# opal
o
Hi @Charlie Batten - welcome 🙂 I’m planning on answering you here, I’m just in a few meetings at the moment - will reply soon
c
Thank you so much - there's no rush at all!
o
Answered on Github, but adding here as well 🙂 You can use the `OPAL_POLICY_BUNDLE_SERVER_TOKEN` env-var to have the OPAL-server use an “Authorization”, “Bearer {token}” header.
If you need a more advanced authentication scheme, it would require code changes, here: https://github.com/permitio/opal/blob/f1a9c318554c81e2b030e8df74059924cd0400c7/packages/opal-common/opal_common/sources/api_policy_source.py#L116 PRs are welcome, and we can also add it to the roadmap
c
Yes, unfortunately, I don't believe I have a way to generate a bearer token for use in that env var. If it does help, our previous deployment was using OPA (without OPAL) with the following arguments:
```bat
@echo off
SET AWS_ACCESS_KEY_ID=REDACTED
SET AWS_SECRET_ACCESS_KEY=REDACTED
SET AWS_REGION=uk
opa_windows_amd64.exe run -s -l debug --set "services.s3.url=http://s3-local" --set "services.s3.credentials.s3_signing.environment_credentials=null" --set "bundles.authz.service=s3" --set "bundles.authz.resource=open-policy-agent-bundles/env/bundle.tar.gz"
```
Would there be a way to pass this data through OPAL into OPA?
We've only got those two AWS keys to use as auth
o
I’m afraid not, as it is not OPA talking to the bundle-server but the OPAL-server. This is a missing feature - would you be willing to try and do a PR for it? Otherwise I can check if @Asaf Cohen / @Ro'e Katz / @Ori Shavit can get to it next week
c
I'm afraid that Python is far from my specialty and I'm kind of muddling my way around as is 😕
o
Got it, and can it wait for early next week?
c
Yes of course! That would be brilliant 😄
o
Cool. I’ll get the team on it 😇
c
Thank you so so so much
😄
o
Hi Charlie - lacking free team members to work on this I ended up doing it myself https://github.com/permitio/opal/pull/472 Can you give it a try before we merge it to master?
c
Hi Or, I gave it a quick go yesterday, but was unsuccessful in making the request. I'll have a play with it today and see if I can get it working 🙂
👍 1
I've made some code changes, and have successfully got the bundle downloading!
Are you happy for me to push them to the branch you created, or would you rather I make a new branch for it?
o
That's awesome! Teamwork 💪 A new branch and pull request would be better for the CR flow
c
I'm trying to push the branch, and am getting this error:
```
remote: Permission to permitio/opal.git denied to cbat98.
fatal: unable to access 'https://github.com/permitio/opal.git/': The requested URL returned error: 403
```
a
Hi @Charlie Batten in order to contribute you need to fork the OPAL repo and then open a pull request from a branch on your fork repo to @Or Weis’s branch on the main OPAL repo
Only the core maintainers can open pulls directly on the main OPAL repo
c
I see, thanks Asaf. I'll get on that 🙂
🚀 1
This is my first time PRing OSS 🙂
a
Really exciting @Charlie Batten !! We are honored your first contribution is to OPAL 🙂
c
PR is up 🙂
Let me know if there are any more details needed
💜 1
o
Will review shortly.
Hi @Charlie Batten looks great - requested a tiny change in the review - fix it and we’d be good to go
👍 1
@Daniel Bass please be in touch with @Charlie Batten to send him some SWAG in gratitude to his contribution to the project 🙂
❤️ 1
👍 1
d
@Charlie Batten Sending you a DM 🙂
c
Do you have a release cycle for releasing versions of the docker images to docker hub?
o
@Ro'e Katz is aiming for a release next week. In general - on avg. we do once a month.
c
Ok thank you 😄
💜 1