This message was deleted.

This message was deleted.

Good morning (maybe). I need to pick the brain of someone about some vulnerabilities that were detected for OPAL Server version 0.7.16 by Twistlock. I have gone through the vulnerabilities and believe I have found the reasons for why the vulnerable package versions are used. I just need someone from Permit to sanity check my reasoning (and correct anything that isn't above board).

Hello permit, I'd like to modify how PDP (and OPAL) logs messages. Specifically, I need the messages to be in JSON format for GCP Logging to process them correctly. I have set

OPAL_LOG_SERIALIZE

to

true

which turned on the JSON format but it's not in the format I need it to be. GCP requires for

severity

to be a top level field, named like that, whereas OPAL includes it as

record.level.name

. Please, is there any way how to change the format of the log messages? I have found

LOG_FORMAT

property, but no description on how to configure it: https://docs.opal.ac/getting-started/configuration Thank you in advance! 🙂

Question about OPAL server scaling. Uvicorn workers vs separate instances? What are the pros and cons of each?

Hello, I am trying to use envoy filter with opal client. I want use the Inline OPA. This is what I did. Modified the Opla-client image to use OPA-envoy image. Now for the inline OPA config, I am using the below config file. apiVersion: v1 Kind: configmap data: config.yaml : | plugins: envoy_ext_authz_grpc: addr : 9191 path: istio/authz/allow In client delpoyment, volume mounted the configmap and used OPAL_INLINE_OPA_CONFIG: {config_file:"/opal/config/config.yaml"} The GRPC is not getting registered. Is this something any one has tried and is achievable or using standalone opal-clinet and opa as a separate service the only option? I want to run opal-client as side car. want to avoid adding another OPA sidecar.

Does OPAL provide a connector to fetch data from Hazelcast or any other similar cache.

Hello

Hi, is it possible to use git-remote-gcrypt or similar tools along with opal server to fetch policies from an encrypted git repo? I have tried with git remote gcrypt but it was not working. For context, git-remote-gcrypt is a remote helper for git which encrypts the repo before sending out a commit. For fetching it, a prefix "gcrypt::" needs to be added to the git url. When passing that url with the prefix to opal server, it is giving the error "cannot clone policy repo: The

gcrypt::

protocol looks suspicious, use

allow_unsafe_protocols=True

to allow it." which seems to come from the repo.clone_from() function in the git python package used in the project (link to the line). Are there any plans to add compatibility to such tools in opal? Thanks!

Hi, is there any other alternative way to get policy into OPA other than through git repo and the bundle api? OPA has support for OCI images pulled from supported registries (link to docs) . Policies can be built into OCI compatible images using this tool. For now I am using OPAL_INLINE_OPA_CONFIG to set the config of the inline OPA instance to fetch from an OCI repository. Doing this, I am bypassing the OPAL server and client. So I was curious if there are any other ways.

I'm getting tarsafeexception when using opa build to build the tar gzip

opal_common.security.tarsafe.TarSafeException: Attempted directory traversal for member: /data.json

Hey folks, is there any plan to support OCI registries as a policy source similar to what have been done on OPA side?

How is the data in the OPA cache kept fresh? We have a database with the policy parameters for evaluating a policy. We want to have multiple OPAL clients for a multi tenant setup. Data is pulled with the postgres fetch provider from a postgres database. If the policy parameters are modified, that data should be reflected in the OPA cache. How can this be done? There is the option of periodic polling but there would be a delay in updating the cache and the queries are ran frequently even in case of no updates. Updates can be triggered on OPAL server or client but then additional logic should be there to determine which OPAL clients should be triggered for an update. There is the PATCH save method but it is critical to ensure parity with data in the database. How is this supposed to be handled in OPAL? Is there any methods/tools used for this? How is it handled by you guys? Sorry for the long query 😅 Thanks in advance!

Hey opal 👋 I have a question relating to the OPA healthcheck policy (namely the

/ready

endpoint) - we are currently using this endpoint in our system. We load in data from 6 different sources - some of which return heavy responses and can take a while to complete. We dont want our containers to register as ‘ready’ until all 6 sources have been successfully fetched and stored in OPA. Our issue seems to come with the or statement captured in the screenshot from the docs (attached). It seems that the current

/ready

behaviour means regardless of the initial data sources load, as long as there is a successful data-update the system will register as ‘ready’. The docs indicate this behaviour is going to change in upcoming versions… Do you have any plans in place for this / when might we expect this update to happen? Thanks! permit

Hi opal, I can see that the documentation mentions the Broadcaster component is in alpha. Could you please confirm if that’s still the case? We’re planning to use it in our production applications. https://github.com/encode/broadcaster

hey guys, we are using opal, and we have a use case in which we have alot of data that needs to be imported to opal, and it maybe too heavy for us, is there an option to manage deltas? or if not, the idea i though about is if there is an option to make an http request from my rego code, and save it to the bundled data, with an expire date.

