Cloud-native authorization for modern applications and APIs, combining the best of Open Policy Agent and Google Zanzibar
Topaz is an open-source authorization service providing fine-grained, real-time, policy-based access control for applications and APIs.
It uses the Open Policy Agent (OPA) as its decision engine, and provides a built-in directory that is inspired by the Google Zanzibar data model.
Authorization policies can leverage user attributes, group membership, application resources, and relationships between them. All data used for authorization is modeled and stored locally in an embedded database, so authorization decisions can be evaluated quickly and efficiently.
Documentation and support
Read more at topaz.sh and the docs.
Join the community Slack channel for questions and help!
topaz is available on Linux, macOS and Windows platforms.
Binaries for Linux, Windows and macOS are available as tarballs on the release page.
Via Homebrew for macOS or LinuxBrew for Linux
brew tap aserto-dev/tap && brew install aserto-dev/tap/topaz
Via go install
go install github.com/aserto-dev/topaz/cmd/topaz@latest
Building from source
topaz currently requires go v1.17 or above. In order to build topaz from source you must:
Install mage
Clone the repo
Build and run the executable
mage build && ./dist/build_linux_amd64/topaz
Running with Docker
You can run as a Docker container:
docker run -it --rm ghcr.io/aserto-dev/topaz:latest --help
Quickstart
These instructions help you get Topaz up and running as the authorizer for a sample Todo app.
Install Topaz authorizer container image
The Topaz authorizer is packaged as a Docker container. You can get the latest image using the following command:
topaz install
Create a configuration
This command creates a configuration file for the sample Todo policy image. A policy image is an OCI image that contains an OPA policy. The source code for the ghcr.io/aserto-policies/policy-todo-rebac:latest policy image can be found here.
topaz configure -d -s -r ghcr.io/aserto-policies/policy-todo-rebac:latest -n todo
The configuration file is generated in $(HOME)/.config/topaz/cfg. Run topaz configure --help for the meaning of the -d and -s flags used above.
Creating a configuration that uses a local policy CLI image
If you have a policy image in the local OCI store of your policy CLI that you want to use with topaz, you can create a configuration that uses that image from the local store:
topaz configure -d -s -l ghcr.io/default:latest
The configuration file is generated in $(HOME)/.config/topaz/cfg. Run topaz configure --help for the meaning of the -d and -s flags used above.
Start Topaz in interactive mode
topaz run
Import sample data
Retrieve the "Citadel" JSON files, placing them in the current directory:
curl https://raw.githubusercontent.com/aserto-dev/topaz/main/assets/citadel/citadel_objects.json >./citadel_objects.json
curl https://raw.githubusercontent.com/aserto-dev/topaz/main/assets/citadel/citadel_relations.json >./citadel_relations.json
Import the contents of the files into the Topaz directory. This creates the sample users (Rick, Morty and friends), groups, and relations:
topaz import -i -d .
Bring up the console
topaz console
Issue an API call
To verify that Topaz is running with the right policy image, you can issue a curl call to interact with the REST API.
This API call retrieves the set of policies that Topaz has loaded:
curl -k https://localhost:8383/api/v2/policies
Note that -k (--insecure) disables TLS certificate verification; it is used here only because the local Topaz instance serves a self-signed certificate. Do not carry -k into production clients; trust the Topaz CA certificate explicitly instead.
Issue a query
Issue a query using the is REST API endpoint to verify that the user Rick is allowed to GET the list of todos:
curl -k -X POST 'https://localhost:8383/api/v2/authz/is' \
  -H 'Content-Type: application/json' \
  -d '{
    "identity_context": {
      "type": "IDENTITY_TYPE_SUB",
      "identity": "rick@the-citadel.com"
    },
    "policy_context": {
      "path": "todoApp.GET.todos",
      "decisions": ["allowed"]
    }
  }'
Run the sample application
To run the sample Todo app in the language of your choice, and see how Topaz is used to authorize requests, refer to the docs.
To start an interactive session with the Topaz endpoints, see the gRPC endpoints section.
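The following is an added example, not code from the Topaz project, showing how an application would wrap the same is call from a client: it builds the request body used in the quickstart, pins the Topaz CA certificate instead of disabling verification as curl -k does, and fails closed on anything other than an explicit allow. The base URL and port are the quickstart defaults; the CA file path, the names build_is_request, parse_is_response and is_allowed, and the response shape (a decisions array of {decision, is} objects) are assumptions of this example.

```python
"""Client-side wrapper for Topaz's REST /api/v2/authz/is endpoint (example code)."""
import json
import ssl
import urllib.request
from typing import Iterable, Optional

# Quickstart defaults: Topaz REST API on localhost:8383 (assumed from the README).
TOPAZ_REST = "https://localhost:8383"


def build_is_request(identity: str, policy_path: str,
                     decisions: Iterable[str] = ("allowed",)) -> dict:
    """Body for POST /api/v2/authz/is, mirroring the quickstart curl call."""
    return {
        "identity_context": {"type": "IDENTITY_TYPE_SUB", "identity": identity},
        "policy_context": {"path": policy_path, "decisions": list(decisions)},
    }


def parse_is_response(body: dict, decision: str = "allowed") -> bool:
    """Return True only if the named decision is present and exactly True.

    A missing decisions array, a missing decision, or a non-boolean value
    (e.g. the string "true") all yield False: an authorizer client must
    fail closed rather than infer an allow from a malformed answer.
    Response shape is assumed: {"decisions": [{"decision": ..., "is": ...}]}.
    """
    for entry in body.get("decisions", []):
        if entry.get("decision") == decision:
            return entry.get("is") is True
    return False


def is_allowed(identity: str, policy_path: str, base_url: str = TOPAZ_REST,
               ca_file: Optional[str] = None, timeout: float = 5.0) -> bool:
    """POST the is request and interpret the answer.

    ca_file should point at the CA certificate that signed the Topaz
    listener's certificate (path is deployment-specific); passing it is
    the replacement for `curl -k`. With ca_file=None the system trust
    store is used, so a self-signed dev certificate is rejected, which is
    the safe default. Any transport, TLS or decoding error is a deny.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        f"{base_url}/api/v2/authz/is",
        data=json.dumps(build_is_request(identity, policy_path)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return parse_is_response(json.load(resp))
    except (OSError, ValueError):
        # Connection refused, certificate mismatch, HTTP error or bad JSON:
        # never turn an infrastructure failure into an allow.
        return False


# Constructed sample response, in the assumed shape, for offline use.
SAMPLE_ALLOW = {"decisions": [{"decision": "allowed", "is": True}]}
SAMPLE_DENY = {"decisions": [{"decision": "allowed", "is": False}]}

if __name__ == "__main__":
    req = build_is_request("rick@the-citadel.com", "todoApp.GET.todos")
    print(json.dumps(req, indent=2))
    print("allow sample ->", parse_is_response(SAMPLE_ALLOW))
    print("deny sample  ->", parse_is_response(SAMPLE_DENY))
    # Against a running quickstart instance (needs the Topaz CA file path):
    # print(is_allowed("rick@the-citadel.com", "todoApp.GET.todos",
    #                  ca_file="/path/to/topaz-ca.crt"))
```

The two halves are deliberately separable: parse_is_response can be unit-tested without a running authorizer, and is_allowed is the only place that touches the network, so the fail-closed behaviour is easy to audit.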
Command line options
$ topaz --help
Usage: topaz <command>

Topaz CLI

Commands:
  start              start topaz in daemon mode
  stop               stop topaz instance
  status             status of topaz daemon process
  run                run topaz in console mode
  manifest get       get manifest
  manifest set       set manifest
  manifest delete    delete manifest
  load               load manifest from file
  save               save manifest to file
  import             import directory objects
  export             export directory objects
  backup             backup directory data
  restore            restore directory data
  test exec          execute assertions
  test template      output assertions template
  install            install topaz container
  configure          configure topaz service
  update             update topaz container version
  uninstall          uninstall topaz container
  version            version information
  console            opens the console in the browser

Flags:
  -h, --help         Show context-sensitive help.
      --no-check     disable local container status check ($TOPAZ_NO_CHECK)

Run "topaz <command> --help" for more information on a command.
gRPC Endpoints
To interact with the authorizer endpoint, install grpcui or grpcurl and point them to localhost:8282:
grpcui --insecure localhost:8282
To interact with the directory endpoint, use localhost:9292:
grpcui --insecure localhost:9292
For more information on APIs, see the docs.
Credits
Topaz uses a lot of great and amazing open source projects and libraries.
A big thank you to all of them!
Contribution Guidelines
Topaz is a work in progress - if something is broken or there's a feature that you want, please file an issue and if so inclined submit a PR!
We welcome contributions from the community!