# opal
  • t

    Thilak Reddy

    02/18/2025, 8:36 AM
    Hello chat, is there any information around the memory consumption of OPAL based on the amount of data being stored in OPA (non standalone mode)? Cause I have one container which is averaging around 150Mb of memory with around 500Kb of data in OPA, whereas a different container is averaging around 800Mb of memory with around 50Mb of data in OPA. This ratio seems like a lot; is this expected, and is there any way I can reduce it?
  • n

    Nikola Markovic

    02/18/2025, 10:27 AM
    Hello everyone, I noticed that the latest tag has reverted the OpenTelemetry integration, and I've read the explanation for it. Could you please tell me if there will be a patch release for the 0.7.x version where the OpenTelemetry integration is included? Thanks!
  • d

    Dan

    02/18/2025, 3:39 PM
    Hey OPAL Community,
    We want to share an important update regarding OpenTelemetry support in OPAL. Since the release of v0.7.16, which introduced OpenTelemetry integration, we’ve encountered several challenges, including issues with collecting traces, deployment difficulties (especially in Alpine Linux environments), and gaps in documentation that have made integration harder for users. These challenges have slowed down our overall development and introduced instability in certain environments.
    To ensure OPAL remains stable and easy to use, we’ve decided to remove OpenTelemetry integration starting from v0.8.x and return it to active development. This will allow us to refine the implementation, improve documentation, and make integration smoother before reintroducing it in a future release.
    For those currently using OpenTelemetry in OPAL, v0.7.x will remain available and continue receiving patches while we work on improvements.
    What’s Next?
    • We will continue refining OpenTelemetry support to ensure a better experience before its reintroduction.
    • We welcome feedback and contributions from the community on improving the integration.
    • If you’ve successfully used OpenTelemetry in OPAL, we’d love to hear your insights!
    We understand that changes like this can be disruptive, but this decision is aimed at ensuring a more stable and maintainable OPAL for everyone. We appreciate your patience and support as we work through this, and we’re excited to bring back OpenTelemetry in a stronger and more reliable way soon!
    Thank you for being part of OPAL! 🚀💎
  • d

    Dai Zhang

    02/23/2025, 8:37 AM
    Hi, I have a question about realtime policy data updates. I am confused how the policy data is kept between three different components, i.e. broadcast channel, opal server and opa client. I noticed that there is a data.json in policy git repo and the opal server serves a url like http://opal-server:7002/policy-data. My questions are:
    1. When doing opal-client publish-data-update, how are these policy data changes stored? Are they kept in the policy git repo, or in the opal server memory (which is never persistent at all)?
    2. OPAL said that
    "The data sources specified in the server configuration must always return a complete and up-to-date picture."
    However, if the realtime policy data updates are in opal server’s memory, then there could be data inconsistency between opal clients when a client restarts. How to understand that?
  • k

    kobi malka

    02/25/2025, 7:12 AM
    Hi, I'm using Node.js and trying to use the permitio library. I have a tenant called babcom-mol and this tenant includes two users. When I'm trying to run the check command
    ```js
    const permitted = await this.permitClient.check(userId, action, resource, { tenant: tenantId, ...attributes });
    ```
    I always get false, and when I'm checking the audit logs I can see that the request goes to the default tenant:
    ```json
    {
      "allow": false,
      "query": {
        "user": { "key": "kobim", "first_name": null, "last_name": null, "email": null, "attributes": {} },
        "action": "read",
        "resource": { "type": "Knowledge_Base", "key": null, "tenant": "default", "attributes": {}, "context": {} },
        "context": { "tenant": "babcom-mol", "pdp_type": "cloud" }
      },
      "debug": {
        "abac": {
          "allow": false,
          "reason": "user 'kobim' did not match any userset conditions. known usersets: []",
          "support_link": "https://docs.permit.io/errors/no_matching_usersets",
          "code": "no_matching_usersets"
        },
        "request": {
          "resource": { "type": "Knowledge_Base", "attributes": { "type": "Knowledge_Base" } },
          "user": {
            "last_name": null,
            "key": "kobim",
            "synced": true,
            "attributes": { "roles": [], "key": "kobim", "tenants": [ "babcom-mol" ], "email": "kobim@onvego.com" },
            "first_name": null,
            "email": null
          },
          "tenant": null,
          "action": "read"
        },
        "rbac": {
          "allow": false,
          "reason": "tenant 'default' does not exist. existing tenants: ['babcom-mol', 'babcom']",
          "support_link": "https://docs.permit.io/errors/no_such_tenant",
          "code": "no_such_tenant"
        }
      },
      "result": false
    }
    ```
    How can I solve it?
  • k

