# opal
a
Yes, you are supposed to use the OPAL_INLINE_OPA_CONFIG variable.
can you share your configuration?
o
@Asaf Cohen
2023-07-15T14:46:24.432789+0000 | 15 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | Trying server - ws://opal_server:7002/ws
2023-07-15T14:46:24.492944+0000 | 15 | opal_client.policy.updater              | INFO  | Connected to server
2023-07-15T14:46:24.493178+0000 | 15 | opal_client.policy.updater              | INFO  | Refetching policy code (full bundle)
2023-07-15T14:46:24.493437+0000 | 15 | opal_client.policy.fetcher              | INFO  | Fetching policy bundle from http://opal_server:7002/policy
2023-07-15T14:46:24.518211+0000 | 15 | opal_client.policy.fetcher              | INFO  | Fetched valid bundle, id: 94c88a2bba339947b0e76f0afb7d5d102cb44788
2023-07-15T14:46:24.518649+0000 | 15 | opal_client.policy.updater              | INFO  | Got policy bundle with 2 rego files, 1 data files, commit hash: '94c88a2bba339947b0e76f0afb7d5d102cb44788'
2023-07-15T14:46:24.521674+0000 | 15 | opal_client.policy_store.opa_client     |WARNING | Opa connection error: ContentTypeError(RequestInfo(url=URL('http://localhost:8181/v1/policies'), method='GET', headers=<CIMultiDictProxy('Host': 'localhost:8181', 'Accept': '*/*', 'Accept-Encoding': 'gzip, deflate', 'User-Agent': 'Python/3.10 aiohttp/3.8.4')>, real_url=URL('http://localhost:8181/v1/policies')), (), message='Attempt to decode JSON with unexpected mimetype: ', headers=<CIMultiDictProxy()>)
2023-07-15T14:46:26.528447+0000 | 15 | opal_client.policy_store.opa_client     |WARNING | Opa connection error: ContentTypeError(RequestInfo(url=URL('http://localhost:8181/v1/policies'), method='GET', headers=<CIMultiDictProxy('Host': 'localhost:8181', 'Accept': '*/*', 'Accept-Encoding': 'gzip, deflate', 'User-Agent': 'Python/3.10 aiohttp/3.8.4')>, real_url=URL('http://localhost:8181/v1/policies')), (), message='Attempt to decode JSON with unexpected mimetype: ', headers=<CIMultiDictProxy()>)
2023-07-15T14:46:26.529665+0000 | 15 | opal_client...base_policy_store_client  |ERROR  | OPA transaction failed, transaction id=94c88a2bba339947b0e76f0afb7d5d102cb44788, actions=['set_policies'], error=RetryError(<Future at 0x7f413af86890 state=finished raised ContentTypeError>)
2023-07-15T14:46:26.534528+0000 | 15 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | Connection was terminated.
2023-07-15T14:46:26.534858+0000 | 15 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | Closing RPC client
2023-07-15T14:46:26.535486+0000 | 15 | opal_client.policy.updater              | INFO  | Disconnected from server
2023-07-15T14:46:26.536081+0000 | 15 | fastapi_websocket_rpc.websocket_rpc_c...|ERROR  | RPC Error
Traceback (most recent call last):
2023-07-15T14:28:07.670527+0000 | 15 | fastapi_websocket_rpc.websocket_rpc_c...|ERROR  | RPC Error
Traceback (most recent call last):

  File "/usr/local/lib/python3.10/site-packages/tenacity/_asyncio.py", line 50, in __call__
    result = await fn(*args, **kwargs)
                   │   │       └ {}
                   │   └ (<opal_client.policy_store.opa_client.OpaClient object at 0x7f86f9045a80>,)
                   └ <function OpaClient.get_policies at 0x7f86f9017760>
  File "/usr/local/lib/python3.10/site-packages/opal_client-0.7.3-py3.10.egg/opal_client/policy_store/opa_client.py", line 508, in get_policies
    result = await opa_response.json()
                   │            └ <function ClientResponse.json at 0x7f86f95335b0>
                   └ <ClientResponse(http://localhost:8181/v1/policies) [400 Bad Request]>
                     <CIMultiDictProxy()>
  File "/usr/local/lib/python3.10/site-packages/aiohttp/client_reqrep.py", line 1104, in json
    raise ContentTypeError(
          └ <class 'aiohttp.client_exceptions.ContentTypeError'>

aiohttp.client_exceptions.ContentTypeError: 0, message='Attempt to decode JSON with unexpected mimetype: ', url=URL('http://localhost:8181/v1/policies')

