Skip to main content

Runtime Flow

When the edge authorizer has been bootstrapped it will transition to the runtime flow:

In this state, it will spin up two timer-based background tasks: The first is the discovery updates flow, which executes the discovery request described above to retrieve configuration updates. These updates include updates of the policy in case of a new version as well as configuration changes for the plugins, concretely the edge directory plugin. When a new policy version is available, the policy will be downloaded and applied to the authorizer.

A second time-based background task will synchronize the identity data from the central directory to the edge authorizer when the edge directory plugin is enabled. By default, directory synchronization is turned off and can be enabled in the Aserto console.

Runtime configuration

The runtime configuration is automatically retrieved from the control plane and is not persisted. The example below shows the resolved runtime configuration of the edge authorizer.

Example configuration of an authorizer that uses a policy image from the Aserto registry service:

---
tenant_id: <TENANT-ID>
policy_name: <POLICY-NAME>
instance_label: <INSTANCE-LABEL>

authorizer:
  logging:
    prod: true
    log_level: info
  
  directory_service:
    path: /app/db/directory.db
  
  api:
    grpc:
      connection_timeout_seconds: 2
      listen_address: '0.0.0.0:8282'
      certs:
        tls_key_path: '/app/certs/grpc.key'
        tls_cert_path: '/app/certs/grpc.crt'
        tls_ca_cert_path: '/app/certs/grpc-ca.crt'
    gateway:
      listen_address: '0.0.0.0:8383'
      allowed_origins:
        - https://*.mydomain.com
      certs:
        tls_key_path: '/app/certs/gateway.key'
        tls_cert_path: '/app/certs/gateway.crt'
        tls_ca_cert_path: '/app/certs/gateway-ca.crt'
    health:
      listen_address: '0.0.0.0:8484'
  
  opa:
    discovery:
      bundles:
        '<POLICY_NAME>.<INSTANCE_LABEL>.<DIGEST>':
          persist: false
          polling:
            max_delay_seconds: 120
            min_delay_seconds: 60
          resource: 'https://registry.prod.aserto.com/v2/<TENANT_NAME>/<REPO_NAME>:<LABEL>'
          service: <CONNECTION_ID>-<TENANT_NAME>
          signing: null,
          size_limit_bytes: 0
      plugins:
        aserto_edge:
          addr: authorizer.prod.aserto.com:8443
          apikey: '<REDACTED directory API key>'
          enabled: false
          insecure: false
          page_size: 100
          sync_interval: 60
          timeout: 10
      services:
        <CONNECTION_ID>-<TENANT_NAME>:
          credentials:
            bearer:
              token: '<REDACTED> registry download API key'
          response_header_timeout_seconds: 60
          url:  "https://registry.prod.aserto.com/v2/"
  
decision_logger:
  enabled: false