# opal
  • t

    Thomas Sidebottom

    04/01/2025, 3:09 PM
    Good morning (maybe). I need to pick the brain of someone about some vulnerabilities that were detected for OPAL Server version 0.7.16 by Twistlock. I have gone through the vulnerabilities and believe I have found the reasons for why the vulnerable package versions are used. I just need someone from Permit to sanity check my reasoning (and correct anything that isn't above board).
  • m

    Martin Dulák

    04/10/2025, 6:30 AM
    Hello permit, I'd like to modify how PDP (and OPAL) logs messages. Specifically, I need the messages to be in JSON format for GCP Logging to process them correctly. I have set `OPAL_LOG_SERIALIZE` to `true` which turned on the JSON format but it's not in the format I need it to be. GCP requires for `severity` to be a top level field, named like that, whereas OPAL includes it as `record.level.name`. Please, is there any way how to change the format of the log messages? I have found `LOG_FORMAT` property, but no description on how to configure it: https://docs.opal.ac/getting-started/configuration Thank you in advance! 🙂
  • l

    Liudvikas Paukštė

    04/10/2025, 6:14 PM
    Question about OPAL server scaling. Uvicorn workers vs separate instances? What are the pros and cons of each?
  • v

    vijay

    04/14/2025, 11:09 AM
    Hello, I am trying to use envoy filter with opal client. I want to use the Inline OPA. This is what I did. Modified the opal-client image to use OPA-envoy image. Now for the inline OPA config, I am using the below config file.
        apiVersion: v1
        Kind: configmap
        data:
          config.yaml : |
            plugins:
              envoy_ext_authz_grpc:
                addr : 9191
                path: istio/authz/allow
    In client deployment, volume mounted the configmap and used OPAL_INLINE_OPA_CONFIG: {config_file:"/opal/config/config.yaml"} The GRPC is not getting registered. Is this something anyone has tried and is achievable or using standalone opal-client and opa as a separate service the only option? I want to run opal-client as sidecar. want to avoid adding another OPA sidecar.
  • b

    BIplab

    04/18/2025, 5:58 AM
    Does OPAL provide a connector to fetch data from Hazelcast or any other similar cache.
  • r

    Rupesh Shanmugalingam

    04/19/2025, 6:37 PM
    Hello
  • s

    Soumith

    04/29/2025, 11:53 AM
    Hi, is it possible to use git-remote-gcrypt or similar tools along with opal server to fetch policies from an encrypted git repo? I have tried with git remote gcrypt but it was not working. For context, git-remote-gcrypt is a remote helper for git which encrypts the repo before sending out a commit. For fetching it, a prefix "gcrypt::" needs to be added to the git url. When passing that url with the prefix to opal server, it is giving the error "cannot clone policy repo: The `gcrypt::` protocol looks suspicious, use `allow_unsafe_protocols=True` to allow it." which seems to come from the repo.clone_from() function in the git python package used in the project (link to the line). Are there any plans to add compatibility to such tools in opal? Thanks!
  • s

    Soumith

    05/05/2025, 12:22 PM
    Hi, is there any other alternative way to get policy into OPA other than through git repo and the bundle api? OPA has support for OCI images pulled from supported registries (link to docs) . Policies can be built into OCI compatible images using this tool. For now I am using OPAL_INLINE_OPA_CONFIG to set the config of the inline OPA instance to fetch from an OCI repository. Doing this, I am bypassing the OPAL server and client. So I was curious if there are any other ways.
  • h

    Harshit Parikh

    05/06/2025, 12:27 PM
    I'm getting tarsafeexception when using opa build to build the tar gzip
    opal_common.security.tarsafe.TarSafeException: Attempted directory traversal for member: /data.json
  • a

    Adel Ati

    05/07/2025, 1:50 PM
    Hey folks, is there any plan to support OCI registries as a policy source similar to what has been done on OPA side?
  • s

    Soumith

    05/20/2025, 4:36 PM
    How is the data in the OPA cache kept fresh? We have a database with the policy parameters for evaluating a policy. We want to have multiple OPAL clients for a multi tenant setup. Data is pulled with the postgres fetch provider from a postgres database. If the policy parameters are modified, that data should be reflected in the OPA cache. How can this be done? There is the option of periodic polling but there would be a delay in updating the cache and the queries are run frequently even in case of no updates. Updates can be triggered on OPAL server or client but then additional logic should be there to determine which OPAL clients should be triggered for an update. There is the PATCH save method but it is critical to ensure parity with data in the database. How is this supposed to be handled in OPAL? Are there any methods/tools used for this? How is it handled by you guys? Sorry for the long query 😅 Thanks in advance!
  • c

    Charlotte Brady

    05/27/2025, 10:37 AM
    Hey opal 👋 I have a question relating to the OPA healthcheck policy (namely the `/ready` endpoint) - we are currently using this endpoint in our system. We load in data from 6 different sources - some of which return heavy responses and can take a while to complete. We don't want our containers to register as ‘ready’ until all 6 sources have been successfully fetched and stored in OPA. Our issue seems to come with the or statement captured in the screenshot from the docs (attached). It seems that the current `/ready` behaviour means regardless of the initial data sources load, as long as there is a successful data-update the system will register as ‘ready’. The docs indicate this behaviour is going to change in upcoming versions… Do you have any plans in place for this / when might we expect this update to happen? Thanks! permit
  • s

    Sumesh Sukumaran

    06/06/2025, 4:06 AM
    Hi opal, I can see that the documentation mentions the Broadcaster component is in alpha. Could you please confirm if that’s still the case? We’re planning to use it in our production applications. https://github.com/encode/broadcaster
  • a

