OPAL Configuration Variables
Provided on this page is a full list of all the OPAL configuration variabls for the OPAL Client and the OPAL Server. Please use this table as a reference.
Common OPAL Configuration Variables
| Variables | Description | Example |
|---|---|---|
| ALLOWED_ORIGINS | ||
| PROCESS_NAME | The process name to be shown in logs. | |
| LOG_FORMAT_INCLUDE_PID | ||
| LOG_FORMAT | ||
| LOG_TRACEBACK | ||
| LOG_SERIALIZE | Serialize log messages into json format (useful for log aggregation platforms) | |
| LOG_SHOW_CODE_LINE | ||
| LOG_LEVEL | ||
| LOG_MODULE_EXCLUDE_LIST | ||
| LOG_MODULE_INCLUDE_LIST | ||
| LOG_PATCH_UVICORN_LOGS | Takeover UVICORN's logs so they appear in the main logger. | |
| LOG_TO_FILE | ||
| LOG_FILE_PATH | Path to define where to save the log file. | |
| LOG_FILE_ROTATION | ||
| LOG_FILE_RETENTION | ||
| LOG_FILE_COMPRESSION | ||
| LOG_FILE_SERIALIZE | Serialize log messages in file into json format (useful for log aggregation platforms) | |
| LOG_FILE_LEVEL | ||
| LOG_DIAGNOSE | Include diagnosis in log messages | |
| STATISTICS_ENABLED | Collect statistics about OPAL clients. | |
| STATISTICS_ADD_CLIENT_CHANNEL | The topic to update about the new OPAL clients connection. | |
| STATISTICS_REMOVE_CLIENT_CHANNEL | The topic to update about the OPAL clients disconnection. | |
| FETCH_PROVIDER_MODULES | ||
| FETCHING_WORKER_COUNT | ||
| FETCHING_CALLBACK_TIMEOUT | ||
| FETCHING_ENQUEUE_TIMEOUT | ||
| GIT_SSH_KEY_FILE | ||
| CLIENT_SELF_SIGNED_CERTIFICATES_ALLOWED | Whether or not OPAL Client will trust HTTPs connections protected by self signed certificates. Not to be used in Production. | |
| CLIENT_SSL_CONTEXT_TRUSTED_CA_FILE | A path to your own CA public certificate file (usually a .crt or a .pem file). Certificates signed by this issuer will be trusted by OPAL Client. Not to be used in Production. | |
| AUTH_PUBLIC_KEY_FORMAT | ||
| AUTH_PUBLIC_KEY | ||
| AUTH_JWT_ALGORITHM | JWT algorithm. See possible values here. | |
| AUTH_JWT_AUDIENCE | ||
| AUTH_JWT_ISSUER |
OPAL Server Configuration Variables
| Variables | Description | Example |
|---|---|---|
| AUTH_JWT_ISSUER | ||
| AUTH_JWT_ISSUER | ||
| CLIENT_LOAD_LIMIT_NOTATION | If supplied, rate limit would be enforced on the servers websocket endpoint. Format is limits-style notation (e.g. 10 per second). Learn more. | |
| BROADCAST_URI | ||
| BROADCAST_CHANNEL_NAME | ||
| BROADCAST_CONN_LOSS_BUGFIX_EXPERIMENT_ENABLED | ||
| AUTH_PRIVATE_KEY_FORMAT | ||
| AUTH_PRIVATE_KEY_PASSPHRASE | ||
| AUTH_PRIVATE_KEY | ||
| AUTH_JWKS_URL | ||
| AUTH_JWKS_STATIC_DIR | ||
| AUTH_MASTER_TOKEN | ||
| POLICY_SOURCE_TYPE | Set your policy source, this can be GIT / API. | |
| POLICY_REPO_URL | Set your remote repo URL - this is relevant only to GIT source type E.g. view example. | |
| POLICY_BUNDLE_URL | Set your API bundle URL, this is relevant only to API source type. | |
| POLICY_REPO_CLONE_PATH | Base path to create local git folder inside this path, that manages policy change. | |
| POLICY_REPO_CLONE_FOLDER_PREFIX | Prefix for the local git folder. | |
| POLICY_REPO_REUSE_CLONE_PATH | Set if OPAL server should use a fixed clone path (and reuse if it already exists) instead of randomizing its suffix on each run. | |
| POLICY_REPO_MAIN_BRANCH | ||
| POLICY_REPO_SSH_KEY | ||
| POLICY_REPO_MANIFEST_PATH | Path of the directory holding the '.manifest' file (updated way), or of the manifest file itself (old way). Repo's root is used by default. | |
| POLICY_REPO_CLONE_TIMEOUT | If set to 0, waits forever until successful clone. | |
| LEADER_LOCK_FILE_PATH | ||
| POLICY_BUNDLE_SERVER_TYPE | HTTP (authenticated with bearer token, or nothing), AWS-S3(Authenticated with AWS REST Auth | AWS-S3 |
| POLICY_BUNDLE_SERVER_TOKEN_ID | The Secret Token Id (AKA user id, AKA access-key) sent to the API bundle server. | AKIAIOSFODNN7EXAMPLE |
