What is the difference between client, datasource and listener peer type when generating access token

Hey folks, For the opal - cedar integration, i can see json on the /data and /policies end points. However, /schema is empty. Is this perhaps by design? are there plans to push schema changes, similar to what you do with policies and data to the cedar agent?

When will opal's opa client will be updated to version 1+?

Hey Folks, I appear to have stumbled upon a OPAL - Cedar bug. If a policy file contains more than one rule, the publishing of rules from OPAL to the cedar agent does not complete. Logs don't show any errors and it just fails silently. You can replicate the problem by doing the following: Launch the cedar integration compose file: https://github.com/permitio/opal/blob/master/docker/docker-compose-example-cedar.yml as per the tutorial: https://docs.opal.ac/tutorials/cedar/ Confirm data is present at: http://localhost:8180/v1/policies (cedar agent) Confirm data is present at: http://localhost:7002/policy (opal server) now... modify the example file to have more than one rule. i.e. https://github.com/permitio/opal-example-policy-repo/blob/master/policy.cedar Update the file to have another rule:

permit(
    principal in Role::"Editor",
    action in [
        Action::"document:read",
        Action::"document:write",
        Action::"document:delete"
	],
    resource in ResourceType::"document"
);

permit(
    principal in Role::"LimitedEditor",
    action in [
        Action::"document:read",
        Action::"document:write",
	],
    resource in ResourceType::"document"
);

Start up the stack. You'll notice the cedar agent returns empty: http://localhost:8180/v1/policies (cedar agent) Confirm data is present at: http://localhost:7002/policy (opal server)

Hey all, new here looking to explore permit… are there are documentation or comparison studies of setting up OPAL with OPA agent vs a cedar agent and how can I set up my local PDP to use cedar vs OPA. Trying to understand what scenarios and use cases demands which type of agent for scale and consistency wrt decisions.

several confusions about the Fetcher-for-Postgres. I found the opal-client could trigger date update using command like:

opal-client publish-data-update $token --src-url <http://mybillingserver.com/users> --src-config '{"headers":{"authorization":"bearer secret-token"}}'

it only needs a single field named

src-url

to determine which datasource should be updates. 1. however, when using posgres table as datasource, this url would like to be

"url": "<postgresql://postgres@example_db:5432/postgres>"

. Does that means I need to put each data source into different database, in a way like

1 table in 1 database

mode? It sounds wired. 2. I checked another option to trigger data update. i.e. using OPAL Server REST API. However, this method seems to be wrong when only putting

url

in request payload like

curl ... --header 'Content-Type: application/json' -d '{"entries":[{"url":"<postgresql://postgres@example_db:5432/postgres>"}]}'

. The opal server won't fill the blanks of other field but remain them as empty which cause opal-client failed to fetch data. 3. then i know maybe I should put the whole datasource config entry into the payload. it sounds wired too. Does that mean I should hard-code all the datasouce configuration into my client. Is there some

id

or other workflow, e..g I first go somewhere to get the full datasource configure then post the data update. Really confusing, thanks a lot!

after switching to opal v0.8.3, opal will pop error like

2025-08-04T15:45:25.978352+0000 | ddtrace.internal.writer.writer          |ERROR  | failed to send, dropping 1 traces to intake at <http://localhost:8126/v0.5/traces> after 3 retries

Hello, I'm currently using Permit.io for my cloud-based SaaS product. We're currently talking with a customer who would require an on-premise solution. I'm wondering how common it is to support both Permit hosted for our cloud product and then setting up an OPAL based solution for our on-premise product. Does anyone have a similar setup?

Hello, OPAL Team, My name is soohyun, and I am a student studying cybersecurity in South Korea. I have discovered two security vulnerabilities in the OPAL open-source project and have prepared a report. I could not find any specific instructions for reporting vulnerabilities in the security tab of the GitHub repository. Could you please let me know the proper channel or contact person for submitting my findings? Thank you for your time and for your great work on OPAL. Best regards, soohyun.

I have been looking through the good OPAL docs and examples to get an overview of OPAL's features 👍 • Is it correct that for using OPAL scopes, the OPAL server needs to have access to a Redis and cannot use a Postgres instead? • I would like the OPAL client to get policies from multiple Git repositories and provide them to the internal OPA. Is it correct that this is not possible? ◦ I found that a scope can only be associated with a single Git repo, and an OPAL client can only request a single scope.

Hi team, is there a metrics endpoint for server and clients?