The above exception was the direct cause of the following exception:
It looks like OPAL is still connecting to OPA over http, not https.
o
I.e. export OPAL_POLICY_STORE_URL=https://localhost:8181
o
Hi, have you encountered such an error before? Does it mean the OPAL server and OPAL client didn't use the same OpenSSL version to generate the key or certificate? I ran the openssl commands on the same server and generated the files. I don't know why we got this issue.
opa-opal_client-1        | 2023-07-16T03:38:40.751134+0000 | 14 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | Trying server - wss://opal_server:7002/ws
opa-opal_server-1        | 2023-07-16T03:38:40.758776+0000 | 11 | uvicorn.protocols.http.httptools_impl   |WARNING | Invalid HTTP request received.
opa-opal_client-1        | 2023-07-16T03:38:40.760194+0000 | 14 | fastapi_websocket_rpc.websocket_rpc_c...| INFO  | RPC Connection failed - [SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1007)
Are the commands incorrect? I copied them from the example.
openssl req -x509 -newkey rsa:4096 -nodes -keyout server.key -out server.crt -days 365
openssl req -newkey rsa:4096 -nodes -keyout client.key -out client.csr
openssl x509 -req -in client.csr -CA server.crt -CAkey server.key -CAcreateserial -out client.crt -days 365
p
Hi, thanks for reaching out 😇; It seems most of the team is AFK(😴) at the moment, so our response might be delayed.
a
Hi @Oscar, are you using the same version of OPAL server and OPAL client? This is required.
o
[opa@ypvirtualserver06 opa]$ sudo docker images
REPOSITORY                  TAG       IMAGE ID       CREATED         SIZE
permitio/opal-server        latest    6e07435c5b51   2 weeks ago     442MB
permitio/opal-client        latest    dc657b771347   2 weeks ago     398MB
I use docker compose to install OPAL. All versions are the latest.
image: permitio/opal-server:latest
image: permitio/opal-client:latest
Or shall I specify the version for both server and client in the yml file?
a
Just checking I understand the context:
• Is it:
  ◦ you are running opal-client and opal-server (both latest)
  ◦ you are using secure mode (meaning you configured the private/public key to generate trust between them)
  ◦ and you got this error?
• Or is this error generated in the context of querying OPA with TLS?
Can you share your docker compose file?
I see, you are using a self-signed certificate. Maybe you are generating your certificate with a different SSL version? What are the commands you used for generating your certificate?
@Ro'e Katz maybe you can assist here?
o
This is for OPA:
openssl genrsa -out private.key 2048
openssl req -new -x509 -sha256 -key private.key -out public.crt -days 365
This is for OPAL:
openssl req -x509 -newkey rsa:4096 -nodes -keyout server.key -out server.crt -days 365
openssl req -newkey rsa:4096 -nodes -keyout client.key -out client.csr
openssl x509 -req -in client.csr -CA server.crt -CAkey server.key -CAcreateserial -out client.crt -days 365
I set up TLS for both OPA and OPAL:
[opa@ypvirtualserver06 opa]$ curl http://localhost:8181/
Client sent an HTTP request to an HTTPS server.
[opa@ypvirtualserver06 opa]$ curl -k https://localhost:8181/v1/data
{"result":{}}
[opa@ypvirtualserver06 opa]$

[opa@ypvirtualserver06 opa]$ curl https://localhost:7002/
curl: (35) SSL received a record that exceeded the maximum permissible length.
[opa@ypvirtualserver06 opa]$ curl http://localhost:7002/
{"status":"ok"}

[opa@ypvirtualserver06 opa]$ curl https://localhost:7766/
curl: (35) SSL received a record that exceeded the maximum permissible length.
[opa@ypvirtualserver06 opa]$ curl http://localhost:7766/
{"status":"unavailable"}
It looks like OPA is running as HTTPS, but the OPAL server and client are not correct.
a
@Oscar can you try to follow this tutorial and generate your certificates like shown here: https://github.com/permitio/opal/pull/104
I am noticing the key in the example is shorter - 2048 and not 4096.
Maybe there is a limitation in the SSL library.
r
Hi @Oscar, AFAIU, you're trying to do 2 different things:

Secure the connection between OPAL client & OPA
To do so you have to configure OPA itself to use TLS, which I see you've already taken care of using OPAL_INLINE_OPA_CONFIG. But you also have to make OPAL use TLS when connecting to OPA - this is a relatively new feature. To use it, set OPAL_POLICY_STORE_AUTH_TYPE=tls and then set POLICY_STORE_TLS_CLIENT_CERT, POLICY_STORE_TLS_CLIENT_KEY & POLICY_STORE_TLS_CA accordingly (all of which expect paths to files). But please notice that if you use OPA inline - there's no real need to secure its connection with OPAL (they're running in the same container), unless of course you have other consumers of OPA which communicate over the internet - in that case, setting TLS for OPA makes sense.

Secure the connection between OPAL client & OPAL server
I think there's some kind of confusion here - OPAL server doesn't support TLS. (We never bothered because so far users either deployed both the server & client in the same cloud environment (thus securing the connection isn't that crucial, or can be achieved by some kind of service mesh), or they deployed the client & server on different environments, but the server's TLS is terminated by some kind of external load balancer (which is usually much more convenient because it handles TLS with the right certificates for multiple services under the same domain). For that second scenario, the client supports enabling self-signed certificates or configuring a custom CA.) However, OPAL server does support secure mode in which clients are being authenticated. To use that feature please refer to this manual, and this example script.

Hope that helps. Let us know if you have further questions (I would advise trying out those features one by one rather than at the same time!)
o
@Ro'e Katz Thanks