Any updates onto when opal will have opa v1?

Hey, I looked into the helm charts for opal, looks like there are options for the server and client to have replicas but the same is not there for the pgsql broadcast channel. as the broadcast channel is critical for updates, I was able to setup replicas with rr balancing in the docker compose file. I was wondering if there is any way to have replicas for it in the helm charts

Hello Everyone. A question which might be obvious, yet I don t see it 🙂. How can I check from permit.io UI the updates I send to OPA server?

Hello. I am trying to add an external data source, in which I store the attributes for the policies defined at the moment in permit.io ui. I run the permit pdp in a local docker container. The pdp will connect to the permit cloud for the configurations. The cloud becomes them the authority. I have another app in the same network that reads from the external data source. adding OPAL_CLIENT_DATA_SOURCES_CONFIG_SOURCES_0_URL and other attributes in the docker.yml is not effective, the variables will be ignored and pdp will only red from the cloud. Is it possible a configuration for my local pdp to read from my endpoint, and still be connected to cloud?

Is there a way, or path with the OPAL API, to tell Permit.io's cloud that the pdp should poll new configurations from an external data source? And this can work along fetching it on boot or polling interval.

Hello again 🙂. If I may, I have another question. My opal scope configuration is the following:

"config": {
          "method": "get",
          "headers": {
            "Accept": "application/json"
          },
          "fetch_on_boot": true,
          "polling_interval_sec": 60
        },
        "topics": [

Still, the polling interval is not working, it will only fetch on boot. Am I missing something?

Hello. I have the following case. I want to be able to sync my users with permit.io cloud, so they are known for the permit.check, but I want to do it without any attributes. Attributes are stored in an external data source and fed to the local pdp OPA instance. If I define an ABAC policy in permit.io UI which checks for the attributes I have, it will fail. This is because I presume policies defined in permit.io cloud are not checking my attributes path, after the pdp syncs with the cloud. Is there a way around that, or if I am to follow this path I have to build a custom policy that will take into consideration my attributes and push it to permit.io cloud?

Running latest opal version (0.8.0) and started getting intermittent "`Failed to notify subscriber` errors (with stack trace) when the opal-server was trying to update the opal-client (which was to trigger the opal-client to pull data from external source). A restart of the opal-server seems to have fixed the issue for the time being. Also didn't this error while running previous version (0.7.16). Nothing about our architecture has changed except the opal version. Any ideas on what condition(s) could cause this?

Whenever I sync my repo via S3, my dynamic data goes missing. None of the data paths overlap, does it overwrite What could be happening

hi, i wonder which version fixed this issue https://github.com/permitio/opal/issues/360 i am using opal 0.7.6/0.7.16 and bitbucket 8.19.11, and still face

400

and

{"detail": "repo url or full name not found in payload!"}

error. how could i do that, thanks a lot!

opal-client 0.7.16 raise error like

ModuleNotFoundError: No module named 'opal_common.monitoring.tracing_utils'

, what should i do to fix

i wonder to know the aim and cases for enabling this feature https://github.com/permitio/opal/pull/657 does it mean we should let opa to take over the tls instead of using a nginx / ingress. great thanks!

set the channel topic: Questions about the OSS project OPAL.ac

Hi team, I'm new to OPAL and trying to get a simple setup running using Docker Compose to load some external data into OPA. My goal is just to fetch a static JSON file from a public URL (like jsonbin.io) and load it into my OPA agent's data tree, so my policies can use it. I'm using the standard Docker Compose setup for OPAL. I tried configuring the

OPAL_DATA_CONFIG_SOURCES

environment variable like this in my `docker-compose.yml`:

OPAL_DATA_CONFIG_SOURCES={"external_source_url":"<https://api.jsonbin.io/v3/b/685ce5fd8960c979a5b1a42b?meta=false>"}

But when I check the logs, I see a warning:

"Serving default all-data route, meaning DATA_CONFIG_SOURCES was not configured!"

, and the data doesn't seem to be loaded at the path I expect (e.g.,

v1/data/rbac

is empty when I curl it). I'm a bit confused about the different ways to configure data sources. For just fetching a simple, static JSON file from a URL like this, am I using the right approach with

external_source_url

? Or is there a simpler or different configuration format I should be using for this basic case? Any pointers or examples for loading a simple JSON file from a URL into OPA via OPAL would be super helpful for a beginner! Thanks a lot!