Summary
When using Opal as the backend, {dsROCrate} should include a helper function to validate the running Opal version as part of connection validation (see validate_opal_con).
This is important because Opal v5.7.2 introduced a change allowing AUDIT_ALL users read-only access to the /system/permissions API endpoint. This endpoint can be used to verify whether a user has audit rights (and similarly admin rights).
Without checking the Opal version, downstream functionality that depends on this endpoint may fail unexpectedly on older Opal instances.
Current behaviour
An Opal connection object can be created using opalr::opal.login():
con_auditor <- opalr::opal.login(
username = "auditor",
password = USERPASS,
url = SERVER
)
The running Opal version is available via:
which returns the server version as a string.
Currently there does not appear to be a dedicated validation step ensuring the connected Opal server supports the required API behaviour.
Proposed enhancement
Add a helper function that:
- Detects whether the backend is Opal
- Retrieves the server version from the connection object
- Verifies the version is compatible with the required permissions endpoint behaviour
- Integrates this validation into existing connection checks
For example, compatibility checks could ensure the server version is >= 5.7.2.
Motivation
This would:
- Prevent runtime failures when permission checks rely on
/system/permissions
- Provide clearer error messages for unsupported Opal versions
- Centralise backend capability validation logic
- Improve robustness of audit/admin permission verification workflows
Possible implementation ideas
Potential approaches include:
check_opal_version <- function(con, minimum = "5.7.2") {
utils::compareVersion(con$version, minimum) >= 0
}
- Integrating the version validation into existing connection validation helpers
- Returning informative warnings/errors when unsupported versions are detected
Additional context
Support for read-only access to /system/permissions for AUDIT_ALL users was originally requested in Opal issue #4150:
The change was implemented and the issue closed via:
Since this behaviour is only available starting from Opal v5.7.2, {dsROCrate} should validate the connected Opal version before relying on this endpoint for audit/admin permission verification.
Summary
When using Opal as the backend,
{dsROCrate}should include a helper function to validate the running Opal version as part of connection validation (seevalidate_opal_con).This is important because Opal
v5.7.2introduced a change allowingAUDIT_ALLusers read-only access to the/system/permissionsAPI endpoint. This endpoint can be used to verify whether a user has audit rights (and similarly admin rights).Without checking the Opal version, downstream functionality that depends on this endpoint may fail unexpectedly on older Opal instances.
Current behaviour
An Opal connection object can be created using
opalr::opal.login():The running Opal version is available via:
which returns the server version as a string.
Currently there does not appear to be a dedicated validation step ensuring the connected Opal server supports the required API behaviour.
Proposed enhancement
Add a helper function that:
For example, compatibility checks could ensure the server version is
>= 5.7.2.Motivation
This would:
/system/permissionsPossible implementation ideas
Potential approaches include:
Additional context
Support for read-only access to
/system/permissionsforAUDIT_ALLusers was originally requested in Opal issue #4150:AUDIT_ALLusers to read system permissions obiba/opal#4150)The change was implemented and the issue closed via:
Since this behaviour is only available starting from Opal
v5.7.2,{dsROCrate}should validate the connected Opal version before relying on this endpoint for audit/admin permission verification.