# opal
Hi @Priya reddy ☺️ Someone will be with you shortly to address your question 😎
Thanks Filip, sure no hurry at all! This can wait and it's Sunday too 🙂
The short answer is topics: clients can subscribe to (multiple) whichever topics you decide on; a topic can designate a single client or a set of clients. Note there are different topics for data and policy. Check out the guide here: https://docs.opal.ac/getting-started/running-opal/as-docker-image/run-opal#step-4-client-config---data-topics-optional
I’ll let @Asaf Cohen elaborate if needed
Hey @Priya reddy, the long answer is that you can specify the permitted topics for the OPAL client in the OPAL_DATA_TOPICS environment variable; these are the topics that the sidecar will subscribe to. You can also enforce that at the OPAL server auth level. When you generate a "client" token using POST /token, you can add `permitted_topics` to the claims object, which is a list of permitted topics for that specific client. Note that if you provide an unauthorized data topic in the client OPAL_DATA_TOPICS environment variable, you will get an Unauthorized error from the OPAL server for trying to subscribe to an unauthorized topic. You can see the actual function that validates it in: https://github.com/permitio/opal/blob/master/packages/opal-common/opal_common/authentication/authz.py#L30
Thank you Weis and Omer for the quick reply. I will try that out and will update.
Hi Omer, Weis, can I configure an Azure AD token for the JWT issuer and authenticate here? https://github.com/permitio/opal/blob/master/docker/docker-compose-with-security.yml#L78
Hey @Priya reddy, yes, you can. You will need to provide the following parameters:
OPAL_AUTH_PRIVATE_KEY
OPAL_AUTH_PRIVATE_KEY_FORMAT
OPAL_AUTH_PRIVATE_KEY_PASSPHRASE (optional, necessary only if the private key has a passphrase)
OPAL_AUTH_PUBLIC_KEY
OPAL_AUTH_PUBLIC_KEY_FORMAT
OPAL_AUTH_JWT_ALGORITHM
OPAL_AUTH_JWT_AUDIENCE
OPAL_AUTH_JWT_ISSUER
OPAL_MASTER_TOKEN - basically this token is used to authenticate the request for generating the signed JWT tokens (the POST /token request); you should send it as a Bearer token when calling this request.
You can define the same audience, JWT issuer and public key as used by Azure AD, and then sign tokens with Azure AD. However, you need to make sure they contain the set of claims used by OPAL JWTs (create one using OPAL and inspect it).
Thank you for the quick response, I am trying it out.
Hi Omer, Asaf, thank you, I was able to configure it with security, authenticating with Azure AD. I am still unable to configure multi-tenancy for my clients. For now I removed the authentication part, just trying out pub-sub client-server policy and data updates. So here are the config sources for my server:
```yaml
- name: OPAL_DATA_CONFIG_SOURCES
  value: '{"config":{"entries":[{"url":"http://opal-server.opal.svc.cluster.local:7002/topic1","topics":["topic1"],"dst_path":"/tenant/tenant1"}]}}'
```
and my client:
```yaml
- name: OPAL_DATA_TOPICS
  value: topic1
- name: OPAL_POLICY_SUBSCRIPTION_DIRS
  value: tenant/tenant1
```
For now I am just trying to configure it with one client, and if it works I will apply it to multiple clients. When I have the policy-data in this way, my client is able to subscribe:
```yaml
- name: OPAL_DATA_CONFIG_SOURCES
  value: '{"config":{"entries":[{"url":"http://opal-server.opal.svc.cluster.local:7002/policy-data","topics":["policy_data"],"dst_path":"/static"}]}}'
```
It would be nice if there were examples of how to configure this with multiple clients.
@Ori Shavit can you please help here?
Hey @Priya reddy, check out this section of the docs: https://docs.opal.ac/tutorials/track_a_git_repo#2-opal-client-subscribes-to-policy-update-notifications You can set up multi-tenancy for policy by having each tenant's policies in a separate directory in your policy repo and utilizing OPAL_POLICY_SUBSCRIPTION_DIRS in each client to select the policy for each of these repos. If you need even more advanced policy separation (a separate git repo for each customer; most likely you don't need it and can simply use the tutorial above), we have a more advanced feature currently in beta called OPAL scopes that you can try out (and the author @Ori Shavit will gladly help you set it up).