Authorizer Client
AuthorizerClient is the low-level interface that talks to the Aserto authorization API.
It can be used on its own to make authorization calls or, more commonly, to create authorization middleware.
Create a Client
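
    import (
        "log"

        authz "github.com/aserto-dev/aserto-go/authorizer/grpc"
        "github.com/aserto-dev/aserto-go/client"
    )
    ...
    authClient, err := authz.New(
        ctx,
        client.WithAPIKeyAuth("<Aserto authorizer API key>"),
        client.WithTenantID("<Aserto tenant ID>"),
    )
    if err != nil {
        // Without a client no authorization call can be made.
        log.Fatal("Failed to create authorizer client:", err)
    }
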
Make Authorization Calls
Using an authorizer client we can call the Is() API to check if a user is authorized to perform an operation.

    import (
        "fmt"
        "log"

        "github.com/aserto-dev/go-grpc-authz/aserto/authorizer/authorizer/v1"
        "github.com/aserto-dev/go-grpc/aserto/api/v1"
    )
    ...
    result, err := authClient.Is(ctx, &authorizer.IsRequest{
        IdentityContext: &api.IdentityContext{ // The user performing the operation.
            Type:     api.IdentityType_IDENTITY_TYPE_SUB,
            Identity: "username",
        },
        PolicyContext: &api.PolicyContext{
            Id:        "<Aserto Policy ID>",
            Path:      "peoplefinder.GET.users", // Policy module to evaluate.
            Decisions: []string{"allowed"},      // Policy rules to evaluate.
        },
    })
    if err != nil {
        log.Fatal("Failed to call authorizer:", err)
    }
    // Check the authorizer's decision.
    for _, decision := range result.Decisions {
        if decision.Decision == "allowed" {
            if decision.Is {
                fmt.Println("Access granted")
            } else {
                fmt.Println("Access denied")
            }
        }
    }

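The loop above prints nothing when the response carries no "allowed" entry, so code that gates access on it should treat that case, and a failed call, as a denial. The following is an added example, not Aserto's code, of such a fail-closed check; the Decision struct and the Authorized helper are hypothetical stand-ins so that it runs without the SDK.

```go
package main

import (
	"errors"
	"fmt"
)

// Decision is a local stand-in (assumption) for the entries of result.Decisions.
type Decision struct {
	Decision string // rule name, e.g. "allowed"
	Is       bool   // outcome of that rule
}

// Authorized fails closed: it grants only if the call succeeded, the rule is
// present in the response, and no occurrence of the rule is false.
func Authorized(decisions []Decision, callErr error, rule string) (bool, string) {
	if callErr != nil {
		return false, "authorizer call failed: " + callErr.Error()
	}
	seen := false
	for _, d := range decisions {
		if d.Decision == rule {
			if !d.Is {
				return false, "rule " + rule + " evaluated to false"
			}
			seen = true
		}
	}
	if !seen {
		return false, "rule " + rule + " missing from response"
	}
	return true, "rule " + rule + " evaluated to true"
}

func main() {
	// Constructed sample responses, not output from a real authorizer.
	cases := []struct{ name string; ds []Decision; err error }{
		{"granted", []Decision{{"allowed", true}}, nil},
		{"denied", []Decision{{"allowed", false}}, nil},
		{"empty response", nil, nil},
		{"other rule only", []Decision{{"visible", true}}, nil},
		{"call error", []Decision{{"allowed", true}}, errors.New("unavailable")},
	}
	for _, c := range cases {
		ok, why := Authorized(c.ds, c.err, "allowed")
		fmt.Printf("%-16s allow=%-5v %s\n", c.name, ok, why)
	}
}
```
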
We can similarly call the DecisionTree() and Query() APIs.