https://www.ory.sh/ logo
Join Slack
Powered by
With regards this error; `Expected exactly one rul...
# talk-oathkeeper
t
With regards this error; 
Expected exactly one rule but found multiple rules
Are there any ways to allow a URL in two rules (and maybe define some form of priority)? As an example;
Copy code
# Default Deny all
...
    "match": {
      "url": "<.*>",
      "methods": ["GET"]
    },
    "authenticators": [
      {
        "handler": "anonymous"
      }
    ],
    "authorizer": {
      "handler": "deny"
    },
...
and then the 2nd rule
Copy code
"match": {
      "url": "<http://foo/bar>",
      "methods": ["GET"]
    },
    "authenticators": [
      {
        "handler": "anonymous"
      }
    ],
    "authorizer": {
      "handler": "allow"
    },
Because of the above, the URL 
<http://foo/bar>
matches both rules, resulting in the error. We're using Istio with Oauthkeeper, and filter all requests via EnvoyFilter. Because of this we encounter 
Requested url does not match any rules
if we don't have a rule for that URL, and I'm trying to avoid having to create rules for every single endpoint for a service, or having to explicitly filter each endpoint on Envoy
d
Hello. Unfortunately there’s no way to have more than 1 rule for URL
t
Thanks Andrew! We'll work something out
Off the back of this @User Is it possible to have a global catch all rule at all to avoid the 
Requested url does not match any rules
error? Alternatively, is there a way to customise that error to something more end user friendly?
d
🙌 1
I think that to have a default rule for any unmatched routes would be a great feature request for oathkeeper. You can check Lessons learned &amp; ORY Oathkeeper NextGen issue for better understanding of future releases Feel free to open issue or add a comment about possible solution for your case
t
Thanks, that's really useful! I'll follow up with a feature request, something we discussed internally was a behaviour similar to AlertManager rules, with a 
continue:
label. When a rule is matched, if 
continue: true
it'll continue to evaluate the other rules to see if there is another match later down the chain. This probably wouldn't work in reality with oathkeeper as it'll need to have an awareness of rule ordering to work properly.
7 Views
Open in Slack
PreviousNext
Powered by