Does OPAL provide a connector to fetch data from Hazelcast or any other similar cache.

Hello

Hi, is it possible to use git-remote-gcrypt or similar tools along with opal server to fetch policies from an encrypted git repo? I have tried with git remote gcrypt but it was not working. For context, git-remote-gcrypt is a remote helper for git which encrypts the repo before sending out a commit. For fetching it, a prefix "gcrypt::" needs to be added to the git url. When passing that url with the prefix to opal server, it is giving the error "cannot clone policy repo: The

gcrypt::

protocol looks suspicious, use

allow_unsafe_protocols=True

to allow it." which seems to come from the repo.clone_from() function in the git python package used in the project (link to the line). Are there any plans to add compatibility to such tools in opal? Thanks!

Hi, is there any other alternative way to get policy into OPA other than through git repo and the bundle api? OPA has support for OCI images pulled from supported registries (link to docs) . Policies can be built into OCI compatible images using this tool. For now I am using OPAL_INLINE_OPA_CONFIG to set the config of the inline OPA instance to fetch from an OCI repository. Doing this, I am bypassing the OPAL server and client. So I was curious if there are any other ways.

I'm getting tarsafeexception when using opa build to build the tar gzip

opal_common.security.tarsafe.TarSafeException: Attempted directory traversal for member: /data.json

Hey folks, is there any plan to support OCI registries as a policy source similar to what have been done on OPA side?

How is the data in the OPA cache kept fresh? We have a database with the policy parameters for evaluating a policy. We want to have multiple OPAL clients for a multi tenant setup. Data is pulled with the postgres fetch provider from a postgres database. If the policy parameters are modified, that data should be reflected in the OPA cache. How can this be done? There is the option of periodic polling but there would be a delay in updating the cache and the queries are ran frequently even in case of no updates. Updates can be triggered on OPAL server or client but then additional logic should be there to determine which OPAL clients should be triggered for an update. There is the PATCH save method but it is critical to ensure parity with data in the database. How is this supposed to be handled in OPAL? Is there any methods/tools used for this? How is it handled by you guys? Sorry for the long query 😅 Thanks in advance!

Hey opal 👋 I have a question relating to the OPA healthcheck policy (namely the

/ready

endpoint) - we are currently using this endpoint in our system. We load in data from 6 different sources - some of which return heavy responses and can take a while to complete. We dont want our containers to register as ‘ready’ until all 6 sources have been successfully fetched and stored in OPA. Our issue seems to come with the or statement captured in the screenshot from the docs (attached). It seems that the current

/ready

behaviour means regardless of the initial data sources load, as long as there is a successful data-update the system will register as ‘ready’. The docs indicate this behaviour is going to change in upcoming versions… Do you have any plans in place for this / when might we expect this update to happen? Thanks! permit

Hi opal, I can see that the documentation mentions the Broadcaster component is in alpha. Could you please confirm if that’s still the case? We’re planning to use it in our production applications. https://github.com/encode/broadcaster

hey guys, we are using opal, and we have a use case in which we have alot of data that needs to be imported to opal, and it maybe too heavy for us, is there an option to manage deltas? or if not, the idea i though about is if there is an option to make an http request from my rego code, and save it to the bundled data, with an expire date.

Any updates onto when opal will have opa v1?

Hey, I looked into the helm charts for opal, looks like there are options for the server and client to have replicas but the same is not there for the pgsql broadcast channel. as the broadcast channel is critical for updates, I was able to setup replicas with rr balancing in the docker compose file. I was wondering if there is any way to have replicas for it in the helm charts

Hello Everyone. A question which might be obvious, yet I don t see it 🙂. How can I check from permit.io UI the updates I send to OPA server?

Hello. I am trying to add an external data source, in which I store the attributes for the policies defined at the moment in permit.io ui. I run the permit pdp in a local docker container. The pdp will connect to the permit cloud for the configurations. The cloud becomes them the authority. I have another app in the same network that reads from the external data source. adding OPAL_CLIENT_DATA_SOURCES_CONFIG_SOURCES_0_URL and other attributes in the docker.yml is not effective, the variables will be ignored and pdp will only red from the cloud. Is it possible a configuration for my local pdp to read from my endpoint, and still be connected to cloud?

Is there a way, or path with the OPAL API, to tell Permit.io's cloud that the pdp should poll new configurations from an external data source? And this can work along fetching it on boot or polling interval.

Hello again 🙂. If I may, I have another question. My opal scope configuration is the following:

"config": {
          "method": "get",
          "headers": {
            "Accept": "application/json"
          },
          "fetch_on_boot": true,
          "polling_interval_sec": 60
        },
        "topics": [

Still, the polling interval is not working, it will only fetch on boot. Am I missing something?

Hello. I have the following case. I want to be able to sync my users with permit.io cloud, so they are known for the permit.check, but I want to do it without any attributes. Attributes are stored in an external data source and fed to the local pdp OPA instance. If I define an ABAC policy in permit.io UI which checks for the attributes I have, it will fail. This is because I presume policies defined in permit.io cloud are not checking my attributes path, after the pdp syncs with the cloud. Is there a way around that, or if I am to follow this path I have to build a custom policy that will take into consideration my attributes and push it to permit.io cloud?

Running latest opal version (0.8.0) and started getting intermittent "`Failed to notify subscriber` errors (with stack trace) when the opal-server was trying to update the opal-client (which was to trigger the opal-client to pull data from external source). A restart of the opal-server seems to have fixed the issue for the time being. Also didn't this error while running previous version (0.7.16). Nothing about our architecture has changed except the opal version. Any ideas on what condition(s) could cause this?

Whenever I sync my repo via S3, my dynamic data goes missing. None of the data paths overlap, does it overwrite What could be happening

hi, i wonder which version fixed this issue https://github.com/permitio/opal/issues/360 i am using opal 0.7.6/0.7.16 and bitbucket 8.19.11, and still face

400

and

{"detail": "repo url or full name not found in payload!"}

error. how could i do that, thanks a lot!

opal-client 0.7.16 raise error like

ModuleNotFoundError: No module named 'opal_common.monitoring.tracing_utils'

, what should i do to fix

i wonder to know the aim and cases for enabling this feature https://github.com/permitio/opal/pull/657 does it mean we should let opa to take over the tls instead of using a nginx / ingress. great thanks!

set the channel topic: Questions about the OSS project OPAL.ac

Hi team, I'm new to OPAL and trying to get a simple setup running using Docker Compose to load some external data into OPA. My goal is just to fetch a static JSON file from a public URL (like jsonbin.io) and load it into my OPA agent's data tree, so my policies can use it. I'm using the standard Docker Compose setup for OPAL. I tried configuring the

OPAL_DATA_CONFIG_SOURCES

environment variable like this in my `docker-compose.yml`:

OPAL_DATA_CONFIG_SOURCES={"external_source_url":"<https://api.jsonbin.io/v3/b/685ce5fd8960c979a5b1a42b?meta=false>"}

But when I check the logs, I see a warning:

"Serving default all-data route, meaning DATA_CONFIG_SOURCES was not configured!"

, and the data doesn't seem to be loaded at the path I expect (e.g.,

v1/data/rbac

is empty when I curl it). I'm a bit confused about the different ways to configure data sources. For just fetching a simple, static JSON file from a URL like this, am I using the right approach with

external_source_url

? Or is there a simpler or different configuration format I should be using for this basic case? Any pointers or examples for loading a simple JSON file from a URL into OPA via OPAL would be super helpful for a beginner! Thanks a lot!

Hey Folks, I'm currently exploring a small POC with OPAL and Cedar Am i correct in saying.. that right now... OPAL does not push policy updates to the cedar agent? I have this currently working with OPAL and the OPA Agent.. and expected the same behavior to work with the cedar integration. I'm hoping that its simply a problem with my local setup but would like confirmation if possible?

How can I make opa save the data that I get from an api as a persistent storage in an empty for volume as my data is 10gb of json

Hey Folks, I should have posted here but i went ahead and logged this in the mean time. https://github.com/permitio/opal/issues/804 I assumed this was working and based my work on it.. but the listed compose file is not working for me. Can anyone link me to a simple OPAL + Cedar compose / integration i can check out and review locally?

Hello, does opal support reactive web servers for retrieving data? I have an API that returns a list of "widgets" but it's a big dataset and it takes some time. Rather than get timeouts, I'm curious if opal can support a reactive endpoint that would begin providing widgets immediately rather than the whole collection at once

Is there any solution or workaround for the following scenario? When an opal client restarts, it creates a fresh connection with the OPAL server, but the OPAL server somehow still has the connection with the older client as well, hence creating a ghost client.

hi team, is there any correlation between the number of connections a OPAL server can handle vs the resources allocated for the server? I am seeing connection disconnects between the server and some clients recently very randomly during new deployments of clients Edit: we don’t use a backbone as we only have around 10 clients, and hence have a single service instance The number of clients didn’t increase, but i am seeing this issue only recently after the server has been re deployed after a long time onto a new node on k8s We have set

uvicornWorkers: 1

as we don’t have a backbone setup