OPA policy groups import

[adwiza]

Hello.
I have a configmap opagroups in the namespace opa-prod with data.json with groups
but groups are not work, how to import them from this configmap correctly, or also have integration
trino with keycloak and it works as expected, may be I could get groups from keycloak?
version stackable 24.11.1 and version of OPA 0.67.1

{
  "dataops": ["a.user1"],
  "analytics": ["b.user2"]
}

and trino.rego file

            package trino

            import data.bundles.opagroups.dataops
            import data.bundles.opagroups.analytics


            import future.keywords.contains
            import future.keywords.in
            import future.keywords.if

            default allow = false

            allow {
              input.user == "admin"
            }

            group_member(group) if input.context.identity.user in data.groups[group]
            user_is_group_member(user, group) if user in data.groups[group]

            # Full Access for admin user, dataops and analytics groups
            allow {
              group_member("admin")
            }
            batch[i] {
              some i
              input.action.filterResources[i]
              group_member("admin")
            }

            allow {
              group_member("dataops")
            }
            batch[i] {
              some i
              input.action.filterResources[i]
              group_member("dataops")
            }

            allow {
              group_member("analytics")
            }
            batch[i] {
              some i
              input.action.filterResources[i]
              group_member("analytics")
            }
.....
            data := {
              "groups" : {
                "admin": ["admin"],
                "dataops": dataops,
                "analytics": analytics,        
              },
              "catalog_acls" : [
                {
                  "catalog": "icebergnessie",
                  "full": ["analytics", "dataops"],
                },
                {
                  "catalog": "iceberg",
                  "full": ["analytics", "dataops"],
                }
              ],

[maltesander]

Hi @adwiza,

please have a look at the User Info Fetcher of the OPA operator.

You can configure it to automatically request a user groups in Keycloak and use that in your rego decisions.

Malte

[adwiza]

Hi @maltesander I have already done it, but it still not works

apiVersion: opa.stackable.tech/v1alpha1 kind: OpaCluster metadata: name: opa namespace: opa spec: image: productVersion: "${productVersion}" stackableVersion: "${stackableVersion}" clusterConfig: userInfo: backend: keycloak: hostname: sso.local port: 443 tls: verification: server: caCert: secretClass: external-tls-class clientCredentialsSecret: oidc-secret adminRealm: lakehouse userRealm: lakehouse cache: # optional, enabled by default entryTimeToLive: 60s # optional, defaults to 60s servers: config: logging: enableVectorAgent: false containers: opa: console: level: DEBUG

` kind: ConfigMap
apiVersion: v1
metadata:
name: opa
namespace: opa
data:
trino.rego: |
package trino

        import future.keywords.contains
        import future.keywords.in
        import future.keywords.if

        default allow = false
        
        allow if {
            user := data.stackable.opa.userinfo.v1.userInfoById(input.userId)
            "/dataops" in user.groups
        }`

[maltesander]

Hi @adwiza,

it is hard to debug this without any logs etc. It could be your Keycloak client, TLS settings, OPA config, Rego rules etc.

The OPA pods should have a sidecar container running the user info fetcher. Please have a look there, you should see any errors related to retrieving the groups here.

You can also shell into the opa container and run this

curl -X POST localhost:9476/user -H 'Content-Type: application/json' -d '{"username": "<your-user>"}'

which should return any groups or throw errors.

Malte

[adwiza]

In the sidecar container user-info-fetcher we are seeing correct output with proper groups like /dataops etc

but we have these in opa-server logs
{"client_addr":"10.233.124.39:38262","level":"info","msg":"Received request.","req_body":"{"input":{"context":{"identity":{"user":"MYNAME","groups":[]},"softwareStack":{"trinoVersion":"455"}},"action":{"operation":"ExecuteQuery"}}}","req_id":11,"req_method":"POST","req_params":{},"req_path":"/v1/data/trino/allow","time":"2025-04-14T15:33:21Z","logger":"server"}

[maltesander]

The input to OPA does not look quite like you provided:

{"input":{"context":{"identity":{"user":"MYNAME","groups":[]}

Could you try something like this?

        import future.keywords.contains
        import future.keywords.in
        import future.keywords.if

        default allow = false
        
        allow if {
            user := data.stackable.opa.userinfo.v1.userInfoByUsername(input.context.identity.user)
            "/dataops" in user.groups
        }

[adwiza]

Hi @maltesander it works, thank you a lot.