# opal
  • s

    Savin Cristi

    06/11/2025, 9:03 PM
    Hello. I am trying to add an external data source, in which I store the attributes for the policies defined at the moment in permit.io ui. I run the permit pdp in a local docker container. The pdp will connect to the permit cloud for the configurations. The cloud then becomes the authority. I have another app in the same network that reads from the external data source. Adding OPAL_CLIENT_DATA_SOURCES_CONFIG_SOURCES_0_URL and other attributes in the docker.yml is not effective, the variables will be ignored and pdp will only read from the cloud. Is it possible a configuration for my local pdp to read from my endpoint, and still be connected to cloud?
  • s

    Savin Cristi

    06/11/2025, 10:50 PM
    Is there a way, or path with the OPAL API, to tell Permit.io's cloud that the pdp should poll new configurations from an external data source? And this can work along fetching it on boot or polling interval.
  • s

    Savin Cristi

    06/12/2025, 8:57 PM
    Hello again 🙂. If I may, I have another question. My opal scope configuration is the following:
    ```
    "config": {
      "method": "get",
      "headers": {
        "Accept": "application/json"
      },
      "fetch_on_boot": true,
      "polling_interval_sec": 60
    },
    "topics": [
    ```
    Still, the polling interval is not working, it will only fetch on boot. Am I missing something?
  • s

    Savin Cristi

    06/17/2025, 8:00 AM
    Hello. I have the following case. I want to be able to sync my users with permit.io cloud, so they are known for the permit.check, but I want to do it without any attributes. Attributes are stored in an external data source and fed to the local pdp OPA instance. If I define an ABAC policy in permit.io UI which checks for the attributes I have, it will fail. This is because I presume policies defined in permit.io cloud are not checking my attributes path, after the pdp syncs with the cloud. Is there a way around that, or if I am to follow this path I have to build a custom policy that will take into consideration my attributes and push it to permit.io cloud?
  • k

    KSM

    06/17/2025, 5:36 PM
    Running latest opal version (0.8.0) and started getting intermittent `Failed to notify subscriber` errors (with stack trace) when the opal-server was trying to update the opal-client (which was to trigger the opal-client to pull data from external source). A restart of the opal-server seems to have fixed the issue for the time being. Also didn't see this error while running previous version (0.7.16). Nothing about our architecture has changed except the opal version. Any ideas on what condition(s) could cause this?
  • h

    Harshit Parikh

    06/18/2025, 9:41 AM
    Whenever I sync my repo via S3, my dynamic data goes missing. None of the data paths overlap. Does it overwrite? What could be happening?
  • d

    Dai Zhang

    06/23/2025, 5:22 PM
    hi, i wonder which version fixed this issue https://github.com/permitio/opal/issues/360 i am using opal 0.7.6/0.7.16 and bitbucket 8.19.11, and still face `400` and `{"detail": "repo url or full name not found in payload!"}` error. how could i do that, thanks a lot!
  • d

    Dai Zhang

    06/24/2025, 3:34 AM
    opal-client 0.7.16 raise error like `ModuleNotFoundError: No module named 'opal_common.monitoring.tracing_utils'`, what should i do to fix
  • d

    Dai Zhang

    06/24/2025, 3:37 AM
    i wonder to know the aim and cases for enabling this feature https://github.com/permitio/opal/pull/657 does it mean we should let opa to take over the tls instead of using a nginx / ingress. great thanks!
  • o

    Or Weis

    06/25/2025, 12:55 PM
    set the channel topic: Questions about the OSS project OPAL.ac
  • k

