Add support to negated paths definition in the variable containing paths to ignore on policies updates (#642)

* feat(issue-641): add support to negated paths definition

* feat(issue-641): add a clearer description to the documentation

* feat(issue-641): reformat files

---------

Co-authored-by: Dan Yishai <[email protected]>
disaverio and danyi1212 authored Dec 2, 2024
1 parent 297e864 commit 1442832
Showing 6 changed files with 159 additions and 32 deletions.
46 changes: 23 additions & 23 deletions documentation/docs/getting-started/configuration.mdx
Expand Up @@ -120,29 +120,29 @@ Please use this table as a reference.

## OPAL Client Configuration Variables

| Variables | Description | Example |
| ------------------------------------- |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| ------------------------------------ |
| POLICY_STORE_TYPE | | |
| POLICY_STORE_AUTH_TYPE | The authentication method for connecting to the policy store. Possible values are `oauth` or `token` | |
| POLICY_STORE_AUTH_TOKEN | The authentication (bearer) token OPAL client will use to authenticate against the policy store (i.e: OPA agent). | |
| POLICY_STORE_AUTH_OAUTH_SERVER | The authentication server OPAL client will use to authenticate against for retrieving the access_token. | |
| POLICY_STORE_AUTH_OAUTH_CLIENT_ID | The client id OPAL will use to authenticate against the OAuth server. | |
| POLICY_STORE_AUTH_OAUTH_CLIENT_SECRET | The client secret OPAL will use to authenticate against the OAuth server. | |
| POLICY_STORE_CONN_RETRY | Retry options when connecting to the policy store (i.e. the agent that handles the policy, e.g. OPA). | |
| POLICY_STORE_POLICY_PATHS_TO_IGNORE | Which policy paths pushed to the client should be ignored. List of glob style paths, or paths without wildcards but ending with "/\*\*" indicating a parent path (ignoring all under it). | |
| INLINE_OPA_ENABLED | Whether or not OPAL should run OPA by itself in the same container. | |
| INLINE_OPA_EXEC_PATH | The path to the OPA executable. | |
| INLINE_OPA_CONFIG | If inline OPA is indeed enabled, the user can set the [server configuration options](https://docs.opal.ac/getting-started/running-opal/run-opal-client/opa-runner-parameters) that affects how OPA will start when running `opa run --server` inline. Watch escaping quotes. | \{"config_file":"/mnt/opa/config"\} |
| INLINE_OPA_LOG_FORMAT | | |
| INLINE_CEDAR_ENABLED | Whether or not OPAL should run Cedar agent by itself in the same container. | |
| INLINE_CEDAR_EXEC_PATH | The path to the Cedar agent executable. | |
| INLINE_CEDAR_CONFIG | If inline Cedar is indeed enabled, provide options for running the Cedar agent | |
| INLINE_CEDAR_LOG_FORMAT | | |
| KEEP_ALIVE_INTERVAL | | |
| OFFLINE_MODE_ENABLED | If set, opal client will try to load policy store from backup file and operate even if server is unreachable. Ignored if INLINE_OPA_ENABLED=False | |
| STORE_BACKUP_PATH | Path to backup policy store's data to | |
| STORE_BACKUP_INTERVAL | Interval in seconds to backup policy store's data | |
| POLICY_UPDATER_ENABLED | If set to `FALSE`, OPAL Client will not fetch policies or listen to policy updates. | |
| Variables | Description | Example |
| ------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ |
| POLICY_STORE_TYPE | | |
| POLICY_STORE_AUTH_TYPE | The authentication method for connecting to the policy store. Possible values are `oauth` or `token` | |
| POLICY_STORE_AUTH_TOKEN | The authentication (bearer) token OPAL client will use to authenticate against the policy store (i.e: OPA agent). | |
| POLICY_STORE_AUTH_OAUTH_SERVER | The authentication server OPAL client will use to authenticate against for retrieving the access_token. | |
| POLICY_STORE_AUTH_OAUTH_CLIENT_ID | The client id OPAL will use to authenticate against the OAuth server. | |
| POLICY_STORE_AUTH_OAUTH_CLIENT_SECRET | The client secret OPAL will use to authenticate against the OAuth server. | |
| POLICY_STORE_CONN_RETRY | Retry options when connecting to the policy store (i.e. the agent that handles the policy, e.g. OPA). | |
| POLICY_STORE_POLICY_PATHS_TO_IGNORE | Which policy paths pushed to the client should be ignored. List of glob style paths, or paths without wildcards but ending with "/\*\*" indicating a parent path (ignoring all under it). It does support paths starting with '!' to force to not ignore them: a negated path would always take precedence, so if, e.g., both `!myFolder/**` and `myFolder/subFolder/**` are defined then `myFolder/subFolder/**` will not be ignored. | |
| INLINE_OPA_ENABLED | Whether or not OPAL should run OPA by itself in the same container. | |
| INLINE_OPA_EXEC_PATH | The path to the OPA executable. | |
| INLINE_OPA_CONFIG | If inline OPA is indeed enabled, the user can set the [server configuration options](https://docs.opal.ac/getting-started/running-opal/run-opal-client/opa-runner-parameters) that affects how OPA will start when running `opa run --server` inline. Watch escaping quotes. | \{"config_file":"/mnt/opa/config"\} |
| INLINE_OPA_LOG_FORMAT | | |
| INLINE_CEDAR_ENABLED | Whether or not OPAL should run Cedar agent by itself in the same container. | |
| INLINE_CEDAR_EXEC_PATH | The path to the Cedar agent executable. | |
| INLINE_CEDAR_CONFIG | If inline Cedar is indeed enabled, provide options for running the Cedar agent | |
| INLINE_CEDAR_LOG_FORMAT | | |
| KEEP_ALIVE_INTERVAL | | |
| OFFLINE_MODE_ENABLED | If set, opal client will try to load policy store from backup file and operate even if server is unreachable. Ignored if INLINE_OPA_ENABLED=False | |
| STORE_BACKUP_PATH | Path to backup policy store's data to | |
| STORE_BACKUP_INTERVAL | Interval in seconds to backup policy store's data | |
| POLICY_UPDATER_ENABLED | If set to `FALSE`, OPAL Client will not fetch policies or listen to policy updates. | |

## Policy Updater Configuration Variables
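Review bot: The added sentence in the POLICY_STORE_POLICY_PATHS_TO_IGNORE row should say explicitly that negation wins independent of the order in which entries appear; "a negated path would always take precedence" implies this, but the example (`!myFolder/**` together with `myFolder/subFolder/**` leaving `myFolder/subFolder/**` un-ignored) only reads unambiguously if order-independence is stated outright, and this is exactly the detail an operator will rely on when a more specific ignore pattern silently stops applying. Suggested wording: "Entries prefixed with `!` are negated and always take precedence over ignore patterns, regardless of order; e.g. if both `!myFolder/**` and `myFolder/subFolder/**` are defined, `myFolder/subFolder/**` is not ignored." Two smaller points: "force to not ignore them" should read "prevent them from being ignored", and `!` should be in backticks like the other literals in the row rather than in single quotes. The Example column for this row is still empty; a concrete value showing how a list with a negated entry is written would save readers guessing at the format.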
