Skip to main content

Authorizer

The Authorizer is the component where authorization decisions are made. This is sometimes known as a Policy Decision Point, or PDP.

Aserto uses the Topaz open source project as its authorizer.

Topaz

Topaz provides a self-contained authorization service, and utilizes the Open Policy Agent (OPA) authorization engine to compute a decision based on a policy, user context, and resource context.

Topaz also includes an embedded database, which can be used to store a local copy of the data that is used to make an authorization decision.

Because of this design, authorization decisions can be computed over local data, resulting in fast (order of ~1ms) evaluation intervals.

Topaz is packaged as a docker image and is meant to be deployed as close as possible to your application. The most common deployment models are:

  • a sidecar container in the same pod as the application.
  • a microservice that is deployed in the same cluster or subnet as your application.

In addition, when you create an Aserto policy instance, a Topaz Authorizer instance is provisioned for you in Aserto's multi-tenant environment. Since the authorizers are the same, using the hosted authorizer is the easiest way to start building applications that use Aserto, without having to deploy a Topaz instance on your own computer or cluster.

Finally, the same Topaz container image underpins Aserto's local developer experience, which you can deploy on your local workstation using the Aserto CLI, and use while developing your application. This helps create a tight development workflow that has no external dependencies.