Version: 2.0.0

Permit's PDP (Policy Decision Point)

A PDP is a network node responsible for answering authorization queries using policies and contextual data. Hence, PDPs should be highly available, performant and physically close to the querying services to minimize latency and ensure high availability.

Permit's PDP essentially becomes your microservice for authorization, bundling together OPA, OPAL and an API Server.

The PDP is easy to install as a Docker image, and will ensure zero latency, great performance, high availability, and improved security. Like all of Permit's customer-deployed components, the Permit PDP is open source and is available publicly from Docker Hub.

Deploying the PDP

Permit.io supports all PDP layouts and provides the missing layers on top of open-source PDP solutions (such as OpenPolicyAgent). These layers include policy delivery and updating, supporting data collection, application-level SDKs, application-level instrumentation and more. Read about the various layouts you can deploy the PDP with here.

There are several ways you can deploy the PDP:

Managed Cloud PDP

Permit.io provides a managed Cloud PDP at https://cloudpdp.api.permit.io which is available globally.

When first trying out Permit, you can connect quickly with the cloud PDP.

from permit import Permit

permit = Permit(
    token="[your-api-key]",
    pdp="https://cloudpdp.api.permit.io",
)

Note:

Cloud PDP is limited to RBAC policies only, with 1MB data restriction. For ABAC / ReBAC policies, you need to deploy a local PDP.

For production deployments, we recommend deploying a local PDP to minimize network latency and ensure high availability.
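The snippet above only constructs the client. The following is an added example (not Permit's SDK or PDP code) of how a service should query a locally deployed PDP: with a hard timeout, and failing closed when the PDP is unreachable or returns something other than an explicit allow. It assumes the local PDP is reachable at http://localhost:7766 (the host port Permit's docker run examples map), that it exposes a POST /allowed endpoint taking user, action and resource and returning {"allow": <bool>}, and that it accepts the API key as a Bearer token; the transport is injectable so the decision logic can be exercised offline with a constructed fake.

```python
"""Fail-closed client for a locally deployed Permit PDP.

Added example, not Permit's own code. Assumptions, labelled here:
  * the local PDP listens on http://localhost:7766 and exposes POST /allowed,
    taking {"user": ..., "action": ..., "resource": ...} and returning
    {"allow": <bool>};
  * the PDP authenticates callers with the API key sent as a Bearer token.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Optional

PDP_URL = "http://localhost:7766"   # assumed address of the local sidecar / centralized PDP
TIMEOUT_SECONDS = 0.5               # a PDP next to the service should answer in milliseconds

# A transport takes the JSON request body and returns the decoded response dict.
Transport = Callable[[dict], dict]


def http_transport(api_key: str, pdp_url: str = PDP_URL,
                   timeout: float = TIMEOUT_SECONDS) -> Transport:
    """Real transport: POST the query to <pdp_url>/allowed with a hard timeout."""
    def send(body: dict) -> dict:
        req = urllib.request.Request(
            f"{pdp_url}/allowed",
            data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json",
                     "Authorization": f"Bearer {api_key}"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    return send


def is_allowed(user: str, action: str, resource_type: str, tenant: str,
               transport: Transport) -> bool:
    """Ask the PDP; any failure (timeout, HTTP error, bad payload) is a deny."""
    body = {
        "user": {"key": user},
        "action": action,
        "resource": {"type": resource_type, "tenant": tenant},
    }
    try:
        decision = transport(body)
    except (urllib.error.URLError, TimeoutError, OSError, ValueError):
        # Fail closed: an unreachable or broken PDP must never grant access.
        return False
    if not isinstance(decision, dict):
        return False
    # Only an explicit boolean True counts; "true", 1, or a missing key is a deny.
    return decision.get("allow") is True


def fake_transport(reply: Optional[dict] = None,
                   error: Optional[Exception] = None) -> Transport:
    """Constructed stand-in for offline tests: returns a canned reply or raises."""
    def send(body: dict) -> dict:
        if error is not None:
            raise error
        return reply
    return send


if __name__ == "__main__":
    # Constructed sample call; swap fake_transport for http_transport("<your-api-key>")
    # to query a real local PDP.
    print(is_allowed("alice", "read", "document", "default",
                     fake_transport({"allow": True})))
```

The timeout is what makes the "physically close to the querying service" advice concrete: a sidecar or in-cluster PDP can be held to a sub-second budget, and when that budget is exceeded the service denies rather than waits or defaults to allow.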

Info:

Custom cloud PDP deployments are available to enterprise tier customers. Those can include different regions, cloud providers, custom SSL/TLS configurations or other specifications.

Please reach out to us at support@permit.io, or schedule a call via this link: https://calendly.com/permitio/

Hosted as a Sidecar

The simplest way to integrate PDPs into a microservices architecture is as sidecars, meaning each microservice has a sidecar container next to it which it can query for policy decisions.

For more information, see the sidecar deployment guide.

Centralized PDP

You can deploy a centralized PDP to handle authorization queries from multiple services.

This layout is simple to set up and manage, but as the number of services grows, the single PDP can become a bottleneck.

Cluster of PDPs

For high availability and scalability, you can deploy a cluster of PDPs behind a load balancer.

You can use our PDP Helm chart to create a Kubernetes deployment with multiple PDPs. For more information, see the Deploying using Helm guide.

Sharded PDPs

When the PDP needs to hold truly massive data sets, you can apply sharding to split the data between multiple PDPs within the same cluster.

This is done by using an Envoy proxy to route each request to the relevant PDP based on the tenant. For more information, see the Sharded PDPs guide.

Powered by OPA+OPAL

Permit.io's PDP orchestration is powered by OPAL, an open-source project developed by the team at Permit.io and supported by a large community of developers and users. Check out this talk with the primary authors of OPAL to learn more about its unique real-time architecture:

OPAL's built-in separation of the data plane from the control plane enables Permit.io users to enjoy the benefits of a fully distributed PDP solution without being dependent on the availability of the Permit.io cloud, or sharing any data with it.