Triggering Data Updates
OPAL allows for other components to notify it (and through it all the OPAL clients , and their next-door policy agents) of data updates, triggering each client [subscribed to the published topic] to fetch the data it needs.
What is this good for?
Let's try an example - say your application has a billing service, and you want to allow access only to users who have billing enabled (enforced via a policy agent). You now need changes to the state of the billing service to be propagated to each of the enforcement points/agents (and preferably instantly [Users who've paid - don't like to wait 😅 ]). With the OPAL's data-update-triggers feature the billing-service, another service monitoring it, or even a person can trigger updates as they need - knowing OPAL will take it from there to all the points that need it.
First, you need to obtain a data-source identity token (JWT)
Every service that publishes to OPAL needs a datasource identity token.
Obtaining one is easy, but you need access to the corresponding OPAL Server master token.
Obtain a data source token with the cli:
opal-client obtain-token MY_MASTER_TOKEN --uri=https://opal.yourdomain.com --type datasource
If you don't want to use the cli, you can obtain the JWT directly from the deployed OPAL server via its REST API:
curl --request POST 'https://opal.yourdomain.com/token' \
--header 'Authorization: Bearer MY_MASTER_TOKEN' \
--header 'Content-Type: application/json' \
--data-raw '{
"type": "datasource",
}'
The /token API endpoint can receive more parameters, as documented here.
This example assumes that:
- You deployed OPAL server to
https://opal.yourdomain.com - The master token of your deployment is
MY_MASTER_TOKEN.- In real life, use a cryptographically secure secret. If you followed our tutorials while deploying OPAL, you probably generated one with
opal-server generate-secret.
- In real life, use a cryptographically secure secret. If you followed our tutorials while deploying OPAL, you probably generated one with
How to trigger updates
There are a few ways to trigger updates:
Option 1: Trigger a data update with the CLI
Can be run both from opal-client and opal-server.
Example:
With
$tokenbeing a JWT we generated in step 1.we publish a data-event regarding two topics
usersandbillingpointing clients tohttp://mybillingserver.com/usersto obtain the data they need. we also provide the clients with the credentials they'll need to connect to the server (as HTTP authorization headers)opal-client publish-data-update $token --src-url http://mybillingserver.com/users -t users -t billing --src-config '{"headers":{"authorization":"bearer secret-token"}}'(Yes... We did... We put authorization in your authorization 😜 😅 )
See this recording showing the command including getting the JWT for the server with the
obtain-tokencommand.
Option 2: Trigger a data update with OPAL Server REST API
- All the APIs in opal are OpenAPI / Swagger based (via FastAPI).
- Check out the API docs on your running OPAL-server -- this link assumes you have the server running on
http://localhost:7002 - You can also generate an API-client in the language of your choice using the OpenAPI spec provided by the server
Option 3: Write your own - import code from the OPAL's packages
- One of the great things about OPAL being written in Python is that you can easily reuse its code.
See the code for the
DataUpdatemodel at opal_common/schemas/data.py and use it within your own code to send an update to the server