
Charlie Batten

05/25/2023, 10:52 AM
I'm trying to fetch a bundle.tar.gz from a locally hosted s3-compatible storage (MinIO) and when anonymous access to the bucket is enabled, everything goes fine. Unfortunately, I need anonymous access disabled as part of the project owner's requirements. The credentials I have are an Access Key Id and Secret Access Key. Is there a way to get the bundle file with these credentials?

Or Weis

05/25/2023, 10:57 AM
Hi @Charlie Batten - welcome 🙂 I'm planning on answering you here, I'm just in a few meetings at the moment - will reply soon

Charlie Batten

05/25/2023, 10:57 AM
Thank you so much - there's no rush at all!

Or Weis

05/25/2023, 11:07 AM
Answered on Github, but adding here as well 🙂 You can use the OPAL_POLICY_BUNDLE_SERVER_TOKEN env-var to have the OPAL-server use an "Authorization", "Bearer {token}" header.
If you need a more advanced authentication scheme, it would require code changes, here: https://github.com/permitio/opal/blob/f1a9c318554c81e2b030e8df74059924cd0400c7/packages/opal-common/opal_common/sources/api_policy_source.py#L116 PRs are welcome, and we can also add it to the roadmap

Charlie Batten

05/25/2023, 11:16 AM
Yes, unfortunately, I don't believe I have a way to generate a bearer token for use in that env var. If it does help, our previous deployment was using OPA (without OPAL) with the following arguments:
@echo off
REM Static S3 credentials read by OPA's s3_signing plugin from the environment (values redacted)
SET AWS_ACCESS_KEY_ID=REDACTED
SET AWS_SECRET_ACCESS_KEY=REDACTED
SET AWS_REGION=uk
REM Run OPA as a server and pull the policy bundle from the local S3-compatible (MinIO) endpoint
opa_windows_amd64.exe run -s -l debug --set "services.s3.url=http://s3-local" --set "services.s3.credentials.s3_signing.environment_credentials=null" --set "bundles.authz.service=s3" --set "bundles.authz.resource=open-policy-agent-bundles/env/bundle.tar.gz"
Would there be a way to pass this data through OPAL into OPA?
We've only got those two AWS keys to use as auth

Or Weis

05/25/2023, 11:18 AM
I'm afraid not, as it is not OPA talking to the bundle-server but the OPAL-server. This is a missing feature - would you be willing to try and do a PR for it? Otherwise I can check if @Asaf Cohen / @Ro'e Katz / @Ori Shavit can get to it next week

Charlie Batten

05/25/2023, 11:21 AM
I'm afraid that python is far from my specialty and I'm kind of muddling my way around as is 😕

Or Weis

05/25/2023, 11:24 AM
Got it, and can it wait for early next week?

Charlie Batten

05/25/2023, 11:24 AM
Yes of course! That would be brilliant 😄

Or Weis

05/25/2023, 11:24 AM
Cool. I'll get the team on it 😇

Charlie Batten

05/25/2023, 11:25 AM
Thank you so so so much
😄

Or Weis

05/30/2023, 2:10 PM
Hi Charlie - lacking free team members to work on this I ended up doing it myself https://github.com/permitio/opal/pull/472 Can you give it a try before we merge it to master?

Charlie Batten

05/31/2023, 6:49 AM
Hi Or, I gave it a quick go yesterday, but was unsuccessful in making the request. I'll have a play with it today and see if I can get it working 🙂
๐Ÿ‘ 1
I've made some code changes, and have successfully got the bundle downloading!
Are you happy for me to push them to the branch you created, or would you rather I make a new branch for it?

Or Weis

05/31/2023, 8:09 AM
That's awesome! Teamwork 💪 A new branch and pull request would be better for the CR flow

Charlie Batten

05/31/2023, 8:46 AM
I'm trying to push the branch, and am getting this error:
remote: Permission to permitio/opal.git denied to cbat98.
fatal: unable to access 'https://github.com/permitio/opal.git/': The requested URL returned error: 403

Asaf Cohen

05/31/2023, 9:04 AM
Hi @Charlie Batten in order to contribute you need to fork the OPAL repo and then open a pull request from a branch on your fork repo to @Or Weis's branch on the main OPAL repo
Only the core maintainers can open pulls directly on the main OPAL repo

Charlie Batten

05/31/2023, 9:05 AM
I see, thanks Asaf. I'll get on that 🙂
This is my first time PRing OSS 🙂

Asaf Cohen

05/31/2023, 9:06 AM
Really exciting @Charlie Batten !! We are honored your first contribution is to OPAL 🙂

Charlie Batten

05/31/2023, 9:57 AM
PR is up 🙂
Let me know if there are any more details needed

Or Weis

05/31/2023, 10:05 AM
Will review shortly.
Hi @Charlie Batten looks great - requested a tiny change in the review - fix it and we'd be good to go
๐Ÿ‘ 1
@Daniel Bass please be in touch with @Charlie Batten to send him some SWAG in gratitude for his contribution to the project 🙂
โค๏ธ 1
๐Ÿ‘ 1
d

Daniel Bass

05/31/2023, 12:08 PM
@Charlie Batten Sending you a DM 🙂

Charlie Batten

05/31/2023, 12:55 PM
Do you have a release cycle for releasing versions of the docker images to docker hub?

Or Weis

05/31/2023, 12:58 PM
@Ro'e Katz is aiming for a release next week. In general - on avg. we do once a month.

Charlie Batten

05/31/2023, 12:58 PM
Ok thank you 😄