Skip to main content

Authorizers

An Authorizer can be one of the two types of supported authorizers:

HostedAuthorizer#

Constructor arguments#

  • api_key (required): An Aserto Authorizer API Key
  • tenant_id (required): An Aserto Tenant ID
  • service_type (required): Either of the string values "gRPC" or "REST", depending on the protocol desired to call the API

Example#

from aserto import HostedAuthorizer
authorizer = HostedAuthorizer(    api_key=YOUR_ASERTO_API_KEY,    tenant_id=YOUR_ASERTO_TENANT_ID,    service_type="REST",)

EdgeAuthorizer#

Constructor arguments#

  • url (required): The URL for the Authorizer service API
  • cert_file_path (required): The location on the filesystem of the CA certificate that signed the Aserto authorizer self-signed certificate. See the "Certificates" section for more information
  • service_type (required): Either of the string values "gRPC" or "REST", depending on the protocol desired to call the API

Example#

from aserto import EdgeAuthorizer
authorizer = EdgeAuthorizer(    url=AUTHORIZER_SERVICE_URL,    cert_file_path=FILE_PATH_TO_YOUR_AUTHORIZER_CA_CERTIFICATE,    service_type="gRPC",)

Certificates#

The Aserto Authorizer exposes HTTPS-only endpoints. In order for the API client to communicate with the authorizer, TLS certificates must be verified.

In a development environment, the Aserto OneBox automatically creates a set of self-signed certificates and certificates of the CA (certificate authority) that signed them. It places them in a well-known location on the filesystem, defaulting to $HOME/.config/aserto/aserto-one/certs/.

In order for the API client to perform the TLS handshake, it needs to verify the TLS certificate of the one-box using the certificate of the CA that signed it - which was placed in $HOME/.config/aserto/aserto-one/certs/aserto-one-gateway-ca.crt.

Furthermore, when packaging a policy for deployment (e.g. in a Docker container) which uses the API client to communicate with an authorizer that has a self-signed TLS certificate, you must copy this CA certificate into the container as part of the Docker build (typically performed in the Dockerfile).