Overview
Topaz is meant to be deployed as a sidecar (or as a local service), right next to your application. The application can use Topaz to externalize its authorization decisions.
The Topaz authorizer uses the Open Policy Agent (OPA) to compute a decision based on a policy, user context, and data stored in the Topaz directory.
An application can interact with the Authorizer through a set of gRPC or HTTPS REST APIs.
A Topaz user can also interact with the authorizer through the topaz authorizer commands.
Authorizer API categories
The Authorizer provides the following APIs to calling applications.
- Authorization (authz) - perform authorization queries
- Policies (policies) - return information about loaded policies
- Information (info) - return build information
REST APIs
The REST APIs are all exposed with the /api/v2 URL prefix. By default, the Topaz REST APIs are hosted on https://localhost:8383. For example, the policies REST API can be called in the following way:
curl -k https://localhost:8383/api/v2/policies
The Authorizer REST APIs are documented here.
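A sketch of how an application could externalize a decision to the sidecar over REST, verifying the server certificate rather than skipping the check as curl -k does, and denying on any error. This is an added example, not code from the Topaz project. The authz/is path, the JSON field names and the IDENTITY_TYPE_SUB value are assumptions to confirm against the Authorizer REST API documentation, and the helper names are hypothetical.

```python
import json
import ssl
import urllib.request

# Assumptions (not stated on this page; confirm in the Authorizer REST API
# docs): the "is" endpoint under the authz category and the JSON field names.
AUTHZ_IS_URL = "https://localhost:8383/api/v2/authz/is"


def build_request(subject, policy_path, resource=None, decision="allowed"):
    """Build the JSON body for one authorization query (assumed shape)."""
    return {
        "identity_context": {"type": "IDENTITY_TYPE_SUB", "identity": subject},
        "policy_context": {"path": policy_path, "decisions": [decision]},
        "resource_context": resource or {},
    }


def parse_decision(body, decision="allowed"):
    """Return True only if the response explicitly grants `decision`."""
    try:
        doc = json.loads(body)
        return any(
            d.get("decision") == decision and d.get("is") is True
            for d in doc["decisions"]
        )
    except (ValueError, KeyError, TypeError, AttributeError):
        return False  # malformed or unexpected response: deny


def https_post(url, payload, ca_file, timeout=2.0):
    """POST JSON over TLS, verifying the server against ca_file."""
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode()


def is_allowed(subject, policy_path, resource=None, ca_file=None, post=https_post):
    """Ask the authorizer; any transport or TLS error results in a deny."""
    try:
        body = post(AUTHZ_IS_URL, build_request(subject, policy_path, resource), ca_file)
    except Exception:
        return False  # fail closed when the sidecar is unreachable
    return parse_decision(body)
```

Pass ca_file the CA certificate that signed the authorizer's TLS certificate; the post parameter exists so the transport can be replaced in unit tests.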
gRPC APIs
By default, the gRPC APIs are hosted on localhost:8282. grpcui represents a convenient way to browse the gRPC APIs:
brew install grpcui
grpcui --insecure localhost:8282
The Authorizer gRPC APIs are documented here.