Authorizers

An Authorizer is one of the two supported authorizer types:

HostedAuthorizer

Constructor arguments

  • api_key (required): An Aserto Authorizer API Key
  • tenant_id (required): An Aserto Tenant ID
  • service_type (required): Either of the string values "gRPC" or "REST", selecting the protocol used to call the API

Example

from aserto import HostedAuthorizer

# YOUR_ASERTO_API_KEY and YOUR_ASERTO_TENANT_ID are placeholders for your
# own Aserto API key and tenant ID (keep the key out of source control).
authorizer = HostedAuthorizer(
    api_key=YOUR_ASERTO_API_KEY,
    tenant_id=YOUR_ASERTO_TENANT_ID,
    service_type="REST",  # or "gRPC"
)

EdgeAuthorizer

Constructor arguments

  • url (required): The URL for the Authorizer service API
  • cert_file_path (required): The location on the filesystem of the CA certificate that signed the Aserto authorizer's self-signed certificate. See the "Certificates" section for more information
  • service_type (required): Either of the string values "gRPC" or "REST", selecting the protocol used to call the API

Example

from aserto import EdgeAuthorizer

# AUTHORIZER_SERVICE_URL and FILE_PATH_TO_YOUR_AUTHORIZER_CA_CERTIFICATE are
# placeholders for the authorizer's URL and the path to the CA certificate
# that signed its TLS certificate (see "Certificates" below).
authorizer = EdgeAuthorizer(
    url=AUTHORIZER_SERVICE_URL,
    cert_file_path=FILE_PATH_TO_YOUR_AUTHORIZER_CA_CERTIFICATE,
    service_type="gRPC",  # or "REST"
)

Certificates

The Aserto Authorizer exposes HTTPS-only endpoints. For the API client to communicate with the authorizer, it must be able to verify the authorizer's TLS certificate.

In a development environment, the Aserto Sidecar automatically creates a set of self-signed certificates together with the certificate of the CA (certificate authority) that signed them. It places them in a well-known location on the filesystem, defaulting to $HOME/.config/aserto/sidecar/certs/.

For the API client to complete the TLS handshake, it must verify the one-box's TLS certificate against the certificate of the CA that signed it, which is placed at $HOME/.config/aserto/sidecar/certs/gateway-ca.crt.

Furthermore, when packaging a policy for deployment (e.g. in a Docker container) that uses the API client to communicate with an authorizer with a self-signed TLS certificate, you must copy this CA certificate into the container as part of the Docker build (typically in the Dockerfile), so that it is present at the path you pass as cert_file_path.
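The following is an added example, not code from the Aserto SDK or its documentation, showing how a client can resolve the sidecar's default gateway-ca.crt path and build a TLS context that trusts only that CA and fails closed when the file is missing (for instance because it was not copied into the container). The functions gateway_ca_path and build_verified_tls_context are illustrative names; the SDK performs the equivalent verification internally from cert_file_path, so this is for understanding and startup self-checks rather than a replacement.

```python
import ssl
from pathlib import Path

# Default directory where the Aserto sidecar writes its development
# certificates (from the page); gateway-ca.crt is the CA that signed the
# authorizer's self-signed TLS certificate.
DEFAULT_CERTS_DIR = Path.home() / ".config" / "aserto" / "sidecar" / "certs"


def gateway_ca_path(certs_dir=DEFAULT_CERTS_DIR):
    """Return the expected path of the sidecar's gateway CA certificate."""
    return Path(certs_dir) / "gateway-ca.crt"


def build_verified_tls_context(ca_file):
    """Build a client-side SSLContext that trusts only the given CA file.

    Fails closed: a missing CA file raises instead of silently falling back
    to the system roots (which do not trust a self-signed authorizer cert)
    or, worse, to disabled verification (CERT_NONE).
    """
    ca_file = Path(ca_file)
    if not ca_file.is_file():
        raise FileNotFoundError(
            f"authorizer CA certificate not found at {ca_file}; copy "
            "gateway-ca.crt into place (e.g. with COPY in your Dockerfile)"
        )
    # PROTOCOL_TLS_CLIENT enables hostname checking and CERT_REQUIRED by
    # default; setting them explicitly documents the intent.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Only the sidecar's CA is trusted; no system roots are loaded.
    ctx.load_verify_locations(cafile=str(ca_file))
    return ctx


def describe_verification(ctx):
    """Summarise a context's verification settings for a startup self-check."""
    return {
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
        "trusted_cas": ctx.cert_store_stats()["x509_ca"],
    }


if __name__ == "__main__":
    ca = gateway_ca_path()
    try:
        print(describe_verification(build_verified_tls_context(ca)))
    except FileNotFoundError as exc:
        print(f"startup check failed: {exc}")
```

Run it once at service start-up: a missing or wrong cert_file_path then surfaces as a clear FileNotFoundError rather than as an opaque TLS handshake failure at the first authorization call, and describe_verification confirms that hostname checking and CERT_REQUIRED are in force with exactly one trusted CA.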