| POLICY_BUNDLE_SERVER_TOKEN | The Secret Token (AKA password, AKA secret-key) sent to the API bundle server. | wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY |
| POLICY_BUNDLE_TMP_PATH | Path for temp policy file. It needs to be writable. | |
| POLICY_BUNDLE_GIT_ADD_PATTERN | File pattern to add files to all the git default files. | |
| REPO_WATCHER_ENABLED | ||
| PUBLISHER_ENABLED | ||
| BROADCAST_KEEPALIVE_INTERVAL | The time to wait between sending two consecutive broadcaster keepalive messages. | |
| BROADCAST_KEEPALIVE_TOPIC | The topic on which we should send broadcaster keepalive messages. | |
| MAX_CHANNELS_PER_CLIENT | Max number of records per client, after this number it will not be added to statistics, relevant only if STATISTICS_ENABLED. | |
| STATISTICS_WAKEUP_CHANNEL | The topic a waking-up OPAL server uses to notify others he needs their statistics data. | |
| STATISTICS_STATE_SYNC_CHANNEL | The topic other servers with statistics provide their state to a waking-up server. | |
| ALL_DATA_TOPIC | Top level topic for data. | |
| ALL_DATA_ROUTE | ||
| ALL_DATA_URL | URL for all data config [If you choose to have it all at one place]. | |
| DATA_CONFIG_ROUTE | URL to fetch the full basic configuration of data. | |
| DATA_CALLBACK_DEFAULT_ROUTE | Exists as a sane default in case the user did not set OPAL_DEFAULT_UPDATE_CALLBACKS. | |
| DATA_CONFIG_SOURCES | Configuration of data sources by topics. | |
| DATA_UPDATE_TRIGGER_ROUTE | URL to trigger data update events. | |
| POLICY_REPO_WEBHOOK_SECRET | ||
| POLICY_REPO_WEBHOOK_TOPIC | ||
| POLICY_REPO_WEBHOOK_ENFORCE_BRANCH | ||
| POLICY_REPO_WEBHOOK_PARAMS | ||
| POLICY_REPO_POLLING_INTERVAL | ||
| ALLOWED_ORIGINS | ||
| FILTER_FILE_EXTENSIONS | ||
| NO_RPC_LOGS | ||
| SERVER_WORKER_COUNT | (If run using the CLI) - Worker count for the server [Default calculated to CPU-cores]. | |
| SERVER_HOST | (If run using the CLI) - Address for the server to bind. | |
| SERVER_BIND_PORT | (If run using the CLI) - Port for the server to bind. (replaces deprecated SERVER_PORT) | |
| ENABLE_DATADOG_APM | Set if OPAL server should enable tracing with datadog APM. | |
| SCOPES | ||
| REDIS_URL | ||
| BASE_DIR | ||
| POLICY_REFRESH_INTERVAL | ||
| OPAL_WS_ROUTE | ||
| SERVER_WS_URL | ||
| SERVER_PUBSUB_URL | ||
| CLIENT_TOKEN | The OPAL Server Auth Token. | |
| CLIENT_API_SERVER_WORKER_COUNT | (If run using the CLI) - Worker count for the opal-client's internal server. | |
| CLIENT_API_SERVER_HOST | (If run using the CLI) - Address for the opal-client's internal server to bind. | |
| CLIENT_API_SERVER_PORT | (If run using the CLI) - Port for the opal-client's internal server to bind. | |
| WAIT_ON_SERVER_LOAD | If set, client would wait for 200 from server's loadlimit endpoint before starting background tasks. | |
| OPAL_POLICY_REPO_URL | The repo url the policy repo is located at. Must be available from the machine running OPAL (opt for public internet addresses). Supported URI schemes: https:// and ssh (i.e: git@). | |
| OPAL_POLICY_REPO_SSH_KEY | The content of the var is a private crypto key (i.e: SSH key). You will need to register the matching public key with your repo. For example, see the GitHub tutorial on the subject. The passed value must be the contents of the SSH key in one line (replace new-line with underscore, i.e: \n with _). | |
| OPAL_POLICY_REPO_CLONE_PATH | Where (i.e: base target path) to clone the repo in your docker filesystem (not important unless you mount a docker volume). | |
| OPAL_POLICY_REPO_MAIN_BRANCH | Name of the git branch to track for policy files (default: master). | |
| OPAL_BUNDLE_IGNORE | Paths to omit from policy bundle. List of glob style paths, or paths without wildcards but ending with "/**" indicating a parent path (ignoring all under it). | bundle_ignore: Optional[List[str]] |
OPAL Client Configuration Variables
| Variables | Description | Example |
|---|---|---|
| POLICY_STORE_TYPE | ||
