Deployment and Operation
Edge authorizers can be deployed in various ways, depending on the requirements of the application and target environment. In its most basic form, an authorizer is a Docker container instance, which can be deployed as a standalone service, as a sidecar, or on a development workstation.
An edge authorizer always operates in the context of a (single) Aserto organization and is assigned a specific policy instance to serve. This information is provided to the edge authorizer via a configuration file, which it uses to send a discovery call to the Aserto control plane.
Edge Authorizer Flavors
onebox authorizer flavor has been deprecated. Please use the
Currently, the following flavors of edge authorizers are available:
- Sidecar: a single-tenant, single policy authorizer without a web UI. The sidecar is the general edge authorizer flavor with a small surface area, which can be used as a sidecar but also as a local service instance.
|Sidecar||docker pull ghcr.io/aserto-dev/sidecar:latest|
Running the Edge Authorizer
You can run the sidecar authorizer using the aserto CLI. First, you need to configure your sidecar instance by running the following command. Note that POLICY_INSTANCE_NAME below is the name of a policy instance you created in the console. You can optionally turn on decision logging by using the corresponding flag:
aserto developer configure <POLICY_INSTANCE_NAME> [--decision-logging]
To configure the sidecar to connect to the Aserto control plane, use the following command. Note that EDGE_AUTHORIZER_CONNECTION_ID is the connection ID of an edge authorizer that you created in the Aserto console.
aserto developer configure <POLICY_INSTANCE_NAME> --edge-authorizer=<EDGE_AUTHORIZER_CONNECTION_ID> [--decision-logging]
To list the available edge authorizer connections, use the following command:
aserto control-plane list-connections
Then, start the sidecar instance by running the following command. Note that if you turned on decision logging in the configure command, you need to specify the --data-path flag, where DECISION_LOG_DIRECTORY is the path where the decision logs will be stored.
aserto developer start <POLICY_INSTANCE_NAME> [--data-path=<DECISION_LOG_DIRECTORY>]
Or by using the docker CLI, selecting the correct image (
docker run \
--name sidecar \
-p 8282:8282 \
-p 8383:8383 \
-p 8484:8484 \
-v $PWD/certs:/certs:rw \
-v $PWD/cfg:/app/cfg:ro \
-v $PWD/eds:/app/db:rw \
ghcr.io/aserto-dev/sidecar:latest run \