    Alonahmias

    06/08/2025, 8:27 AM
    hey guys, we are using opal, and we have a use case in which we have a lot of data that needs to be imported to opal, and it may be too heavy for us, is there an option to manage deltas? or if not, the idea I thought about is if there is an option to make an http request from my rego code, and save it to the bundled data, with an expire date.
  • a

    Alonahmias

    06/10/2025, 3:07 PM
    Any updates on when opal will have opa v1?
  • s

    Soumith

    06/11/2025, 12:51 PM
    Hey, I looked into the helm charts for opal, looks like there are options for the server and client to have replicas but the same is not there for the pgsql broadcast channel. as the broadcast channel is critical for updates, I was able to setup replicas with rr balancing in the docker compose file. I was wondering if there is any way to have replicas for it in the helm charts
  • s

    Savin Cristi

    06/11/2025, 1:21 PM
    Hello Everyone. A question which might be obvious, yet I don't see it 🙂. How can I check from permit.io UI the updates I send to OPA server?
  • s

    Savin Cristi

    06/11/2025, 9:03 PM
    Hello. I am trying to add an external data source, in which I store the attributes for the policies defined at the moment in permit.io ui. I run the permit pdp in a local docker container. The pdp will connect to the permit cloud for the configurations. The cloud then becomes the authority. I have another app in the same network that reads from the external data source. Adding OPAL_CLIENT_DATA_SOURCES_CONFIG_SOURCES_0_URL and other attributes in the docker.yml is not effective, the variables will be ignored and pdp will only read from the cloud. Is it possible a configuration for my local pdp to read from my endpoint, and still be connected to cloud?
  • s

    Savin Cristi

    06/11/2025, 10:50 PM
    Is there a way, or path with the OPAL API, to tell Permit.io's cloud that the pdp should poll new configurations from an external data source? And this can work along fetching it on boot or polling interval.
  • s

    Savin Cristi

    06/12/2025, 8:57 PM
    Hello again 🙂. If I may, I have another question. My opal scope configuration is the following:
    "config": {
              "method": "get",
              "headers": {
                "Accept": "application/json"
              },
              "fetch_on_boot": true,
              "polling_interval_sec": 60
            },
            "topics": [
    Still, the polling interval is not working, it will only fetch on boot. Am I missing something?
  • s

    Savin Cristi

    06/17/2025, 8:00 AM
    Hello. I have the following case. I want to be able to sync my users with permit.io cloud, so they are known for the permit.check, but I want to do it without any attributes. Attributes are stored in an external data source and fed to the local pdp OPA instance. If I define an ABAC policy in permit.io UI which checks for the attributes I have, it will fail. This is because I presume policies defined in permit.io cloud are not checking my attributes path, after the pdp syncs with the cloud. Is there a way around that, or if I am to follow this path I have to build a custom policy that will take into consideration my attributes and push it to permit.io cloud?
  • k

    KSM

    06/17/2025, 5:36 PM
    Running latest opal version (0.8.0) and started getting intermittent `Failed to notify subscriber` errors (with stack trace) when the opal-server was trying to update the opal-client (which was to trigger the opal-client to pull data from external source). A restart of the opal-server seems to have fixed the issue for the time being. Also didn't see this error while running previous version (0.7.16). Nothing about our architecture has changed except the opal version. Any ideas on what condition(s) could cause this?
  • h

    Harshit Parikh

    06/18/2025, 9:41 AM
    Whenever I sync my repo via S3, my dynamic data goes missing. None of the data paths overlap, does it overwrite? What could be happening?
  • d

    Dai Zhang

    06/23/2025, 5:22 PM
    hi, i wonder which version fixed this issue https://github.com/permitio/opal/issues/360 i am using opal 0.7.6/0.7.16 and bitbucket 8.19.11, and still face `400` and `{"detail": "repo url or full name not found in payload!"}` error. how could i do that, thanks a lot!
  • d

    Dai Zhang

    06/24/2025, 3:34 AM
    opal-client 0.7.16 raise error like `ModuleNotFoundError: No module named 'opal_common.monitoring.tracing_utils'`, what should i do to fix
  • d

    Dai Zhang

    06/24/2025, 3:37 AM
    i wonder to know the aim and cases for enabling this feature https://github.com/permitio/opal/pull/657 does it mean we should let opa to take over the tls instead of using a nginx / ingress. great thanks!
  • o

    Or Weis

    06/25/2025, 12:55 PM
    set the channel topic: Questions about the OSS project OPAL.ac
  • k

    Krishna Prasad A

    06/26/2025, 10:53 AM
    Hi team, I'm new to OPAL and trying to get a simple setup running using Docker Compose to load some external data into OPA. My goal is just to fetch a static JSON file from a public URL (like jsonbin.io) and load it into my OPA agent's data tree, so my policies can use it. I'm using the standard Docker Compose setup for OPAL. I tried configuring the `OPAL_DATA_CONFIG_SOURCES` environment variable like this in my `docker-compose.yml`:
    OPAL_DATA_CONFIG_SOURCES={"external_source_url":"https://api.jsonbin.io/v3/b/685ce5fd8960c979a5b1a42b?meta=false"}
    But when I check the logs, I see a warning: "Serving default all-data route, meaning DATA_CONFIG_SOURCES was not configured!", and the data doesn't seem to be loaded at the path I expect (e.g., `v1/data/rbac` is empty when I curl it). I'm a bit confused about the different ways to configure data sources. For just fetching a simple, static JSON file from a URL like this, am I using the right approach with `external_source_url`? Or is there a simpler or different configuration format I should be using for this basic case? Any pointers or examples for loading a simple JSON file from a URL into OPA via OPAL would be super helpful for a beginner! Thanks a lot!