OPAL allows other components to notify it (and through it all the OPAL clients and their next-door policy agents) of data updates, triggering each client [subscribed to the published topic] to fetch the data it needs.
Let's try an example: say your application has a billing service, and you want to allow access only to users who have billing enabled (enforced via a policy agent).
You now need changes to the state of the billing service to be propagated to each of the enforcement points/agents (and preferably instantly [users who've paid don't like to wait 😅]).
With OPAL's data-update-triggers feature, the billing service, another service monitoring it, or even a person can trigger updates as they need, knowing OPAL will take it from there to all the points that need it.
Every service that publishes to OPAL needs a `datasource` identity token.
Obtaining one is easy, but you need access to the corresponding OPAL Server master token.
Obtain a data source token with the CLI:

```sh
opal-client obtain-token MY_MASTER_TOKEN --uri=https://opal.yourdomain.com --type datasource
```
If you don't want to use the CLI, you can obtain the JWT directly from the deployed OPAL server via its REST API:

```sh
curl --request POST 'https://opal.yourdomain.com/token' \
  --header 'Authorization: Bearer MY_MASTER_TOKEN' \
  --header 'Content-Type: application/json' \
  --data-raw '{
    "type": "datasource"
  }'
```

The `/token` API endpoint can receive more parameters, as documented here.
This example assumes that:
- You deployed OPAL server to `https://opal.yourdomain.com`
- The master token of your deployment is `MY_MASTER_TOKEN`.
  - In real life, use a cryptographically secure secret. If you followed our tutorials while deploying OPAL, you probably generated one with `opal-server generate-secret`.
There are a few ways to trigger updates:
The CLI command below can be run from both opal-client and opal-server.
Example:
- With `$token` being a JWT we generated in step 1,
- we publish a data-event regarding two topics, `users` and `billing`, pointing clients to `http://mybillingserver.com/users` to obtain the data they need. We also provide the clients with the credentials they'll need to connect to the server (as HTTP authorization headers):

```sh
opal-client publish-data-update $token --src-url http://mybillingserver.com/users -t users -t billing --src-config '{"headers":{"authorization":"bearer secret-token"}}'
```

- (Yes... We did... We put authorization in your authorization 😜 😅)
- See this recording showing the command, including getting the JWT for the server with the `obtain-token` command.
- All the APIs in OPAL are OpenAPI / Swagger based (via FastAPI).
- Check out the API docs on your running OPAL server; this link assumes you have the server running on `http://localhost:7002`
- You can also generate an API client in the language of your choice using the OpenAPI spec provided by the server
- One of the great things about OPAL being written in Python is that you can easily reuse its code.
  See the code for the `DataUpdate` model at `opal_common/schemas/data.py` and use it within your own code to send an update to the server
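
An added example (not code from the OPAL project) of publishing the same update from your own Python code: it builds the payload equivalent to the CLI call above, flags credential headers that clients would send over plain `http://`, and prepares the authenticated POST. The `/data/config` route and the `entries`/`url`/`topics`/`config`/`reason` field names are assumptions based on the `DataUpdate` schema, so confirm them in your server's API docs; the helper names and `DATASOURCE_JWT` are hypothetical placeholders.

```python
import json
from urllib.parse import urlsplit
from urllib.request import Request

# Header names treated as credentials (illustrative list, extend for your services).
SECRET_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}

def build_data_update(src_url, topics, headers=None, reason=""):
    """Build a dict shaped like a DataUpdate with a single data source entry."""
    parts = urlsplit(src_url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"src_url must be an absolute http(s) URL: {src_url!r}")
    if not topics:
        raise ValueError("at least one topic is required")
    entry = {"url": src_url, "topics": list(topics),
             "config": {"headers": dict(headers or {})}}
    return {"entries": [entry], "reason": reason}

def plaintext_secret_headers(update):
    """Return (url, header) pairs where a credential would travel over http://."""
    findings = []
    for entry in update["entries"]:
        if urlsplit(entry["url"]).scheme != "https":
            for name in entry.get("config", {}).get("headers", {}):
                if name.lower() in SECRET_HEADERS:
                    findings.append((entry["url"], name))
    return findings

def build_publish_request(server_url, datasource_token, update):
    """Prepare, without sending, the POST that publishes the update."""
    return Request(
        server_url.rstrip("/") + "/data/config",  # assumed default route
        data=json.dumps(update).encode(),
        headers={"Authorization": f"Bearer {datasource_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )

if __name__ == "__main__":
    # Constructed sample mirroring the CLI example; the token is a placeholder.
    update = build_data_update("http://mybillingserver.com/users", ["users", "billing"],
                               {"authorization": "bearer secret-token"}, "billing changed")
    for url, header in plaintext_secret_headers(update):
        print(f"warning: {header!r} header for {url} would be sent without TLS")
    req = build_publish_request("https://opal.yourdomain.com", "DATASOURCE_JWT", update)
    print(req.get_method(), req.full_url)
    print(json.dumps(update, indent=2))
```

Pass the prepared request to `urllib.request.urlopen` to actually publish it once the plaintext check comes back empty.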