| POLICY_STORE_AUTH_TYPE | The authentication method for connecting to the policy store. Possible values are oauth or token | |
| POLICY_STORE_AUTH_TOKEN | The authentication (bearer) token OPAL client will use to authenticate against the policy store (i.e: OPA agent). | |
| POLICY_STORE_AUTH_OAUTH_SERVER | The authentication server OPAL client will use to authenticate against for retrieving the access_token. | |
| POLICY_STORE_AUTH_OAUTH_CLIENT_ID | The client id OPAL will use to authenticate against the OAuth server. | |
| POLICY_STORE_AUTH_OAUTH_CLIENT_SECRET | The client secret OPAL will use to authenticate against the OAuth server. | |
| POLICY_STORE_CONN_RETRY | Retry options when connecting to the policy store (i.e. the agent that handles the policy, e.g. OPA). | |
| POLICY_STORE_POLICY_PATHS_TO_IGNORE | Which policy paths pushed to the client should be ignored. List of glob style paths, or paths without wildcards but ending with "/**" indicating a parent path (ignoring all under it). | |
| INLINE_OPA_ENABLED | Whether or not OPAL should run OPA by itself in the same container. | |
| INLINE_OPA_EXEC_PATH | The path to the OPA executable. | |
| INLINE_OPA_CONFIG | If inline OPA is indeed enabled, the user can set the server configuration options that affects how OPA will start when running opa run --server inline. Watch escaping quotes. | {"config_file":"/mnt/opa/config"} |
| INLINE_OPA_LOG_FORMAT | ||
| INLINE_CEDAR_ENABLED | Whether or not OPAL should run Cedar agent by itself in the same container. | |
| INLINE_CEDAR_EXEC_PATH | The path to the Cedar agent executable. | |
| INLINE_CEDAR_CONFIG | If inline Cedar is indeed enabled, provide options for running the Cedar agent | |
| INLINE_CEDAR_LOG_FORMAT | ||
| KEEP_ALIVE_INTERVAL | ||
| OFFLINE_MODE_ENABLED | If set, opal client will try to load policy store from backup file and operate even if server is unreachable. Ignored if INLINE_OPA_ENABLED=False | |
| STORE_BACKUP_PATH | Path to backup policy store's data to | |
| STORE_BACKUP_INTERVAL | Interval in seconds to backup policy store's data | |
| POLICY_UPDATER_ENABLED | If set to FALSE, OPAL Client will not fetch policies or listen to policy updates. |
Policy Updater Configuration Variables
| Variables | Description | Example |
|---|---|---|
| POLICY_SUBSCRIPTION_DIRS | The directories in a policy repo we should subscribe to for policy code (rego) modules. | |
| POLICY_UPDATER_CONN_RETRY | Retry options when connecting to the policy source (e.g. the policy bundle server |
Data Updater Configuration Variables
| Variables | Description | Example |
|---|---|---|
| DATA_UPDATER_ENABLED | If set to FALSE, OPAL Client will not listen to dynamic data updates. | |
| DATA_TOPICS | Data topics to subscribe to. | |
| DEFAULT_DATA_SOURCES_CONFIG_URL | Default URL to fetch data configuration from. | |
| DEFAULT_DATA_URL | Default URL to fetch data from. | |
| SHOULD_REPORT_ON_DATA_UPDATES | Should the client report on updates to callbacks defined in DEFAULT_UPDATE_CALLBACKS or within the given updates. | |
| DEFAULT_UPDATE_CALLBACK_CONFIG | ||
| DEFAULT_UPDATE_CALLBACKS | Where/How the client should report on the completion of data updates. | |
| DATA_UPDATER_CONN_RETRY | Retry options when connecting to the base data source (e.g. an external API server which returns data snapshot). | |
| DATA_STORE_CONN_RETRY | DEPTRECATED - The old confusing name for DATA_UPDATER_CONN_RETRY, kept for backwards compatibilit (for now) |
OPA Transaction Log / Healthcheck Configuration Variables
| Variables | Description | Example |
|---|---|---|
| OPA_HEALTH_CHECK_POLICY_ENABLED | Should we load a special healthcheck policy into OPA that checks that opa was synced correctly and is ready to answer to authorization queries. | |
| OPA_HEALTH_CHECK_TRANSACTION_LOG_PATH | Path to OPA document that stores the OPA write transactions. | |
| OPAL_CLIENT_STAT_ID | Unique client statistics identifier. | |
| OPA_HEALTH_CHECK_POLICY_PATH | ||
| SCOPE_ID |