Overview
The Authorizer is an open source authorization engine which uses the Open Policy Agent (OPA) to compute a decision based on a policy, user context, and data.
An application can interact with the Authorizer through a set of gRPC or HTTPS REST APIs.
Hosted Authorizer vs Edge Authorizer
Creating an Aserto tenant automatically creates a corresponding Authorizer instance in the multi-tenant hosted Authorizer. Since it's a multi-tenant service, the hosted Authorizer requires authorization headers to disambiguate the tenant and provide the tenant secret (API key).
The Aserto authorizer can also be deployed as a sidecar (or as a local service), right next to your application. Since this Authorizer is a single-tenant service, it does not require authentication, besides the certificate validation mandated by HTTPS mutual TLS.
Authorization
Any API call to the hosted Authorizer requires two HTTP headers:
Aserto-Tenant-ID: <Tenant-ID>
Authorization: basic <Authorizer-API-Key>
You can find these values in the Policy settings in the Aserto Console.
Authorizer API categories
The Authorizer provides the following API categories to calling applications:
- Authorization (
authz
) - Policy (
policy
) - Information (
info
)
The v1 Directory (dir
) namespace is now deprecated in favor of the v2 Directory graphQL APIs.
The v1 System (sys
) namespace is now removed from v2.