Installing a local Topaz authorizer
So far, we've only interacted with a multi-tenant hosted version of the Aserto Authorizer. But there are other deployment models:
- Developing locally against Topaz, which is a containerized version of the Aserto Authorizer
- Deploying the Topaz Authorizer as a sidecar in the same kubernetes pod as the calling service
- Deploying the Topaz Authorizer as another microservice in the same subnet as the other microservices in your application
These scenarios all use the open-source topaz docker image, which is a containerized version of the
Aserto authorization system, which can either be run independently with no connection to the Aserto Control
Plane, or can be connected to the Aserto Control Plane to automatically receive policy changes, directory data
changes, and push decision logs back to the Control Plane.
Topaz requires docker to be installed and running.
To install Docker: brew install --cask docker
To get started with Topaz, you can pull it down using the Aserto CLI.
If you haven't yet, you can install it using brew on Mac or Linux.
brew tap aserto-dev/tap && brew install aserto
For Windows (or if you want to download it as a zip file), refer to the CLI installation page.
Sign in to your Aserto account:
aserto login
You can use the CLI to install and run a local Topaz authorizer on your desktop. The following instructions will show you how to create a local configuration of the Aserto policy and directory that you created using the Aserto Console.
Install Topaz
The following command will pull down the latest topaz docker image.
aserto install
Select the tenant to target
Next, you'll need to select the Aserto tenant that you'd like to target. List the remote configs (tenants):
aserto config list
Then select the tenant you'd like to target:
aserto config use <your-tenant-name.aserto.com>
Create a Topaz configuration that mirrors a policy
The next command will create a local configuration for a policy that you've set up in the Aserto Console, using the name you gave it (in our case, peoplefinder).
aserto config new --name="peoplefinder"
This will create a new local configuration that mirrors the peoplefinder instance. You'll need to switch to this config:
aserto config use peoplefinder
Refer to the CLI docs to learn how to create an Edge Authorizer configuration, which will allow this local Topaz instance to be managed by the Aserto Control Plane.
Start Topaz with the local configuration
The following command will docker run a local container with the peoplefinder policy configuration:
aserto start
Once Topaz is started, it will pull down the policy and data (if you've configured data syncing) from the instance you configured in the Aserto Console. You now have a local copy running on your own machine!
Bring up the console
Topaz has a fully featured local console that mirrors the Aserto Console. Use the following command to bring it up in a browser window:
aserto console
Other commands
The next few commands help manage the topaz docker instance and image.
aserto status # displays the running status of the topaz authorizer
aserto stop # stops the topaz authorizer
aserto update # updates the topaz authorizer image to :latest
Next Steps
Explore how the PeopleFinder sample uses the Aserto express SDK and React SDK to inject authorization into the application’s API, and conditionally render UI elements based on the visible and enabled attributes of the policy.