# opal
o
You can look at the logs and of course the final result in OPA to see what bundle was created
r
Even if I keep the schema in the input query it works in the playground, but not if I query http://127.0.0.1:8181/v1/data/graphqlapi/authz. Playground: https://play.openpolicyagent.org/p/M7yZNWcWzx
o
In your playground example your code reads `input.schema` - that means you are loading the schema from the input query itself, and not from the data loaded into OPA by OPAL
r
I have 2 playgrounds, one where the schema loads from input and one from data.json. Input query: https://play.openpolicyagent.org/p/M7yZNWcWzx data.json: https://play.openpolicyagent.org/p/4FSJjGOLpY
Both of them are working as expected in the playground, but when I keep the same in a git repo and use OPAL to push it to OPA and query http://127.0.0.1:8181/v1/data/graphqlapi/authz I always get `allow` as `false`
o
Okay, when you look at your OPA after you loaded the data, does its /data look like the example? i.e. has a non-empty schema field?
r
Yes, when I query http://localhost:8181/v1/data it gives me back the below response
o
Well so it seems the data was loaded as expected by OPAL, so either your policy is wrong, or the query
r
Hmm, it seems to be working in the playground, right?
o
Yes, but maybe for example you used the wrong playground policy, you have two
r
It's the same policy except where we read the schema from. I used data.schema and tried to query http://localhost:8181/v1/data/schema and also tried testing OPA:
```bash
curl --location --request POST 'http://127.0.0.1:8181/v1/data/graphqlapi/authz' \
--header 'Content-Type: application/json' \
--data-raw '{
    "input": {
        "query": "query { environmentTags }",
        "user": "lonewolf",
        "variables": {}
    }
}'
```
The issue is: if it's working in the playground, why not the same policy in OPAL+OPA?
o
I'm guessing it's unrelated to OPAL, and is just the input itself or the query. How about trying to run this with OPA without OPAL, and see if it works or not
r
I just put the rbac.rego and data.json (which contains the schema) under the directory like below and used `opa build -b bundle`:
```
├── bundle
│   ├── data.json
│   └── graphqlapi
│       └── authz
│           └── rbac.rego
```
and followed the docker-compose at https://www.openpolicyagent.org/docs/latest/graphql-api-authorization/. It's working as expected, i.e. when I query with `lonewolf` I get `allow` as `true`, and with other users I get `allow` as `false`. But when I use OPAL (just pushed my directory to git and let the opal-server track and clone it) I get `allow` as `false` for the `lonewolf` user.
```bash
curl --location --request POST 'http://127.0.0.1:8181/v1/data/graphqlapi/authz' \
--header 'Content-Type: application/json' \
--data-raw '{
    "input": {
        "query": "query { environmentTags }",
        "user": "lonewolf",
        "variables": {}
    }
}'
```
@Or Weis sorry to bother you, please let me know if you are able to jump on a quick zoom call
o
Hi @raghanag - I'm sorry but I'm not available for a call today. This doesn't seem to be an OPAL issue, as you yourself say that the data and policy load as you expect into OPA. I suggest comparing the state that you have in the manual deployment you just did and the one you are doing with OPAL - I'd suspect that you'd discover that you either used different data, a different query, or a different policy
r
@Or Weis I used the same data.json and rbac.rego and only have 2 files, and here is the directory structure. As I said earlier, I used the `opa` CLI `build` command to make a bundle and used it in the `docker-compose.yaml`, and for `opal` I pushed my files to `git` and configured the `opal-server`.
And for stand-alone OPA, I can see the data when I query http://localhost:8181/v1/data/schema, but with OPAL I get an empty response `{}`
o
Wait, so you're saying that the data didn't load correctly into OPA?
r
For OPAL: querying http://localhost:8181/v1/data/schema gets nothing, but I see the data at http://localhost:8181/v1/data
o
You might have a race condition between your data_sources_config and the data.json - if you're doing both. What do you mean you see data at /v1/data - do you see the data/schema there?
r
Yes, here is the output of /v1/data
o
Well, it's a different path here. You can see it's under `/v1/data/bundle/schema`, not `/v1/data/schema`
r
May I ask, if I use the same folder structure (basically the same repo) to make the bundle and use OPAL, why do I need to use different paths? And also http://localhost:8181/v1/data/bundle/data gives nothing
o
Why http://localhost:8181/v1/data/bundle/data? It's http://localhost:8181/v1/data/bundle/schema
> may i ask if i use the same folder structure (basically same repo) to make bundle and used opal, why do i need to use different paths
In one you have another folder called bundle - they are not the same folder structure
r
Sorry, it's a typo from me, you are right it's http://localhost:8181/v1/data/bundle/schema
So if I keep the bundle folder in the repo then OPAL will not use it as root, and prepares the tar file and gives it to OPA?
May I ask what folder structure I need to keep in the git repo to make it work?
o
If you remove the bundle folder and move the files up, they will be without the "/bundle" prefix in the final result. You can also use a manifest file to tell OPAL how to build the bundle: https://docs.opal.ac/tutorials/track_a_git_repo#policy-bundle-manifest---serving-dependent-policy-modules
Actually that's wrong, the manifest file won't help here.
But you can remove the bundle folder, as I said.
r
Let me remove the bundle folder and try
o
That means that you should have your `data.json` file at the root of the folder.
r
Removed the bundle folder, and here is the dir, does it look good?
o
Alternatively you can change your policy code to use `data.bundle.schema` instead of `data.schema` - if you want to maintain your file structure
r
Looks like the folder structure is very important