Home

Awesome

<img src="assets/logo.svg" alt="topaz logo">

Topaz - cloud-native authorization for modern applications and APIs

Go Report Card ci Apache 2.0 GitHub release (latest SemVer) CII Best Practices <img src="https://img.shields.io/badge/slack-@asertocommunity-yellow.svg?logo=slack"> <img src="https://img.shields.io/badge/docs-%F0%9F%95%B6-blue"> <a href="https://twitter.com/intent/follow?screen_name=aserto_com"><img src="https://img.shields.io/badge/Follow-aserto__com-blue?style=flat&logo=twitter"></a>

Topaz is an open-source authorization service providing fine-grained, real-time, policy-based access control for applications and APIs.

It uses the Open Policy Agent (OPA) as its decision engine, and provides a built-in directory that is inspired by the Google Zanzibar data model.

Authorization policies can leverage user attributes, group membership, application resources, and relationships between them. All data used for authorization is modeled and stored locally in an embedded database, so authorization decisions can be evaluated quickly and efficiently.

<img src="assets/topaz_model_viz.gif" alt="topaz model visualization">

Documentation and support

Read more at topaz.sh and the docs.

Join the community Slack channel for questions and help!

Benefits

Table of Contents

Getting Topaz

Installation

topaz is available on Linux, macOS and Windows platforms.

Building from source

topaz is currently using golang v1.22.* to compile, go.mod files are pinned to 1.21 or lower. In order to build topaz from source you must:

  1. Clone the repo

  2. Build and run the executable

    make build && ./dist/build_linux_amd64/topaz
    

Running with Docker

You can run as a Docker container:

docker run -it --rm ghcr.io/aserto-dev/topaz:latest --help

Quickstart

These instructions help you get Topaz up and running as the authorizer for a sample Todo app.

Install Topaz authorizer container image

The Topaz authorizer is packaged as a Docker container. You can get the latest image using the following command:

topaz install

NOTE: If you get the following errors/warnings from Topaz commands:

Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

Be sure to allow the default Docker socket to be used in your Docker Desktop Advanced settings.

Install the todo template

Topaz has a set of pre-built templates that contain three types of artifacts:

You can use the CLI to install the todo template:

topaz templates install todo

Artifacts

This command will install the following artifacts in $HOME/.config/topaz/:

tree $HOME/.config/topaz
/Users/ogazitt/.config/topaz
├── cfg
│   └── todo.yaml
├── todo
│   ├── data
│   │   ├── citadel_objects.json
│   │   ├── citadel_relations.json
│   │   ├── todo_objects.json
│   │   └── todo_relations.json
│   └── model
│       └── manifest.yaml
└── topaz.json
tree ~/.local/share/topaz
/Users/ogazitt/.local/share/topaz
├── certs
│   ├── gateway-ca.crt
│   ├── gateway.crt
│   ├── gateway.key
│   ├── grpc-ca.crt
│   ├── grpc.crt
│   └── grpc.key
├── db
│   └── todo.db
└── tmpl
    └── todo
        ├── data
        │   ├── citadel_objects.json
        │   ├── citadel_relations.json
        │   ├── todo_objects.json
        │   └── todo_relations.json
        └── model
            └── manifest.yaml

For a deeper overview of the cfg/config.yaml file, see topaz configuration.

What just happened?

Besides laying down the artifacts mentioned, installing the Todo template did the following things:

Feel free to play around with the Topaz console! Or follow the next few steps to interact with the Topaz policy and authorization endpoints.

Issue an API call

To verify that Topaz is running with the right policy image, you can issue a curl call to interact with the REST API.

This API call retrieves the set of policies that Topaz has loaded:

curl -k https://localhost:8383/api/v2/policies

Issue an authorization request

Issue an authorization request using the is REST API to verify that the user Rick is allowed to GET the list of todos:

curl -k -X POST 'https://localhost:8383/api/v2/authz/is' \
-H 'Content-Type: application/json' \
-d '{
     "identity_context": {
          "type": "IDENTITY_TYPE_SUB",
          "identity": "rick@the-citadel.com"
     },
     "policy_context": {
          "path": "todoApp.GET.todos",
          "decisions": ["allowed"]
     }
}'

Run the sample application

To run the sample Todo backend in the language of your choice, and see how Topaz is used to authorize requests, refer to the docs.

To start an interactive session with the Topaz endpoints over gRPC, see the gRPC endpoints section.

Command line options

topaz --help
Usage: topaz <command> [flags]

Topaz CLI

Commands:
  run                run topaz in console mode
  start              start topaz in daemon mode
  stop               stop topaz instance
  restart            restart topaz instance
  status             status of topaz daemon process
  manifest           manifest commands
  templates          template commands
  console            open console in the browser
  directory (ds)     directory commands
  authorizer (az)    authorizer commands
  config             configure topaz service
  certs              cert commands
  install            install topaz container
  uninstall          uninstall topaz container
  update             update topaz container version
  version            version information

Flags:
  -h, --help        Show context-sensitive help.
  -N, --no-check    disable local container status check ($TOPAZ_NO_CHECK)
  -L, --log         log level

Run "topaz <command> --help" for more information on a command.

gRPC Endpoints

To interact with the authorizer endpoint, install grpcui or grpcurl and point them to localhost:8282:

grpcui --insecure localhost:8282

To interact with the directory endpoint, use localhost:9292:

grpcui --insecure localhost:9292

For more information on APIs, see the docs.

Demo

demo

Credits

Topaz uses a lot of great and amazing open source projects and libraries.

A big thank you to all of them!

Contribution Guidelines

Topaz is a work in progress - if something is broken or there's a feature that you want, please file an issue and if so inclined submit a PR!

We welcome contributions from the community! Here are some general guidelines: