Hello. I am trying to add an external data source, in which I store the attributes for the policies defined at the moment in permit.io ui. I run the permit pdp in a local docker container. The pdp will connect to the permit cloud for the configurations. The cloud becomes them the authority. I have another app in the same network that reads from the external data source. adding OPAL_CLIENT_DATA_SOURCES_CONFIG_SOURCES_0_URL and other attributes in the docker.yml is not effective, the variables will be ignored and pdp will only red from the cloud. Is it possible a configuration for my local pdp to read from my endpoint, and still be connected to cloud?

Is there a way, or path with the OPAL API, to tell Permit.io's cloud that the pdp should poll new configurations from an external data source? And this can work along fetching it on boot or polling interval.

Hello again 🙂. If I may, I have another question. My opal scope configuration is the following:

"config": {
          "method": "get",
          "headers": {
            "Accept": "application/json"
          },
          "fetch_on_boot": true,
          "polling_interval_sec": 60
        },
        "topics": [

Still, the polling interval is not working, it will only fetch on boot. Am I missing something?

Hello. I have the following case. I want to be able to sync my users with permit.io cloud, so they are known for the permit.check, but I want to do it without any attributes. Attributes are stored in an external data source and fed to the local pdp OPA instance. If I define an ABAC policy in permit.io UI which checks for the attributes I have, it will fail. This is because I presume policies defined in permit.io cloud are not checking my attributes path, after the pdp syncs with the cloud. Is there a way around that, or if I am to follow this path I have to build a custom policy that will take into consideration my attributes and push it to permit.io cloud?

Running latest opal version (0.8.0) and started getting intermittent "`Failed to notify subscriber` errors (with stack trace) when the opal-server was trying to update the opal-client (which was to trigger the opal-client to pull data from external source). A restart of the opal-server seems to have fixed the issue for the time being. Also didn't this error while running previous version (0.7.16). Nothing about our architecture has changed except the opal version. Any ideas on what condition(s) could cause this?

Whenever I sync my repo via S3, my dynamic data goes missing. None of the data paths overlap, does it overwrite What could be happening

hi, i wonder which version fixed this issue https://github.com/permitio/opal/issues/360 i am using opal 0.7.6/0.7.16 and bitbucket 8.19.11, and still face

400

and

{"detail": "repo url or full name not found in payload!"}

error. how could i do that, thanks a lot!

opal-client 0.7.16 raise error like

ModuleNotFoundError: No module named 'opal_common.monitoring.tracing_utils'

, what should i do to fix

i wonder to know the aim and cases for enabling this feature https://github.com/permitio/opal/pull/657 does it mean we should let opa to take over the tls instead of using a nginx / ingress. great thanks!

set the channel topic: Questions about the OSS project OPAL.ac

Hi team, I'm new to OPAL and trying to get a simple setup running using Docker Compose to load some external data into OPA. My goal is just to fetch a static JSON file from a public URL (like jsonbin.io) and load it into my OPA agent's data tree, so my policies can use it. I'm using the standard Docker Compose setup for OPAL. I tried configuring the

OPAL_DATA_CONFIG_SOURCES

environment variable like this in my `docker-compose.yml`:

OPAL_DATA_CONFIG_SOURCES={"external_source_url":"<https://api.jsonbin.io/v3/b/685ce5fd8960c979a5b1a42b?meta=false>"}

But when I check the logs, I see a warning:

"Serving default all-data route, meaning DATA_CONFIG_SOURCES was not configured!"

, and the data doesn't seem to be loaded at the path I expect (e.g.,

v1/data/rbac

is empty when I curl it). I'm a bit confused about the different ways to configure data sources. For just fetching a simple, static JSON file from a URL like this, am I using the right approach with

external_source_url

? Or is there a simpler or different configuration format I should be using for this basic case? Any pointers or examples for loading a simple JSON file from a URL into OPA via OPAL would be super helpful for a beginner! Thanks a lot!

Hey Folks, I'm currently exploring a small POC with OPAL and Cedar Am i correct in saying.. that right now... OPAL does not push policy updates to the cedar agent? I have this currently working with OPAL and the OPA Agent.. and expected the same behavior to work with the cedar integration. I'm hoping that its simply a problem with my local setup but would like confirmation if possible?

How can I make opa save the data that I get from an api as a persistent storage in an empty for volume as my data is 10gb of json

Hey Folks, I should have posted here but i went ahead and logged this in the mean time. https://github.com/permitio/opal/issues/804 I assumed this was working and based my work on it.. but the listed compose file is not working for me. Can anyone link me to a simple OPAL + Cedar compose / integration i can check out and review locally?

Hello, does opal support reactive web servers for retrieving data? I have an API that returns a list of "widgets" but it's a big dataset and it takes some time. Rather than get timeouts, I'm curious if opal can support a reactive endpoint that would begin providing widgets immediately rather than the whole collection at once

Is there any solution or workaround for the following scenario? When an opal client restarts, it creates a fresh connection with the OPAL server, but the OPAL server somehow still has the connection with the older client as well, hence creating a ghost client.

hi team, is there any correlation between the number of connections a OPAL server can handle vs the resources allocated for the server? I am seeing connection disconnects between the server and some clients recently very randomly during new deployments of clients Edit: we don’t use a backbone as we only have around 10 clients, and hence have a single service instance The number of clients didn’t increase, but i am seeing this issue only recently after the server has been re deployed after a long time onto a new node on k8s We have set

uvicornWorkers: 1

as we don’t have a backbone setup

Good morning, anyone got any luck with setting up OPAL server with git ssh with a key that has a passphrase?

@William Afonso has left the channel

My OPA update failed, the diff had two files. File A was the utils file where one function was removed and another one added, File B was the main file which was calling the utils function. File B was loaded first and it said can't find both, how do I fix it?

In opal client, is it possible to download a specific commit of the repo? The instantaneous push from main branch is good but risky. We would like the customer teams to deploy specific commits instead.

What is the difference between client, datasource and listener peer type when generating access token

Hey folks, For the opal - cedar integration, i can see json on the /data and /policies end points. However, /schema is empty. Is this perhaps by design? are there plans to push schema changes, similar to what you do with policies and data to the cedar agent?

When will opal's opa client will be updated to version 1+?

Hey Folks, I appear to have stumbled upon a OPAL - Cedar bug. If a policy file contains more than one rule, the publishing of rules from OPAL to the cedar agent does not complete. Logs don't show any errors and it just fails silently. You can replicate the problem by doing the following: Launch the cedar integration compose file: https://github.com/permitio/opal/blob/master/docker/docker-compose-example-cedar.yml as per the tutorial: https://docs.opal.ac/tutorials/cedar/ Confirm data is present at: http://localhost:8180/v1/policies (cedar agent) Confirm data is present at: http://localhost:7002/policy (opal server) now... modify the example file to have more than one rule. i.e. https://github.com/permitio/opal-example-policy-repo/blob/master/policy.cedar Update the file to have another rule:

permit(
    principal in Role::"Editor",
    action in [
        Action::"document:read",
        Action::"document:write",
        Action::"document:delete"
	],
    resource in ResourceType::"document"
);

permit(
    principal in Role::"LimitedEditor",
    action in [
        Action::"document:read",
        Action::"document:write",
	],
    resource in ResourceType::"document"
);

Start up the stack. You'll notice the cedar agent returns empty: http://localhost:8180/v1/policies (cedar agent) Confirm data is present at: http://localhost:7002/policy (opal server)

Hey all, new here looking to explore permit… are there are documentation or comparison studies of setting up OPAL with OPA agent vs a cedar agent and how can I set up my local PDP to use cedar vs OPA. Trying to understand what scenarios and use cases demands which type of agent for scale and consistency wrt decisions.

several confusions about the Fetcher-for-Postgres. I found the opal-client could trigger date update using command like:

opal-client publish-data-update $token --src-url <http://mybillingserver.com/users> --src-config '{"headers":{"authorization":"bearer secret-token"}}'

it only needs a single field named

src-url

to determine which datasource should be updates. 1. however, when using posgres table as datasource, this url would like to be

"url": "<postgresql://postgres@example_db:5432/postgres>"

. Does that means I need to put each data source into different database, in a way like

1 table in 1 database

mode? It sounds wired. 2. I checked another option to trigger data update. i.e. using OPAL Server REST API. However, this method seems to be wrong when only putting

url

in request payload like

curl ... --header 'Content-Type: application/json' -d '{"entries":[{"url":"<postgresql://postgres@example_db:5432/postgres>"}]}'

. The opal server won't fill the blanks of other field but remain them as empty which cause opal-client failed to fetch data. 3. then i know maybe I should put the whole datasource config entry into the payload. it sounds wired too. Does that mean I should hard-code all the datasouce configuration into my client. Is there some

id

or other workflow, e..g I first go somewhere to get the full datasource configure then post the data update. Really confusing, thanks a lot!

after switching to opal v0.8.3, opal will pop error like

2025-08-04T15:45:25.978352+0000 | ddtrace.internal.writer.writer          |ERROR  | failed to send, dropping 1 traces to intake at <http://localhost:8126/v0.5/traces> after 3 retries

Hello, I'm currently using Permit.io for my cloud-based SaaS product. We're currently talking with a customer who would require an on-premise solution. I'm wondering how common it is to support both Permit hosted for our cloud product and then setting up an OPAL based solution for our on-premise product. Does anyone have a similar setup?

Hello, OPAL Team, My name is soohyun, and I am a student studying cybersecurity in South Korea. I have discovered two security vulnerabilities in the OPAL open-source project and have prepared a report. I could not find any specific instructions for reporting vulnerabilities in the security tab of the GitHub repository. Could you please let me know the proper channel or contact person for submitting my findings? Thank you for your time and for your great work on OPAL. Best regards, soohyun.