OPAL, the Open Policy Administration Layer, keeping authorization policy in sync across your services in real time.
OPAL, the Open Policy Administration Layer, keeps authorization policy and the data it reasons over continuously up to date. You keep policy in a git repository; OPAL watches it and pushes every change out to Open Policy Agent the moment it is committed, so applications asking for an authorization decision always get an answer based on the current rules, with no redeploy and no restart.
OPAL on its own is infrastructure rather than a finished system, so this image ships a complete single node appliance: OPAL server, OPAL client and Open Policy Agent, installed, wired together and answering decisions from first boot, with a working example policy repository you can repoint at your own.
cloudimg ships the whole appliance assembled and proven rather than a bare component, with OPAL installed into an isolated virtual environment and the exact resolved dependency set recorded inside the image. It is secure by default and ships no shared credential: Open Policy Agent is bound to loopback so its unauthenticated API can never be reached, the exposed decision endpoint sits behind nginx with TLS and HTTP basic authentication, and on first boot every instance generates its own master token, signing keypair, client token, certificate and password into a root only file. A built in self test proves the policy round trip end to end, and every instance is backed by a paired deploy guide and 24/7 support.