3

I'm new to OPA (Open Policy Agent) and trying to create a new policy using the REST API /v1/policies/{id}. It works! But the OPA server saves it to memory, and after rebooting all my policies are removed. How can I fix it? Which parameters should I use to persist created policies?

SQB
JavaDevS
Check out this article: https://dev.to/permit_io/load-external-data-into-opa-the-good-the-bad-and-the-ugly-26lc – Oded BD Apr 05 '22 at 11:47

2 Answers

2

OPA saves all policy and data used for evaluation in memory. Consider using Bundles to distribute policy and data to OPA. Furthermore, you have the option to persist activated bundles to disk for recovery purposes. When bundle persistence is enabled, OPA will attempt to read the bundle from disk on startup. The documentation covers more details about bundle persistence.

Ash Narkar
0

OPA saves policies and data in memory, as already mentioned by Ash; however, I'd like to add some interesting details. Persistence is possible in the following ways:

  • Disk: while possible, this should be used just to dump to disk what doesn't fit in memory, and it should never be used as a single source of truth. The data is stored in an embedded key-value database on disk. Please find more info here in the official documentation, possible configuration values here, and a description of the on-disk mechanism here. In particular, the documentation highlights that:

"The persistent disk storage enables OPA to work with data that does not fit into the memory resources granted to the OPA server. It is not supposed to be used as the primary source of truth for that data. The on-disk storage should be considered ephemeral: you need to secure the means to restore that data. Backup and restore, or repair procedures for data corruption are not provided at this time."

  • Using Bundles: this is the recommended way, where policies and data are fetched from a server. The official documentation suggests that bundles are gzipped tarballs that contain policies and data. The data files in the bundle must be organized hierarchically into directories inside the tarball and saved on servers. Supported server options also include Object Storage (Amazon S3, Google Cloud Storage, Azure Blob Storage), Nginx (mainly for testing purposes), and OCI-compatible registries.
AR1
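
The bundle persistence that both answers point to, written out as an OPA configuration file. This is an added example, not taken from either answer or from the OPA project; the service name, URL, bundle name, resource path and directory are assumed placeholders.

```yaml
# OPA configuration file (added example; names, URL and paths are placeholders).
# Policies pushed with PUT /v1/policies/{id} live only in memory and are lost
# on restart. A bundle declared here is downloaded again after every start and,
# with persist: true, is also cached on disk so OPA can load the last activated
# copy before the bundle server is reachable.

services:
  bundle_server:                        # assumed service name
    url: https://bundles.example.com    # assumed bundle server URL

bundles:
  authz:                                # assumed bundle name
    service: bundle_server
    resource: bundles/authz.tar.gz      # gzipped tarball of policies and data
    persist: true                       # write each activated bundle to disk
    polling:
      min_delay_seconds: 60
      max_delay_seconds: 120

# Directory where persisted bundles are written and read back on startup.
persistence_directory: /var/lib/opa     # assumed path
```

Start the server with `opa run --server --config-file config.yaml`. Keep the persistence directory writable only by the account OPA runs as, since a bundle read from it at startup is activated as policy.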