raghanag

05/25/2023, 12:59 AM
Hi all, I have an OPAL setup tracking the git repo, but when I call the OPA endpoint I am getting the same data, since the endpoint http://localhost:8181/v1/data/schema returns {}. But it is working as expected in the playground; here is the playground link: https://play.openpolicyagent.org/p/4FSJjGOLpY. We suspect the schema is not being properly built into the policy bundle. How do I make sure the schema is being included in the policy bundle? Or do I need to extract the schema and put it as part of the input query?
Or Weis

05/25/2023, 2:05 AM
You can look at the logs and, of course, the final result in OPA to see what bundle was created.
raghanag

05/25/2023, 4:05 AM
Even if I keep the schema in the input query, it works in the playground but not if I query http://127.0.0.1:8181/v1/data/graphqlapi/authz. Playground: https://play.openpolicyagent.org/p/M7yZNWcWzx
Or Weis

05/25/2023, 6:39 AM
In your playground example your code reads input.schema - that means you are loading the schema from the input query itself, and not from the data loaded into OPA by OPAL.
raghanag

05/25/2023, 6:46 AM
I have 2 playgrounds, one where the schema loads from input and one from data.json. Input query: https://play.openpolicyagent.org/p/M7yZNWcWzx, data.json: https://play.openpolicyagent.org/p/4FSJjGOLpY
Both of them are working as expected in the playground, but when I keep the same in the git repo, use OPAL to push it to OPA and query http://127.0.0.1:8181/v1/data/graphqlapi/authz, I always get allow as false.
Or Weis

05/25/2023, 6:48 AM
Okay, when you look at your OPA after you loaded the data, does its /data look like the example? i.e. does it have a non-empty schema field?
raghanag

05/25/2023, 6:50 AM
Yes, when I query http://localhost:8181/v1/data it gives me back the below response:
response.json
Or Weis

05/25/2023, 6:57 AM
Well, so it seems the data was loaded as expected by OPAL, so either your policy is wrong, or the query.
raghanag

05/25/2023, 7:01 AM
Hmm, it seems to be working in the playground, right?
Or Weis

05/25/2023, 7:02 AM
Yes, but maybe, for example, you used the wrong playground policy; you have two.
raghanag

05/25/2023, 7:06 AM
It's the same policy except where we read the schema from. I used data.schema and tried to query http://localhost:8181/v1/data/schema, and also tried testing OPA:
curl --location --request POST 'http://127.0.0.1:8181/v1/data/graphqlapi/authz' \
--header 'Content-Type: application/json' \
--data-raw '{
    "input": {
        "query": "query { environmentTags }",
        "user": "lonewolf",
        "variables": {}
    }
}'
The issue is: if it's working in the playground, why not the same policy in OPAL+OPA?
Or Weis

05/25/2023, 8:07 AM
I'm guessing it's unrelated to OPAL, and is just the input itself or the query. How about trying to run this with OPA without OPAL, and see if it works or not?
raghanag

05/25/2023, 6:53 PM
I just put the rbac.rego and data.json (which contains the schema) under the directory like below and used opa build -b bundle:
.
├── bundle
│   ├── data.json
│   └── graphqlapi
│       └── authz
│           └── rbac.rego
and followed the docker-compose at https://www.openpolicyagent.org/docs/latest/graphql-api-authorization/. It's working as expected, i.e., when I query with lonewolf I get allow as true, and with other users I get allow as false. But when I use OPAL (just pushed my directory to git and let the opal-server track and clone it), I get allow as false for the lonewolf user:
curl --location --request POST 'http://127.0.0.1:8181/v1/data/graphqlapi/authz' \
--header 'Content-Type: application/json' \
--data-raw '{
    "input": {
        "query": "query { environmentTags }",
        "user": "lonewolf",
        "variables": {}
    }
}'
@Or Weis sorry to bother you, please let me know if you are able to jump on a quick Zoom call.
Or Weis

05/25/2023, 7:14 PM
Hi @raghanag - I'm sorry, but I'm not available for a call today. This doesn't seem to be an OPAL issue, as you yourself say that the data and policy load as you expect into OPA. I suggest comparing the state that you have in the manual deployment you just did and the one you are doing with OPAL - I'd suspect that you'd discover that you either used different data, a different query, or a different policy.
raghanag

05/25/2023, 7:38 PM
@Or Weis I used the same data.json and rbac.rego and only have 2 files, and here is the directory structure. As I said earlier, I used the opa cli build command to make a bundle and used it in the docker-compose.yaml, and for opal I pushed my files to git and configured the opal-server.
And for stand-alone OPA, I can see the data when I query http://localhost:8181/v1/data/schema, but with OPAL I get an empty response: {}
Or Weis

05/25/2023, 7:41 PM
Wait, so you're saying that the data didn't load correctly into OPA?
raghanag

05/25/2023, 7:45 PM
For OPAL: querying http://localhost:8181/v1/data/schema gets nothing, but I see the data at http://localhost:8181/v1/data
Or Weis

05/25/2023, 7:46 PM
You might have a race condition between your data_sources_config and the data.json, if you're doing both. What do you mean you see data at /v1/data? Do you see data/schema there?
raghanag

05/25/2023, 7:47 PM
Yes, here is the output of /v1/data:
response.json
Or Weis

05/25/2023, 7:49 PM
Well, it's a different path. Here you can see it's under /v1/data/bundle/schema, not /v1/data/schema.
raghanag

05/25/2023, 7:50 PM
May I ask, if I use the same folder structure (basically the same repo) to make the bundle and used OPAL, why do I need to use different paths? And also http://localhost:8181/v1/data/bundle/data gives nothing.
Or Weis

05/25/2023, 8:03 PM
Why http://localhost:8181/v1/data/bundle/data? It's http://localhost:8181/v1/data/bundle/schema
"May I ask, if I use the same folder structure (basically the same repo) to make the bundle and used OPAL, why do I need to use different paths?"
In one you have another folder called bundle - they are not the same folder structure.
raghanag

05/25/2023, 8:08 PM
Sorry, it's a typo from me, you are right, it's http://localhost:8181/v1/data/bundle/schema
So if I keep the bundle folder in the repo, then OPAL will not use it as root, and prepares the tar file and gives it to OPA.
May I ask what folder structure I need to keep in the git repo to make it work?
Or Weis

05/25/2023, 8:10 PM
If you remove the bundle folder and move the files up, they will be without the "/bundle" prefix in the final result. You can also use a manifest file to tell OPAL how to build the bundle: https://docs.opal.ac/tutorials/track_a_git_repo#policy-bundle-manifest---serving-dependent-policy-modules
Actually, that's wrong - the manifest file won't help here.
But you can remove the bundle folder, as I said.
raghanag

05/25/2023, 8:12 PM
Let me remove the bundle folder and try.
Or Weis

05/25/2023, 8:13 PM
That means that you should have your data.json file at the root of the folder.
raghanag

05/25/2023, 8:13 PM
Removed the bundle folder, and here is the dir. Does it look good?
Or Weis

05/25/2023, 8:15 PM
Alternatively, you can change your policy code to use data.bundle.schema instead of data.schema, if you want to maintain your file structure.
raghanag

05/25/2023, 8:27 PM
Looks like the folder structure is very important.