Topaz - cloud-native authorization for modern applications and APIs
Topaz is an open-source authorization service providing fine-grained, real-time, policy-based access control for applications and APIs.
Authorization policies can leverage user attributes, group membership, application resources, and relationships between them. All data used for authorization is modeled and stored locally in an embedded database, so authorization decisions can be evaluated quickly and efficiently.
Documentation and support
Join the community Slack channel for questions and help!
- Authorization in one place: a single authorization service, instead of spreading authorization logic everywhere.
- Fine-grained: following the Principle of Least Privilege, assign the smallest set of fine-grained permissions to each user or group.
- Policy-based: convert authorization "spaghetti code" into a policy expressed in its own domain-specific language, managed as code, and built into an immutable, signed artifact.
- Real-time: gate each protected resource with an authorization call that ensures the user has the right permission.
- Blazing fast: deploy the authorizer as a sidecar or microservice, right next to your app, for low latency and high availability.
- Comprehensive decision logging: log every decision to facilitate audit trails, compliance, and forensics.
- Flexible authorization model: Start simple, and grow from multi-tenant RBAC to ABAC or ReBAC, or a combination.
- Capture your domain model: Create object types and relationships that reflect your domain model.
- Separation of concerns: application developers can own the app logic, and security engineers can own the authorization policy.
Table of Contents
- Getting Topaz
- Command Line
- gRPC Endpoints
- Demo video
- Contribution Guidelines
topaz is available on Linux, macOS and Windows platforms.
Binaries for Linux, Windows and Mac are available as tarballs in the release page.
Via Homebrew for macOS or LinuxBrew for Linux
brew tap aserto-dev/tap && brew install aserto-dev/tap/topaz
Via a GO install
go install github.com/aserto-dev/topaz/cmd/topaz@latest
Building from source
topaz is currently using go v1.17 or above. In order to build
topaz from source you must:
Clone the repo
Build and run the executable
mage build && ./dist/build_linux_amd64/topaz
Running with Docker
You can run as a Docker container:
docker run -it --rm ghcr.io/aserto-dev/topaz:latest --help
These instructions help you get Topaz up and running as the authorizer for a sample Todo app.
Install Topaz authorizer container image
The Topaz authorizer is packaged as a Docker container. You can get the latest image using the following command:
Install the todo template
Topaz has a set of pre-built templates that contain three types of artifacts:
- an authorization policy
- a domain model (in the form of a manifest file)
- sample data (users, groups, objects, relationships)
You can use the CLI to install the todo template:
topaz templates install todo
This command will install the following artifacts in
│ ├── gateway-ca.crt
│ ├── gateway.crt
│ ├── gateway.key
│ ├── grpc-ca.crt
│ ├── grpc.crt
│ └── grpc.key
│ └── config.yaml
│ ├── citadel_objects.json
│ └── citadel_relations.json
│ └── directory.db
certs/contains a set of generated self-signed certificates for Topaz.
cfg/config.yamlcontains a Topaz configuration file which references the sample Todo policy image. A policy image is an OCI image that contains an OPA policy. For the Todo template, this is the public GHCR image
ghcr.io/aserto-policies/policy-todo:latest. The source code for the policy image can be found here.
data/contains the objects and relations for the Todo template - in this case, a set of 5 users and 4 groups that are based on the "Rick & Morty" cartoon.
db/directory.dbcontains the embedded database which houses the model and data.
model/manifest.yamlcontains the manifest file which describes the domain model.
For a deeper overview of the
cfg/config.yaml file, see topaz config.
What just happened?
Besides laying down the artifacts mentioned, installing the Todo template did the following things:
- started Topaz in daemon (background) mode (see
topaz start --help).
- set the manifest found in
topaz set manifest --help).
- imported the objects and relations found in
topaz import --help).
- opened a browser window to the Topaz console (see
topaz console --help).
Feel free to play around with the Topaz console! Or follow the next few steps to interact with the Topaz policy and authorization endpoints.
Issue an API call
To verify that Topaz is running with the right policy image, you can issue a
curl call to interact with the REST API.
This API call retrieves the set of policies that Topaz has loaded:
curl -k https://localhost:8383/api/v2/policies
Issue an authorization request
Issue an authorization request using the
is REST API to verify that the user Rick is allowed to GET the list of todos:
curl -k -X POST 'https://localhost:8383/api/v2/authz/is' \
-H 'Content-Type: application/json' \
Run the sample application
To run the sample Todo backend in the language of your choice, and see how Topaz is used to authorize requests, refer to the docs.
To start an interactive session with the Topaz endpoints over gRPC, see the gRPC endpoints section.
Command line options
$ topaz --help
Usage: topaz <command>
start start topaz in daemon mode
stop stop topaz instance
status status of topaz daemon process
run run topaz in console mode
manifest get get manifest
manifest set set manifest
manifest delete delete manifest
load load manifest from file
save save manifest to file
import import directory objects
export export directory objects
backup backup directory data
restore restore directory data
test exec execute assertions
test template output assertions template
templates list list template
templates install install template
install install topaz container
configure configure topaz service
update update topaz container version
uninstall uninstall topaz container
version version information
console opens the console in the browser
-h, --help Show context-sensitive help.
--no-check disable local container status check ($TOPAZ_NO_CHECK)
Run "topaz <command> --help" for more information on a command.
To interact with the authorizer endpoint, install
grpcurl and point them to
grpcui --insecure localhost:8282
To interact with the directory endpoint, use
grpcui --insecure localhost:9292
For more information on APIs, see the docs.
Topaz uses a lot of great and amazing open source projects and libraries.
A big thank you to all of them!
Topaz is a work in progress - if something is broken or there's a feature that you want, please file an issue and if so inclined submit a PR!
We welcome contributions from the community! Here are some general guidelines:
- File an issue first prior to submitting a PR!
- Ensure all exported items are properly commented
- If applicable, submit a test suite against your PR