    kobi malka

    02/25/2025, 7:22 AM
    How can I add and manage users using the permitio package?
  • k

    kobi malka

    02/25/2025, 7:26 AM
    How can I sync a user to a specific tenant, and what if the user doesn't exist, does the sync create him?
  • k

    kobi malka

    02/25/2025, 9:45 AM
    How can I integrate Auth0 with Permit.io?
  • k

    kobi malka

    02/25/2025, 12:52 PM
    How can I get all the users with a specific email?
  • k

    kobi malka

    02/25/2025, 12:53 PM
    I want to get the users with email from all tenants.
  • k

    kobi malka

    02/25/2025, 12:54 PM
    I have this email: kobim@onvego.com. I want to get all the tenants that have this user and also the roles inside each tenant.
  • k

    kobi malka

    02/25/2025, 1:20 PM
    I want to create a namespace convention in the tenant name, but I'm not allowed to add dots as separators. What characters are valid as separators which are not '_' or '-'?
  • k

    KSM

    03/06/2025, 4:56 PM
    I have the following set on the opal client
    ```
    OPAL_INLINE_OPA_ENABLED=true
    OPAL_INLINE_OPA_EXEC_PATH=/opal/opa
    OPAL_INLINE_OPA_LOG_FORMAT=http
    OPAL_INLINE_OPA_CONFIG={"config_file":"/tmp/opa.conf"}
    ```
    /tmp/opa.conf contains:
    ```yaml
    decision_logs:
        console: true
    ```
    And I have a decision log policy that contains:
    ```rego
    package system.log

    import rego.v1

    drop if {
            input.result.allow == true
    }
    ```
    When I previously ran opa myself using the same opa config and decision policy (before opal), I would get a decision log entry for every deny. Since switching to opal running inline opa, I'm not seeing any decision log info in the opal-client container logs, but I know that there have been denies by opa. The log level for opa logs is using the default INFO level as defined in https://github.com/permitio/opal/blob/6dbba8f26997343caf4b9aeb234e775c29982408/packages/opal-client/opal_client/engine/options.py#L29-L30. Am I missing some other setting that would show the decision logging from opa?
  • s

    Shoham Yamin

    03/08/2025, 4:55 PM
    Does the OPAL client image have OPA 1.0 or is it still with OPA 0.7?
  • a

    Andrea Di Saverio

    03/14/2025, 11:12 AM
    Hello everybody! What is the password of the root user in the opal-client container? I'm logged in as `opal` user.
  • t

    Thilak Reddy

    03/14/2025, 3:22 PM
    Hello team, OPAL would queue the data updates until the initial data is fetched and apply them in order once data is successfully fetched, correct? This is my understanding; question in the thread about how logs are printed in this case.
  • l

    Lalit Vohra

    03/28/2025, 11:35 AM
    Getting a 503 on GET /policy?path=. in OPAL Helm charts deployed
  • c

    Channel Nine And Three Quarters

    03/31/2025, 2:26 PM
    Hi, how can I configure an ingress for my opal server? I need to deploy 2 clients in different sites that both use the same server
  • t

