Hi All, I have a opal setup tracking the git repo but when i call the opa endpoint, i am getting the same data since the endpoint http://localhost:8181/v1/data/schema returning

{}

but it is working as expected, here is the playground link https://play.openpolicyagent.org/p/4FSJjGOLpY, we suspect the schema is not being properly built into the policy bundle. How to make sure the schema is being included in the policy bundle. or do i need to extract the schema and put it as part of the input query.

Yoy can look at the logs and of course the final result in OPA to see what bundle was created

I can see the result when i query http://localhost:8181/v1/data and http://localhost:8181/v1/policies but not http://localhost:8181/v1/data/schema

In your playground example your code reads

input.schema

- that means you are loading the schema from the input query itself, and not from the data loaded into OPA by OPAL

i have 2 playgrounds one that schema loads from input and one from data.json input query: https://play.openpolicyagent.org/p/M7yZNWcWzx data.json: https://play.openpolicyagent.org/p/4FSJjGOLpY

Okay when you look at your OPA after you loaded the data does its /data look like the example ? i.e. has a non -empty schema field?

yes when i query http://localhost:8181/v1/data it gives me back the below response

Well so it seems the data was loaded as expected by OPAL, so either your policy is wrong, or the query

hmm it seems working in playground right?

Yes, but maybe for example you used the wrong playground policy , you have two

its the same policy except where we read the schema from, i used the data.schema and tried to query the http://localhost:8181/v1/data/schema and also tried testing OPA

curl --location --request POST '<http://127.0.0.1:8181/v1/data/graphqlapi/authz>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "input": {
        "query": "query { environmentTags }",
    "user": "lonewolf",
    "variables": {}
    }
}'

I’m guessing it’;s unrelated to OPAL, and is just the input itself or query. How about trying to run this with OPA without OPAL, and see if it works or not

I just put the rbac.rego and data.json (which contains the schema) in under the directory like below and used

opa build -b bundle

├── bundle │ ├── data.json │ └── graphqlapi │ └── authz │ └── rbac.rego (edited) and followed the docker-compose at https://www.openpolicyagent.org/docs/latest/graphql-api-authorization/ its working as expected. i.e., when i query with

lonewolf

i get

allow

as

true

and with other users i get

allow

as

false

but when i use opal (just pushed my directory to git and let the opal-server tracks and clones it) i get the

allow

as

false

for

lonewolf

user

curl --location --request POST '<http://127.0.0.1:8181/v1/data/graphqlapi/authz>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "input": {
        "query": "query { environmentTags }",
    "user": "lonewolf",
    "variables": {}
    }
}'

Hi @raghanag - I’m sorry but I’m not available for a call today. This doesn’t seem to be an OPAL issue. As you yourself say that the data and policy load as you expect into OPA. I suggest comparing the state that you have in the manual deployment you just did and the one you are doing with OPAL - I’d suspect that you’d discover that you either used different data, a different query, or a different policy

@Or Weis I used the same data.json, rbac.rego and only have 2 files. and here is the directory structure, as i said earlier i used

opa

cli

build

command to make a bundle and used it in the

docker-compose.yaml

, and for

opal

pushed my files to

git

and configured the

opal-server

And for stand-alone opa, I can see the data when i query http://localhost:8181/v1/data/schema but with opal i get empty response

{}

Wait so you’re saying that the data didn’t load correctly into OPA ?

for opal: querying http://localhost:8181/v1/data/schema gets nothing but i see the data at http://localhost:8181/v1/data

You might have race condition between your data_sources_config and the data.json - if you’re doing both. What do you mean you see data at /v1/data - do you see the data/schema there ?

response.json

Well it’s a different path here you can see it’s under

/v1/data/*bundle*/schema

not

/v1/data/schema

may i ask if i use the same folder structure (basically same repo) to make bundle and used opal, why do i need to use different paths and also http://localhost:8181/v1/data/bundle/data gives nothing

Why

<http://localhost:8181/v1/data/bundle/data>

? It’s

<http://localhost:8181/v1/data/bundle/schema>

sorry its typo from me, you are right its http://localhost:8181/v1/data/bundle/schema

If you remove the bundle folder and move the files up, they will be without the “/bundle” prefix in the final result You can also use a manifest files to tell OPAL how to build the bundle https://docs.opal.ac/tutorials/track_a_git_repo#policy-bundle-manifest---serving-dependent-policy-modules

let me remove bundle folder and try

that means that you should have your

data.json

file at the root of the folder.

removed bundle folder, and here is the dir, does it looks good?

alternatively you can change your policy code to use

data.bundle.schema

instead of

data.schema

- if you want to maintain your file structure

looks like folder structure is very important