A PDP is a network node in an application that exposes an endpoint for policy decisions: services ask the PDP whether a specific action or request is allowed under the configured policy. The PDP effectively becomes your authorization microservice, and can be deployed as a sidecar, as a cluster, or as a single instance (for light workloads). Because every authorization check is a network round trip, PDPs need to be highly available, performant and network-close to the querying services to keep latency low.
The most straightforward way to integrate PDPs into a microservices architecture is as sidecars: each microservice gets a sidecar container next to it that it queries for policy decisions over localhost. Other topologies include a centralized PDP (a shared cluster queried by all services) and gateway-to-PDP (the API gateway or proxy queries the PDP and filters requests before they reach the services).
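The sidecar query described above, as an added example that is not Permit.io's SDK or PDP code: a small client that asks a local PDP sidecar for an allow/deny decision and fails closed whenever the sidecar is unreachable, slow, returns a non-200 status, or answers with something that is not a real boolean. The sidecar address `http://localhost:7766`, the `POST /allowed` endpoint, the request body shape, the bearer-token header and the `fake_pdp` stand-in are assumptions made for this example; check them against the PDP's own API reference before relying on them.

```python
"""Fail-closed client for a local PDP sidecar.

Added illustration, not Permit.io's SDK or PDP code. It assumes the sidecar
listens on http://localhost:7766 and exposes POST /allowed, taking a JSON body
with "user", "action" and "resource" and answering {"allow": <bool>}; the
endpoint shape, port and the bearer-token header are assumptions made for
this example.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

Transport = Callable[[str, bytes, dict, float], Tuple[int, bytes]]

PDP_URL = "http://localhost:7766"  # assumed sidecar address: same pod or host
PDP_TIMEOUT_S = 0.25               # the PDP is local; a long timeout only hides outages


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


def http_transport(url: str, body: bytes, headers: dict, timeout: float) -> Tuple[int, bytes]:
    """Real transport: one POST to the sidecar. Raises on network failure."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()


def check(user: str, action: str, resource_type: str, *, api_key: str,
          pdp_url: str = PDP_URL, transport: Transport = http_transport,
          timeout: float = PDP_TIMEOUT_S) -> Decision:
    """Ask the PDP whether `user` may perform `action` on `resource_type`.

    Every failure path returns allow=False: an unreachable or slow sidecar,
    a non-200 status, a malformed body, or an "allow" field that is not a
    real boolean must never turn into an authorization grant.
    """
    body = json.dumps({
        "user": {"key": user},
        "action": action,
        "resource": {"type": resource_type},
    }).encode()
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {api_key}",  # assumed: PDP expects a bearer token
    }
    try:
        status, raw = transport(f"{pdp_url}/allowed", body, headers, timeout)
    except (urllib.error.URLError, OSError) as exc:  # OSError also covers timeouts
        return Decision(False, f"pdp unreachable: {exc}")
    if status != 200:
        return Decision(False, f"pdp returned http {status}")
    try:
        allow = json.loads(raw)["allow"]
    except (ValueError, KeyError, TypeError):
        return Decision(False, "malformed pdp response")
    if not isinstance(allow, bool):  # "false", 1, None etc. are not decisions
        return Decision(False, "non-boolean allow field")
    return Decision(allow, "pdp decision")


def fake_pdp(status: int = 200, body: bytes = b'{"allow": true}',
             error: Optional[Exception] = None) -> Transport:
    """Constructed in-memory stand-in for the sidecar so the example runs offline."""
    def transport(url, body_in, headers, timeout):
        if error is not None:
            raise error
        return status, body
    return transport


if __name__ == "__main__":
    key = "pdp-api-key-placeholder"  # constructed value, not a real key
    print(check("alice", "read", "document", api_key=key, transport=fake_pdp()))
    print(check("alice", "read", "document", api_key=key,
                transport=fake_pdp(error=OSError("connection refused"))))
    print(check("alice", "read", "document", api_key=key,
                transport=fake_pdp(body=b'{"allow": "false"}')))
```

The short timeout is deliberate: a sidecar on the same host should answer in milliseconds, and a generous timeout turns a dead sidecar into a slow service rather than a visible outage. Replace `fake_pdp` with the default `http_transport` to talk to a real sidecar.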
Permit.io supports all of these PDP layouts and provides the layers missing from open-source PDP engines such as Open Policy Agent (OPA): policy delivery and updates, supporting-data collection, application-level SDKs, application-level instrumentation and more.
The Permit.io PDP (which by default bundles OPA, OPAL and an API server) is publicly available on Docker Hub.
Hosted/Managed cloud PDP option
While we recommend a local PDP for production deployments, a cloud PDP option is available on demand and can be deployed for you in the same cloud and region as your application (to minimize network latency). Reach out to us at email@example.com, or in the Slack community, with your cloud region to set up a cloud PDP (self-service setup will be available in the near future).
Powered by OPA+OPAL
Permit.io's PDP orchestration is powered by OPAL, an open-source project developed by the team at Permit.io and supported by a large community of developers and users. Check out this talk with the primary authors of OPAL to learn more about its real-time architecture:
OPAL's built-in separation of the data plane from the control plane lets Permit.io users enjoy the benefits of a fully distributed PDP solution without being dependent on the availability of the Permit.io cloud, or sharing any data with it.