    Krishna Prasad A

    06/26/2025, 10:53 AM
    Hi team, I'm new to OPAL and trying to get a simple setup running using Docker Compose to load some external data into OPA. My goal is just to fetch a static JSON file from a public URL (like jsonbin.io) and load it into my OPA agent's data tree, so my policies can use it. I'm using the standard Docker Compose setup for OPAL. I tried configuring the `OPAL_DATA_CONFIG_SOURCES` environment variable like this in my `docker-compose.yml`:
    ```
    OPAL_DATA_CONFIG_SOURCES={"external_source_url":"https://api.jsonbin.io/v3/b/685ce5fd8960c979a5b1a42b?meta=false"}
    ```
    But when I check the logs, I see a warning: "Serving default all-data route, meaning DATA_CONFIG_SOURCES was not configured!", and the data doesn't seem to be loaded at the path I expect (e.g., `v1/data/rbac` is empty when I curl it). I'm a bit confused about the different ways to configure data sources. For just fetching a simple, static JSON file from a URL like this, am I using the right approach with `external_source_url`? Or is there a simpler or different configuration format I should be using for this basic case? Any pointers or examples for loading a simple JSON file from a URL into OPA via OPAL would be super helpful for a beginner! Thanks a lot!
  • k

    Kirk Daries

    07/07/2025, 3:11 PM
    Hey Folks, I'm currently exploring a small POC with OPAL and Cedar. Am I correct in saying.. that right now... OPAL does not push policy updates to the cedar agent? I have this currently working with OPAL and the OPA Agent.. and expected the same behavior to work with the cedar integration. I'm hoping that it's simply a problem with my local setup but would like confirmation if possible?
  • s

    Shoham Yamin

    07/09/2025, 7:54 AM
    How can I make opa save the data that I get from an api as a persistent storage in an empty for volume as my data is 10gb of json
  • k

    Kirk Daries

    07/09/2025, 1:55 PM
    Hey Folks, I should have posted here but i went ahead and logged this in the mean time. https://github.com/permitio/opal/issues/804 I assumed this was working and based my work on it.. but the listed compose file is not working for me. Can anyone link me to a simple OPAL + Cedar compose / integration i can check out and review locally?
  • d

    David Hamilton

    07/11/2025, 6:07 PM
    Hello, does opal support reactive web servers for retrieving data? I have an API that returns a list of "widgets" but it's a big dataset and it takes some time. Rather than get timeouts, I'm curious if opal can support a reactive endpoint that would begin providing widgets immediately rather than the whole collection at once
  • v

    Vaibhav Yadav

    07/11/2025, 8:03 PM
    Is there any solution or workaround for the following scenario? When an opal client restarts, it creates a fresh connection with the OPAL server, but the OPAL server somehow still has the connection with the older client as well, hence creating a ghost client.
  • t

    Thilak Reddy

    07/17/2025, 10:23 AM
    hi team, is there any correlation between the number of connections a OPAL server can handle vs the resources allocated for the server? I am seeing connection disconnects between the server and some clients recently very randomly during new deployments of clients Edit: we don't use a backbone as we only have around 10 clients, and hence have a single service instance The number of clients didn't increase, but i am seeing this issue only recently after the server has been re deployed after a long time onto a new node on k8s We have set `uvicornWorkers: 1` as we don't have a backbone setup
  • m

    Mathieu Viau

    07/21/2025, 3:22 PM
    Good morning, anyone got any luck with setting up OPAL server with git ssh with a key that has a passphrase?
  • h

    Harshit Parikh

    07/25/2025, 3:45 PM
    My OPA update failed, the diff had two files. File A was the utils file where one function was removed and another one added, File B was the main file which was calling the utils function. File B was loaded first and it said can't find both, how do I fix it?
  • p

    Prasenjit Roy

    07/27/2025, 6:23 PM
    In opal client, is it possible to download a specific commit of the repo? The instantaneous push from main branch is good but risky. We would like the customer teams to deploy specific commits instead.
  • p

    Prasenjit Roy

    07/29/2025, 2:07 PM
    What is the difference between client, datasource and listener peer type when generating access token
  • k

    Kirk Daries

    07/31/2025, 12:46 PM
    Hey folks, For the opal - cedar integration, i can see json on the /data and /policies end points. However, /schema is empty. Is this perhaps by design? are there plans to push schema changes, similar to what you do with policies and data to the cedar agent?
  • a

    Alonahmias

    07/31/2025, 3:56 PM
    When will opal's opa client be updated to version 1+?
  • k

    Kirk Daries

    07/31/2025, 5:55 PM
    Hey Folks, I appear to have stumbled upon an OPAL - Cedar bug. If a policy file contains more than one rule, the publishing of rules from OPAL to the cedar agent does not complete. Logs don't show any errors and it just fails silently. You can replicate the problem by doing the following:
    Launch the cedar integration compose file: https://github.com/permitio/opal/blob/master/docker/docker-compose-example-cedar.yml as per the tutorial: https://docs.opal.ac/tutorials/cedar/
    Confirm data is present at: http://localhost:8180/v1/policies (cedar agent)
    Confirm data is present at: http://localhost:7002/policy (opal server)
    now... modify the example file to have more than one rule. i.e. https://github.com/permitio/opal-example-policy-repo/blob/master/policy.cedar
    Update the file to have another rule:
    ```
    permit(
        principal in Role::"Editor",
        action in [
            Action::"document:read",
            Action::"document:write",
            Action::"document:delete"
        ],
        resource in ResourceType::"document"
    );

    permit(
        principal in Role::"LimitedEditor",
        action in [
            Action::"document:read",
            Action::"document:write",
        ],
        resource in ResourceType::"document"
    );
    ```
    Start up the stack. You'll notice the cedar agent returns empty: http://localhost:8180/v1/policies (cedar agent)
    Confirm data is present at: http://localhost:7002/policy (opal server)
  • s

    Sourabh Krishna

    08/01/2025, 1:03 AM
    Hey all, new here looking to explore permit… is there any documentation or comparison studies of setting up OPAL with OPA agent vs a cedar agent and how can I set up my local PDP to use cedar vs OPA. Trying to understand what scenarios and use cases demand which type of agent for scale and consistency wrt decisions.
  • d

    Dai Zhang

    08/03/2025, 7:03 AM
    several confusions about the Fetcher-for-Postgres. I found the opal-client could trigger data update using command like:
    ```
    opal-client publish-data-update $token --src-url http://mybillingserver.com/users --src-config '{"headers":{"authorization":"bearer secret-token"}}'
    ```
    it only needs a single field named `src-url` to determine which datasource should be updated.
    1. however, when using postgres table as datasource, this url would like to be `"url": "postgresql://postgres@example_db:5432/postgres"`. Does that mean I need to put each data source into different database, in a way like `1 table in 1 database` mode? It sounds weird.
    2. I checked another option to trigger data update, i.e. using OPAL Server REST API. However, this method seems to be wrong when only putting `url` in request payload like `curl ... --header 'Content-Type: application/json' -d '{"entries":[{"url":"postgresql://postgres@example_db:5432/postgres"}]}'`. The opal server won't fill the blanks of other field but remain them as empty which cause opal-client failed to fetch data.
    3. then i know maybe I should put the whole datasource config entry into the payload. it sounds weird too. Does that mean I should hard-code all the datasource configuration into my client. Is there some `id` or other workflow, e.g. I first go somewhere to get the full datasource configure then post the data update. Really confusing, thanks a lot!
  • d

    Dai Zhang

    08/04/2025, 3:56 PM
    after switching to opal v0.8.3, opal will pop error like `2025-08-04T15:45:25.978352+0000 | ddtrace.internal.writer.writer          |ERROR  | failed to send, dropping 1 traces to intake at http://localhost:8126/v0.5/traces after 3 retries`
  • j

    Jack Muller

    08/18/2025, 8:22 PM
    Hello, I'm currently using Permit.io for my cloud-based SaaS product. We're currently talking with a customer who would require an on-premise solution. I'm wondering how common it is to support both Permit hosted for our cloud product and then setting up an OPAL based solution for our on-premise product. Does anyone have a similar setup?
  • u

    김수현

    09/07/2025, 6:09 AM
    Hello, OPAL Team, My name is soohyun, and I am a student studying cybersecurity in South Korea. I have discovered two security vulnerabilities in the OPAL open-source project and have prepared a report. I could not find any specific instructions for reporting vulnerabilities in the security tab of the GitHub repository. Could you please let me know the proper channel or contact person for submitting my findings? Thank you for your time and for your great work on OPAL. Best regards, soohyun.