OPAL Client
The OPAL Client has three main functionalities that need to be highlighted.
service:
opal_client:
image: permitio/opal-client:latest
environment:
- OPAL_SERVER_URL=http://opal_server:7002
- OPAL_LOG_FORMAT_INCLUDE_PID=true
- OPAL_INLINE_OPA_LOG_FORMAT=http
ports:
- "7766:7000"
- "8181:8181"
depends_on:
- opal_server
command: sh -c "./wait-for.sh opal_server:7002 --timeout=20 -- ./start.sh"
1. The OPAL client can run OPA for you as an inline process
The OPAL client docker image contains a built-in OPA agent, and can serve as fully-functional authorization microservice. OPA is solely responsible for enforcing and evaluating authorization queries.
OPAL is solely responsible for state-management, meaning it will keep the policy and data needed to evaluate queries up-to-date.
In our example docker-compose.yml
file, OPA is enabled and runs on port :8181
which is exposed on the host machine.
ports:
- "7766:7000"
- "8181:8181"
OPAL will manage the OPA process. If the OPA process fails for some reason, OPAL will restart OPA and rehydrate the OPA cache with valid and up-to-date state. By rehydration, we mean that the policies and data will be re-downloaded.
2. The OPAL client syncs OPA with latest policy code
OPAL listens to policy code update notifications and downloads up-to-date policy bundles from the server.
3. The OPAL client syncs OPA with latest policy data
OPAL listens to policy data update notifications and fetches the data from the sources specified by the instructions sent from the server. OPAL can aggregate data from multiple sources. This may include your APIs, databases and 3rd party SaaS.