Hi there! We are integrating OPAL to our application. In our setup, opa and opal-client run in separate deployments (inline OPA is disabled). When opa restarts during a rolling update, it comes up empty, and opal-client doesn’t immediately backfill all data. I tried persistent storage, but I can’t share the PVC between two OPA pods during rollout. What’s the recommended way to ensure the new opa is pre-warmed with current policies and data before it starts serving traffic? Does opal-client support a “full sync on startup/reconnect” mode, or is there another best practice for zero-downtime rollouts in this topology?

#C01RUUYV3TP I am looking for passing OPAL_INLINE_OPA_cONFIG to get the OPA configured for decision logs to an http endpoint and I don’t see a reference how to use this. Could you please guide me ?

Hi. Does OPAL sync relationship tuples to the local PDP? If so, is it done by default or needs configuration?

Can opal read data from redis.

Is there an architectural recommendation to deploy Opal server in AWS EKS and Opal client as sidecar in another EKS cluster

Can in opal client read from a data source set with a timeout

Hello, I have deployed the helm chart but I can't find a way to use a serviceAccount to pull a private git policies repo nor using a volume with an existing repo. I don't want a harcoded token value in my yaml file and if possible i really want to avoid setting up a ssh key. Any workaround ?

Hi all. Sorry if this is really stupid question and I should "RTFM", but I'm under pressure and pulling my hair out between ChatGPT, online docs etc. The scenario is really simple. I need to make a policy decision based on updated user data in Entra ID, we're talking about 10s maybe 100s of thousands of users. I want to dynamically pull data using a fetcher and make sure that it is avaible in the data store before the OPA executes. ChatGPT led me to believe this was possible (see diagram), but online opal docs dont seem to support this. Am I completely on the wrong track? It is fundamental that the data recovered from Entra ID relates to the user represented by the JWT, no for all the users.

image.png

JWT validation using JWKs endpoint: There's a pattern published here using http.send and a cache (plus key rotation detection). However, in general, http.send "is not recommended for production", is this the exception that breaks the rule? Is there something "bad" about http.send that I should know about? Thanks!

As EOPA got opensourced is there any plan to support eopa from opal?

Opal server keeps restarting with sigterm error. Websockets get disconnected frequently. Any insights to debug?

Hi, I am testing ABAC policies locally to change some conditions in ABAC rules. My local PDP needs about 5 minutes to update the changed conditions... Is it possible to force an immediate update? Interestingly, when I change any state in the policy editor, it is updated immediately. PDP LOGS

2025-10-15T09:25:08.891982+0000 | opal_client.policy.updater              | INFO  | Received policy update: topic=d7c2f5d674f54f82a21b401cf5190d32:policy:., message={'old_policy_hash': '9ed9fb1d2c4defae9d020e36f3c8510aa2930464', 'new_policy_hash': '7a919fe931c2403e183b134187a28abd8a8878d4', 'changed_directories': ['.', 'permit', 'permit/generated', 'permit/generated/conditionset']}
2025-10-15T09:25:08.892246+0000 | opal_client.policy.updater              | INFO  | Refetching policy code (delta bundle), base hash: '9ed9fb1d2c4defae9d020e36f3c8510aa2930464'
2025-10-15T09:25:08.892655+0000 | opal_client.policy.fetcher              | INFO  | Fetching policy bundle from <https://opal-v2.permit.io/scopes/d7c2f5d674f54f82a21b401cf5190d32/policy>
2025-10-15T09:25:10.461838+0000 | uvicorn.protocols.http.httptools_impl   | INFO  | 127.0.0.1:37394 - "GET /healthy HTTP/1.1" 200
2025-10-15T09:25:11.840135+0000 | opal_client.policy.fetcher              | INFO  | Fetched valid bundle, id: 7a919fe931c2403e183b134187a28abd8a8878d4
2025-10-15T09:25:11.841801+0000 | opal_client.policy.updater              | INFO  | got policy bundle (delta): '9ed9fb1d2c4defae9d020e36f3c8510aa2930464' -> '7a919fe931c2403e183b134187a28abd8a8878d4', manifest: ['permit/generated/conditionset/Large_5fquantity.rego'], deleted: None
2025-10-15T09:25:11.847489+0000 | opal_client.engine.logger               | INFO  | Received request.    PUT /v1/policies/permit/generated/conditionset/Large_5fquantity.rego
2025-10-15T09:25:11.994635+0000 | opal_client.engine.logger               | INFO  | Sent response.       PUT /v1/policies/permit/generated/conditionset/Large_5fquantity.rego -> 200

Any thoughts? Screenshot from activity logs for the condition change (there is my local time so 9:20 utc)

Hello. I'm running a quick proof of concept with OPA + OPAL on a local workstation where I have OPAL configured to fetch data with the

HttpFetchProvider

from an API. Is there a working example of using the

HttpFetchProvider

for a

POST

request that includes a request body? I've tried a number of things, but every time I try to include a request body, it appears the

