OPAL server sourcing different policies & external datasources per OPAL client?

[leefernandes]

Hi, we're considering OPAL in review as a potential tool to administrate external datasourcing for a system where many APIs are codeployed with OPA agents, and each agent has it's own policy & external datasource configuration.

Based on the architectural diagrams it appears that we would be able to deploy a single opal-server with opal-clients codeployed with the open policy agents, which is great. What's unclear when looking at examples is how to configure individual (isolated) policy locations, and external datasources per opal-client.

Based on configuration details it looks like opal-server is limited to specifying a single policy repo for all opal-clients. Is this an accurate assessment?

      # the git repo hosting our policy
      # - if this repo is not public, you can pass an ssh key via `OPAL_POLICY_REPO_SSH_KEY`)
      # - the repo we pass in this example is *public* and acts as an example repo with dummy rego policy
      # - for more info, see: https://docs.opal.ac/tutorials/track_a_git_repo
      - OPAL_POLICY_REPO_URL=https://github.com/permitio/opal-example-policy-repo

I'm hoping for granular policy sourcing where an opal-server is sourcing N opal-clients each with their own policy sources.

I have the same question for external datasources. Can they be configured individually per opal-client? The example configuration doesn't demonstrate a way to associate a client to datasource configuration, giving me the impression that opal-server serves up the same external datasources to all opal-clients. Is this an accurate assesment?

      # configures from where the opal client should initially fetch data (when it first goes up, after disconnection, etc).
      # the data sources represents from where the opal clients should get a "complete picture" of the data they need.
      # after the initial sources are fetched, the client will subscribe only to update notifications sent by the server.
      - OPAL_DATA_CONFIG_SOURCES={"config":{"entries":[{"url":"http://opal_server:7002/policy-data","topics":["policy_data"],"dst_path":"/static"}]}}

Is it possible to configure an opal-server to serve N opal-clients where policy source & external data sources are custom per opal-client? If so is there documentation and/or examples of this?

Much appreciated.

[leefernandes]

Ok, I think I've found the answer to sourcing custom policies per opal-client here.

OPAL client can subscribe to multiple policy topics, topics are based on paths where each path is a directory in the policy git repository (relative path to the root of the repository).

The policy directories the client will subscribe to are specified by the environment variable OPAL_POLICY_SUBSCRIPTION_DIRS passed to the client. The default is "." meaning the root directory in the branch (i.e: essentially all .rego and data.json files in the branch).

Is there something similar in OPAL-server for controlling which external datasources are pushed to individual opal-clients?

[leefernandes]

Ok, I think I've found the answer for configuring clients with targeted data sources here.

It looks like opal-clients are configured to subscribe to the opal-server's data topics.

Step 4: Client config - data topics (Optional)

You can configure which topics for data updates the client will subscribe to. This is great if you want more granularity in your data model, for example:

Enabling multi-tenancy: you deploy each customer (tenant) with his own OPA agent, each agent's OPAL client will subscribe only to the relevant tenant's topic.

[orweis]

Yes topics, are a key part of what you're looking for, and would be the main way you set different data subscriptions for different clients.

In addition the primary feature you're probably looking for is OPAL scopes: https://docs.opal.ac/overview/scopes
These enable you to set a whole different config with different repository even for each client.