Version: 2.0.0

Permit's PDP (Policy Decision Point)

A PDP is a network node responsible for answering authorization queries using policies and contextual data. Hence, PDPs should be highly available, performant and physically close to the querying services to minimize latency and ensure high availability.

Permit's PDP essentially becomes your microservice for authorization, bundling together OPA, OPAL and an API Server.

The PDP is easy to install via a Docker image, and will ensure zero latency, great performance, high availability, and improved security. Like all of Permit's customer-deployed components, the Permit PDP is open source and is available publicly from Docker Hub.

Use the PDP

There are several ways you can use the PDP for testing and enforcement:

Managed Cloud PDP

Permit.io provides a managed Cloud PDP at https://cloudpdp.api.permit.io which is available globally.

When first trying out Permit, you can connect quickly with the cloud PDP.

from permit import Permit

permit = Permit(
    token="[your-api-key]",
    pdp="https://cloudpdp.api.permit.io",
)
Note: the Cloud PDP is limited to RBAC policies only and has a 1 MB data restriction. You need to deploy a local PDP for ABAC/ReBAC policies.

We recommend deploying a PDP inside your network for production deployments to minimize network latency and ensure high availability.

Run a Local PDP With Docker

You can run a PDP on your local machine as a container on Docker Desktop. You will need this to use ABAC / ReBAC policies.

To run the PDP use the following command:

docker run -it \
    -p 7766:7000 \
    --env PDP_API_KEY=<your-permit-api-key> \
    --env PDP_DEBUG=True \
    permitio/pdp-v2:latest

In your application code, use the following PDP address in the Permit client to perform authorization queries.

from permit import Permit

permit = Permit(
    token="[your-api-key]",
    pdp="http://localhost:7766",
)

Production Deployment Models

Permit.io supports all PDP layouts and provides the missing layers on top of open-source PDP solutions (such as Open Policy Agent). These layers include policy delivery and updating, supporting data collection, application-level SDKs, application-level instrumentation and more.

Info: custom cloud PDP deployments are available to enterprise-tier customers. These can include different regions, cloud providers, custom SSL/TLS configurations or other specifications.

Please reach out to us at support@permit.io, or schedule a call via this link: https://calendly.com/permitio/

Hosted as a Sidecar

The simplest way to integrate PDPs into a microservices architecture is as sidecars, meaning each microservice has a sidecar container next to it which it can query for policy decisions.

For more information, see the sidecar deployment guide.
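The sidecar layout described above, as an added example that is not taken from the Permit docs or the sidecar deployment guide: one Kubernetes Pod running an application container next to the permitio/pdp-v2 image from this page. The application image, the Secret name "permit-pdp-key" and the PERMIT_PDP_URL variable are assumed placeholders; the env var names PDP_API_KEY and PDP_DEBUG and the container port 7000 come from the docker run command above.

```yaml
# Added example (not Permit's own manifest): app + Permit PDP sidecar in one Pod.
# Placeholders: the app image, the Secret "permit-pdp-key" and PERMIT_PDP_URL.
apiVersion: v1
kind: Pod
metadata:
  name: my-service
spec:
  containers:
    - name: app
      image: example.com/my-service:1.0      # placeholder application image
      env:
        # Containers in one Pod share a network namespace, so the sidecar is
        # reachable on localhost. 7000 is the PDP's in-container port (the
        # docker run above maps it to 7766 on the host); pass this value as
        # the pdp= argument of the Permit client.
        - name: PERMIT_PDP_URL
          value: "http://localhost:7000"
    - name: permit-pdp
      image: permitio/pdp-v2:latest
      ports:
        - containerPort: 7000
      env:
        # Read the API key from a Secret rather than writing it into the
        # manifest, so the key does not end up in version control.
        - name: PDP_API_KEY
          valueFrom:
            secretKeyRef:
              name: permit-pdp-key             # placeholder Secret name
              key: api-key
        - name: PDP_DEBUG
          value: "False"                       # debug output off outside dev
      readinessProbe:
        # TCP probe only: it assumes no HTTP route on the PDP, just the listener.
        tcpSocket:
          port: 7000
        initialDelaySeconds: 5
```

Because the PDP is only bound inside the Pod, nothing outside the Pod can query it, which keeps the authorization endpoint off the cluster network.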

Centralized PDP

You can deploy a centralized PDP to handle authorization queries from multiple services.

This layout is simple to set up and manage, but as the number of services grows, the single PDP can become a bottleneck.

Cluster of PDPs

For high availability and scalability, you can deploy a cluster of PDPs behind a load balancer.

You can use our PDP Helm chart to create a Kubernetes deployment with multiple PDPs. For more information, see the Deploying using Helm guide.

Sharded PDPs

When the PDP needs to hold a very large data set, you can apply sharding to split the data between multiple PDPs within the same cluster.

This is done by using an Envoy server as a proxy that routes each request to the relevant PDP based on the tenant. For more information, see the Sharded PDPs guide.

Powered by OPA+OPAL

Permit.io's PDP orchestration is powered by OPAL, an open-source project developed by the team at Permit.io and supported by a large community of developers and users. Check out this talk with the primary authors of OPAL to learn more about its real-time architecture.

OPAL's built-in separation of the data plane from the control plane enables Permit.io users to enjoy the benefits of a fully distributed PDP solution without being dependent on the availability of the Permit.io cloud, or sharing any data with it.