||
package otel | |||
|
|||
# A registry `attribute_group` containing at least one `ref` attribute is |
not blocking: would it be possible to link some docs on the policy syntax and the properties available on group/attribute/etc?
@lmolkova, you will find some documentation I wrote on this topic here https://github.com/open-telemetry/weaver/tree/main/crates/weaver_checker
The definition of the attributes for the violation entity is defined here https://github.com/open-telemetry/weaver/blob/main/crates/weaver_checker/src/violation.rs
In general, the policy file is based on the Rego language and its documentation is available here https://www.openpolicyagent.org/docs/latest/policy-language/
# considered invalid if it's not in the registry group. | ||
deny[attr_registry_violation("registry_with_ref_attr", group.id, attr.ref)] { | ||
group := input.groups[_] | ||
startswith(group.id, "registry.") |
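Review bot: the comment above the `registry_with_ref_attr` rule says a group is invalid "if it's not in the registry group", but the rule body selects groups whose id starts with `registry.`, so the comment reads as the opposite of what the rule name and the `startswith` condition express. Consider rewording it to something like "A group in the registry (id prefixed `registry.`) must not contain `ref` attributes" so the comment, the violation id and the match condition agree.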
non-blocking, just some thoughts for the future:
I hope we will invent a more formal way to define a registry.
E.g.
- now someone can add `registry.foo.bar` in any place in the repo.
- or we'll add metrics registry and will need a different prefix.
- the attribute definition in the registry won't even have `ref` from the schema perspective
- etc
cdd6a8e
to
16da3d8
Compare
This is a prototype of using Weaver to enforce semantic convention policies via the experimental Open-Policy-Agent support.
This defines three policies:
- `nonregistry_with_id_attr`: We only allow new attribute definitions inside the attribute registry, all other attributes must be `ref`.
- `registry_must_be_attribute_group`: All groups in attribute registry MUST be type `attribute_group`.
- `registry_with_ref_attr`: Attribute registry is not allowed to contain `ref` - An attribute can only belong to one group.

Example output on today's repository:
Each of these current violations is something we should fix.
Changes
- `check-policies` command to the makefile which can check weaver policies
- `policies/before_resolution/` folder for policies we can enforce on raw YAML model.

Merge requirement checklist
- [chore]
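The three policies listed in the description, written out as an added example in the same Rego rule style as the hunk; this is not the PR's policy file. The package name, the `violation` helper and the sample input are constructed, and the `attributes`, `id` and `type` keys are assumed from the semantic-convention YAML model.

```rego
package semconv_policy_example

# Constructed input. Keys other than `groups`, `id` (group) and `ref`
# are assumptions about the raw YAML model.
sample := {"groups": [
    {"id": "registry.http", "type": "attribute_group", "attributes": [
        {"id": "http.request.method"},
        {"ref": "url.full"}
    ]},
    {"id": "registry.db", "type": "span", "attributes": [{"id": "db.name"}]},
    {"id": "trace.http.client", "type": "span", "attributes": [
        {"ref": "http.request.method"},
        {"id": "http.local_only"}
    ]}
]}

# Hypothetical helper; the PR's attr_registry_violation is not reproduced here.
violation(policy, group_id, attr_id) = v {
    v := {"policy": policy, "group": group_id, "attr": attr_id}
}

# New attribute definitions (`id`) are only allowed inside the registry.
deny[violation("nonregistry_with_id_attr", group.id, attr.id)] {
    group := input.groups[_]
    not startswith(group.id, "registry.")
    attr := group.attributes[_]
    attr.id
}

# Every registry group must be an `attribute_group`; a missing type also fails.
deny[violation("registry_must_be_attribute_group", group.id, "")] {
    group := input.groups[_]
    startswith(group.id, "registry.")
    not group.type == "attribute_group"
}

# Registry groups define attributes, so they must not `ref` them.
deny[violation("registry_with_ref_attr", group.id, attr.ref)] {
    group := input.groups[_]
    startswith(group.id, "registry.")
    attr := group.attributes[_]
    attr.ref
}

# The constructed sample trips each policy exactly once.
test_sample_has_one_violation_per_policy {
    found := {v.policy | v := deny[_] with input as sample}
    found == {"nonregistry_with_id_attr", "registry_must_be_attribute_group", "registry_with_ref_attr"}
    count(deny) == 3 with input as sample
}
```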