OPAL Client
The OPAL Client has three main functionalities that need to be highlighted.
service:
opal_client:
image: permitio/opal-client:latest
environment:
- OPAL_SERVER_URL=http://opal_server:7002
- OPAL_LOG_FORMAT_INCLUDE_PID=true
- OPAL_INLINE_OPA_LOG_FORMAT=http
ports:
- "7766:7000"
- "8181:8181"
depends_on:
- opal_server
command: sh -c "./wait-for.sh opal_server:7002 --timeout=20 -- ./start.sh"
1. The OPAL client can run OPA for you as an inline process
The OPAL client docker image contains a built-in OPA agent, and can serve as fully-functional authorization microservice. OPA is solely responsible for enforcing and evaluating authorization queries.
OPAL is solely responsible for state-management, meaning it will keep the policy and data needed to evaluate queries up-to-date.
In our example docker-compose.yml file, OPA is enabled and runs on port :8181 which is exposed on the host machine.
ports:
- "7766:7000"
- "8181:8181"
OPAL will manage the OPA process. If the OPA process fails for some reason, OPAL will restart OPA and rehydrate the OPA cache with valid and up-to-date state. By rehydration, we mean that the policies and data will be re-downloaded.
2. The OPAL client syncs OPA with latest policy code
OPAL listens to policy code update notifications and downloads up-to-date policy bundles from the server.
3. The OPAL client syncs OPA with latest policy data
OPAL listens to policy data update notifications and fetches the data from the sources specified by the instructions sent from the server. OPAL can aggregate data from multiple sources. This may include your APIs, databases and 3rd party SaaS.
eOPA variant
OPAL Client supports running eOPA as the inline engine.
service:
opal_client:
image: permitio/opal-client-eopa:latest
See docker/docker-compose-example-eopa.yml for a full example. The engine exposes the same OPA-compatible HTTP API on :8181 while OPAL keeps policies and data synchronized.
Read more about eOPA here.