Skip to main content

Configurations

Using environment variables, you can configure the PDP to suit your needs. Since the PDP uses OPAL under the hood, all of OPAL Configurations are also available with a OPAL_ prefix. PDP specific configurations are available with a PDP_ prefix.

info

PDP versions follow Semantic Versioning conventions. Hence, minor versions (e.g., 1.2.3 to 1.2.4) do not introduce breaking changes. For further details and more information, see SemVer

PDP Configurations

PDP_API_KEY

Default: MUST BE DEFINED

The API key used to authenticate the PDP against Permit.io. See more details about API Keys

note

This is a required configuration. The key must be an Environment-level API Key.

PDP_CONTROL_PLANE

Default: https://api.permit.io

The URL of the Permit.io control plane.

PDP_DEBUG

Default: None

PDP debug mode configuration. There available configurations are:

  • PDP_DEBUG=None - The default behavior, will use the configuration set by Permit.io Cloud.
  • PDP_DEBUG=True - Will enable Debug Mode for this specific PDP.
  • PDP_DEBUG=False - Will disable Debug Mode for this specific PDP.

For more detailed configuration about the PDP Debug Mode, please check the full documentation here.

PDP_SHARD_ID

Default: None

The shard id of this PDP, used to identify the PDP in the control plane

PDP_CONTROL_PLANE_PDP_DELTAS_API

Default: https://pdp-deltas.api.permit.io

The URL of the Permit.io PDP Deltas API.

info

This configuration is controlled by Permit.io, changing it can cause your PDP to malfunction.

PDP_CONTROL_PLANE_RELAY_API

Default: https://opal-relay.api.permit.io

The URL of the Permit.io Relay API.

info

This configuration is controlled by Permit.io, changing it can cause your PDP to malfunction.

PDP_CONTROL_PLANE_RELAY_JWT_TIER

Default: https://relay-jwt.api.permit.io

The URL of the Permit.io Relay JWT API.

info

This configuration is controlled by Permit.io, changing it can cause your PDP to malfunction.

PDP_BACKEND_SERVICE_URL

Default: https://api.permit.io/v2

The Permit.io service URL where proxy requests are sent.

info

This configuration is controlled by Permit.io, changing it can cause your PDP to malfunction.

PDP_BACKEND_LEGACY_URL

Default: https://api.permit.io/sdk

The legacy Permit.io service URL where proxy requests are sent.

info

This configuration is controlled by Permit.io, changing it can cause your PDP to malfunction.

PDP_REMOTE_CONFIG_ENDPOINT

Default: /v2/pdps/me/config

The control plane route to fetch policy data topics.

PDP_REMOTE_STATE_ENDPOINT

Default: /v2/pdps/me/state

The control plane route to push state changes.

PDP_DECISION_LOG_DEBUG_INFO

Default: True

Log verbose debug information about decision logs.

PDP_PRINT_CONFIG_ON_STARTUP

Default: False

Print the PDP configuration on startup.

PDP_ENABLE_MONITORING

Default: False

Enables Datadog APM tracing.

PDP_CENTRAL_LOG_DRAIN_URL

Default: https://listener.logz.io:8071

The URL for centralized logging.

PDP_CENTRAL_LOG_DRAIN_TIMEOUT

Default: 5

The timeout for the centralized log drain, in seconds.

PDP_CENTRAL_LOG_TOKEN

Default: None

The token used for centralized logging.

PDP_CENTRAL_LOG_ENABLED

Default: False

Forward logs to the centralized logging service.

danger

This feature is deprecated and will be removed in future versions.

PDP_PING_INTERVAL

Default: 10

The interval for pinging the control plane, in seconds.

PDP_OPA_CLIENT_QUERY_TIMEOUT

Default: 1

The timeout for querying OPA for an allow decision, in seconds. 0 means no timeout.

PDP_OPA_CLIENT_FAILURE_THRESHOLD

Default: 0.1

The percentage of failed requests to OPA that will trigger a failure, causing the healthcheck to fail.

PDP_OPA_CLIENT_FAILURE_THRESHOLD_INTERVAL

Default: 60

The interval to calculate the failure threshold, in seconds.

PDP_OPA_CONFIG_FILE_PATH

Default: ~/opa/config.yaml

The path on the container for OPA config file.

PDP_OPA_AUTH_POLICY_FILE_PATH

Default: ~/opa/basic-authz.rego

The path on the container for OPA authorization policy (rego file).

PDP_OPA_BEARER_TOKEN_REQUIRED

Default: True

If true, all API calls to OPA must provide a bearer token (the value of CLIENT_TOKEN).

PDP_OPA_DECISION_LOG_ENABLED

Default: True

If true, OPA decision logs will be uploaded to the Permit.io cloud console.

PDP_OPA_DECISION_LOG_CONSOLE

Default: False

If true, OPA decision logs will also be printed to console (only relevant if OPA_DECISION_LOG_ENABLED is true).

PDP_OPA_DECISION_LOG_INGRESS_ROUTE

Default: /v2/decision-logs/ingress

The route on Permit.io the decision logs will be uploaded to.

PDP_OPA_DECISION_LOG_INGRESS_BACKEND_TIER_URL

Default: https://decision-log-ingress.api.permit.io

The URL that decision logs will be uploaded to. Automatically configured by the control plane.

PDP_OPA_DECISION_LOG_MIN_DELAY

Default: 1

The minimum amount of time (in seconds) to wait between decision log uploads.

When unable to upload logs, the PDP performs an exponential backoff up to PDP_OPA_DECISION_LOG_MAX_DELAY until a successful upload.

PDP_OPA_DECISION_LOG_MAX_DELAY

Default: 10

The maximum amount of time (in seconds) to wait between decision log uploads.

PDP_OPA_DECISION_LOG_UPLOAD_SIZE_LIMIT

Default: 65536

Log upload size limit in bytes. OPA will chunk uploads to cap message body to this limit.

PDP_ALLOW_METRICS_UNAUTHENTICATED

Default: False

If true, the /metrics endpoint will be accessible without authentication.

PDP_LOCAL_FACTS_WAIT_TIMEOUT

Default: 10

When using SDK proxy facts via PDP, the default time to wait for the facts to be available, in seconds.

PDP_TEMP_LOG_FORMAT

Default: <green>{time}</green> | {process} | <blue>{name: <40}</blue>|<level>{level:^6} | {message}</level>

Change this parameter to change the log format (e.g. remove colors).

PDP_LOCAL_FACTS_TIMEOUT_POLICY

Default: ignore

The policy to use when the PDP fails to apply a data update within the timeout period.

  • ignore: Respond immediately when data update did not apply within the timeout period
  • fail: Respond with 424 status code when data update did not apply within the timeout period

PDP_DATA_UPDATE_CALLBACKS

Default: []

List of data update callbacks to be called when data is updated. For example:

[
  {
    "url": "http://example.com/callback",
    "key": "example",  // optional
    "config": {  // optional
      "headers": {
        "Authorization":  "Bearer token"
      },
      "method": "GET",
      "data": {
        "key": "value"
      }
    }
  }
]

The default config is: {"method": "POST"}.

For more information, see the CallbackEntry interface.

note

Data update callbacks can increase data synchronization latency. Optimize the callback endpoint to handle expected loads efficiently.

PDP_FACTDB_ENABLED

Default: False

Enable FactDB for this PDP. For more information, see the FactDB documentation.

OPAL Configurations

note

The list below includes only the configurations that are most commonly used. Additional configurations are available in the OPAL documentation.

OPAL_SERVER_URL

Default: https://opal-v2.permit.io

The URL of the OPAL server.

info

This configuration is controlled by Permit.io, changing it can cause your PDP to malfunction.

OPAL_SERVER_WS_URL

Default: wss://opal-v2.permit.io

The WebSocket URL of the OPAL server.

info

This configuration is controlled by Permit.io, changing it can cause your PDP to malfunction.

OPAL_CLIENT_TOKEN

Default: automatically configured

The client token used to authenticate the PDP against the OPAL server.

info

This configuration is controlled by Permit.io, changing it can cause your PDP to malfunction.

OPAL_INLINE_OPA_ENABLED

Default: True

When enabled, run OPA inside the PDP server.

info

This configuration is controlled by Permit.io, changing it can cause your PDP to malfunction.

OPAL_INLINE_OPA_LOG_FORMAT

Default: none

The log format for OPA logs.

  • none - no logs
  • minimal - only the event name is logged
  • http - log HTTP method, path, and status code
  • full - log the entire data returned

OPAL_INLINE_CEDAR_ENABLED

Default: True

When enabled, run Cedar inside the PDP server.

info

This configuration is controlled by Permit.io, changing it can cause your PDP to malfunction.

OPAL_INLINE_CEDAR_LOG_FORMAT

Default: none

The log format for Cedar logs.

  • none - no logs
  • minimal - only the event name is logged
  • http - log HTTP method, path, and status code
  • full - log the entire data returned

OPAL_FETCHING_WORKER_COUNT

Default: 6

The number of workers to use for fetching data concurrently.

OPAL_FETCHING_CALLBACK_TIMEOUT

Default: 60

The timeout for fetching the callback, in seconds.

OPAL_FETCHING_ENQUEUE_TIMEOUT

Default: 10

The timeout for queueing a fetch, in seconds.

OPAL_ENABLE_DATADOG_APM

Default: False

Enables Datadog APM tracing.

note

Additional configurations are available in the OPAL documentation.

OPAL_LOG_DIAGNOSE

Default: False

Include diagnosis in log messages.

danger

When OPAL_LOG_DIAGNOSE is set to True, it may print sensitive information, including secrets.

note

Additional configurations are available in the OPAL documentation.

OPAL_LOG_SERIALIZE

Default: False

Serialize log records as JSON format to STDERR (useful for log aggregation services)

note

Additional configurations are available in the OPAL documentation.

Additional Configurations

UVICORN_NUM_WORKERS

Default: 1

The number of parallel workers to run the PDP server on.

UVICORN_PORT

Default: 7000

The port to run the PDP server on.

GUNICORN_TIMEOUT

Default: 600

Maximum idle / unresponsive time before a worker is killed, in seconds. For more information, see the Gunicorn documentation.

Contents