HttpFetcherProvider

doesn't even attempt to make a call out to the configured endpoint. For example, I have this set in

OPAL_DATA_CONFIG_SOURCES

in the

permitio/opal-server:latest

container I have running locally:

{
  "config": {
    "entries": [
      {
        "url": "<http://myapi:8080/v1/path>",
        "config": {
          "fetcher": "HttpFetchProvider",
          "method": "post",
          "data": {
            "blah": "blah"
          }
        },
        "topics": [
          "blah"
        ],
        "dst_path": "blah"
      }
    ]
  }
}

This results in a

aiohttp.client_exceptions.ClientResponseError: 400, message='Bad Request', url='<http://myapi:8080/v1/path>

in the

permitio/opal-client-standalone:latest

container I have running locally, and with a

ERROR  | Timeout while fetching url: <http://openfga:8080/stores/01K7MTJYKRN6V5TQ1WT8D83QDQ/list-user>

error. The logs from the app running at

<http://myapi:8080>

don't seem to indicate that the request made it to my app. However, if I remove

config.data

from the configuration, the logs from my app do indicate the request was received. My app responds with a

400

in this case because the request body is required, but it at least proves the request has been received. I will admit it is confusing that the OPAL client indicates a

400

was received from the API when

config.data

is included but, my app logs don't indicate the request was received.

Hi there!, i've been experiencing a ton of restarts on my PDP on k8 using the helm chart with the following error, i have confirmed the pod security policy isn't blocking egress.

2025-10-20T18:21:45.449442+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | RPC Connection failed - [Errno -5] Name has no usable address
2025-10-20T18:21:46.391887+0000 | opal_client.policy_store.opa_client     |WARNING | OPA client health: False (policy: False, data: False)
2025-10-20T18:21:46.392485+0000 | uvicorn.protocols.http.httptools_impl   | INFO  | 127.0.0.1:45740 - "GET /healthy HTTP/1.1" 503
2025-10-20T18:21:47.785723+0000 | opal_client.policy_store.opa_client     |WARNING | OPA client health: False (policy: False, data: False)
2025-10-20T18:21:47.786254+0000 | uvicorn.protocols.http.httptools_impl   | INFO  | 127.0.0.1:45744 - "GET /healthy HTTP/1.1" 503
[2025-10-20T18:21:47Z INFO  pdp_server::api::health::handlers] Health check failed: horizon: Horizon returned status 503 Service Unavailable
2025-10-20T18:21:47.786688+0000 | opal_client.engine.logger               | INFO  | Received request.    GET /health
2025-10-20T18:21:47.787123+0000 | opal_client.engine.logger               | INFO  | Sent response.       GET /health -> 200
2025-10-20T18:21:51.391099+0000 | opal_client.policy_store.opa_client     |WARNING | OPA client health: False (policy: False, data: False)
2025-10-20T18:21:51.391510+0000 | uvicorn.protocols.http.httptools_impl   | INFO  | 127.0.0.1:45740 - "GET /healthy HTTP/1.1" 503
2025-10-20T18:21:52.716743+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | Trying server - <wss://opal.permit.io/ws>
2025-10-20T18:21:52.736808+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | RPC Connection failed - [Errno -5] Name has no usable address
2025-10-20T18:21:53.071268+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | Trying server - <wss://opal.permit.io/ws>
2025-10-20T18:21:53.097005+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | RPC Connection failed - [Errno -5] Name has no usable address
2025-10-20T18:21:54.619022+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | Trying server - <wss://opal.permit.io/ws>
2025-10-20T18:21:54.640207+0000 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | RPC Connection failed - [Errno -5] Name has no usable address
2025-10-20T18:21:55.982693+0000 | opal_client.policy_store.opa_client     |WARNING | OPA client health: False (policy: False, data: False)
2025-10-20T18:21:55.983169+0000 | uvicorn.protocols.http.httptools_impl   | INFO  | 127.0.0.1:51108 - "GET /healthy HTTP/1.1" 503
[2025-10-20T18:21:55Z INFO  pdp_server::api::health::handlers] Health check failed: horizon: Horizon returned status 503 Service Unavailable

hi all, am i correct that the policy store that's supported out of box is git repository only? i was thinking to use Zanzibar inspired DB as the policy store or data store: https://github.com/permitio/opal/discussions/633#discussioncomment-10241951

Hey 🙂 we are trying to install opal in one of our k8 clusters with the helm charts, but the opal-client doesnt seems to be able to start

Hey @everyone! OPAL v0.9.0 is now live!

hi all, can we configure OPAL to run Cedar agent instead of OPA in Helm Chart values?