    Thomas Sidebottom

    04/01/2025, 3:09 PM
    Good morning (maybe). I need to pick the brain of someone about some vulnerabilities that were detected for OPAL Server version 0.7.16 by Twistlock. I have gone through the vulnerabilities and believe I have found the reasons for why the vulnerable package versions are used. I just need someone from Permit to sanity check my reasoning (and correct anything that isn't above board).
  • m

    Martin Dulák

    04/10/2025, 6:30 AM
    Hello permit, I'd like to modify how PDP (and OPAL) logs messages. Specifically, I need the messages to be in JSON format for GCP Logging to process them correctly. I have set `OPAL_LOG_SERIALIZE` to `true`, which turned on the JSON format but it's not in the format I need it to be. GCP requires for `severity` to be a top level field, named like that, whereas OPAL includes it as `record.level.name`. Please, is there any way how to change the format of the log messages? I have found `LOG_FORMAT` property, but no description on how to configure it: https://docs.opal.ac/getting-started/configuration Thank you in advance! 🙂
  • l

    Liudvikas Paukštė

    04/10/2025, 6:14 PM
    Question about OPAL server scaling. Uvicorn workers vs separate instances? What are the pros and cons of each?
  • v

    vijay

    04/14/2025, 11:09 AM
    Hello, I am trying to use envoy filter with opal client. I want to use the Inline OPA. This is what I did. Modified the opal-client image to use OPA-envoy image. Now for the inline OPA config, I am using the below config file.
    ```yaml
    apiVersion: v1
    Kind: configmap
    data:
      config.yaml : |
        plugins:
          envoy_ext_authz_grpc:
            addr : 9191
            path: istio/authz/allow
    ```
    In client deployment, volume mounted the configmap and used `OPAL_INLINE_OPA_CONFIG: {config_file:"/opal/config/config.yaml"}`. The GRPC is not getting registered. Is this something anyone has tried and is achievable, or is using standalone opal-client and opa as a separate service the only option? I want to run opal-client as sidecar. Want to avoid adding another OPA sidecar.
  • b

    BIplab

    04/18/2025, 5:58 AM
    Does OPAL provide a connector to fetch data from Hazelcast or any other similar cache?
  • r

    Rupesh Shanmugalingam

    04/19/2025, 6:37 PM
    Hello
  • s

    Soumith

    04/29/2025, 11:53 AM
    Hi, is it possible to use git-remote-gcrypt or similar tools along with opal server to fetch policies from an encrypted git repo? I have tried with git remote gcrypt but it was not working. For context, git-remote-gcrypt is a remote helper for git which encrypts the repo before sending out a commit. For fetching it, a prefix "gcrypt::" needs to be added to the git url. When passing that url with the prefix to opal server, it is giving the error "cannot clone policy repo: The `gcrypt::` protocol looks suspicious, use `allow_unsafe_protocols=True` to allow it." which seems to come from the repo.clone_from() function in the git python package used in the project (link to the line). Are there any plans to add compatibility to such tools in opal? Thanks!
  • s

    Soumith

    05/05/2025, 12:22 PM
    Hi, is there any other alternative way to get policy into OPA other than through git repo and the bundle api? OPA has support for OCI images pulled from supported registries (link to docs). Policies can be built into OCI compatible images using this tool. For now I am using OPAL_INLINE_OPA_CONFIG to set the config of the inline OPA instance to fetch from an OCI repository. Doing this, I am bypassing the OPAL server and client. So I was curious if there are any other ways.
  • h

    Harshit Parikh

    05/06/2025, 12:27 PM
    I'm getting tarsafeexception when using opa build to build the tar gzip
    opal_common.security.tarsafe.TarSafeException: Attempted directory traversal for member: /data.json
  • a

    Adel Ati

    05/07/2025, 1:50 PM
    Hey folks, is there any plan to support OCI registries as a policy source similar to what has been done on OPA side?