Topaz

Apache-2.0 · Go · v0.33.14

An open-source authorization service providing fine-grained, policy-based access control for cloud-native applications and APIs.

1.3k stars · 44 forks · 0 contributors

What is Topaz?

Topaz is an open-source authorization service that provides fine-grained, policy-based access control for modern applications and APIs. It centralizes authorization logic using the Open Policy Agent (OPA) as its decision engine and includes a built-in directory for modeling domain data. It solves the problem of scattered authorization code by offering a unified, real-time service that supports RBAC, ABAC, and ReBAC models.

Target Audience

Developers and security engineers building cloud-native applications, microservices, or APIs who need a scalable, centralized authorization solution with flexible policy management.

Value Proposition

Developers choose Topaz for its integration with OPA, built-in Zanzibar-inspired directory, and ability to deploy as a sidecar or microservice for low-latency decisions. It offers a comprehensive, self-hosted alternative to proprietary authorization services with strong policy-as-code and auditing capabilities.

Overview

Cloud-native authorization for modern applications and APIs

Use Cases

Best For

  • Implementing centralized authorization for microservices architectures
  • Enforcing fine-grained access control in multi-tenant SaaS applications
  • Managing policy-as-code for compliance and audit requirements
  • Building applications that require real-time, low-latency authorization decisions
  • Transitioning from simple RBAC to more complex ABAC or ReBAC models
  • Securing APIs with dynamic, relationship-based access policies

Not Ideal For

  • Applications with basic, unchanging role-based permissions that don't require dynamic or fine-grained control
  • Teams already using all-in-one identity platforms (e.g., Auth0, Okta) with built-in authorization that meets their needs
  • Real-time systems where sub-millisecond latency is critical and any network call to an external service is prohibitive
  • Projects without container or microservices infrastructure, as Topaz is designed for cloud-native deployments

Pros & Cons

Pros

Centralized Policy Management

Enables separation of concerns by allowing security engineers to manage authorization policies as code separately from application logic, as highlighted in the 'Authorization in one place' benefit.

Flexible Authorization Models

Supports evolving from simple RBAC to complex ABAC or ReBAC models, providing adaptability as application needs grow, mentioned in the 'Flexible authorization model' section.

Built-In Directory for Relationships

Includes a Zanzibar-inspired directory for modeling domain objects and relationships stored locally, facilitating fast, relationship-based access control decisions.

Real-Time, Low-Latency Decisions

Can be deployed as a sidecar or microservice for high availability and fast response times, as emphasized in the 'Blazing fast' benefit.

Comprehensive Auditing

Logs every authorization decision to support audit trails, compliance, and forensic analysis, a key feature listed in the benefits.

Cons

Complex Initial Setup

The quickstart involves multiple steps like Docker installation, template setup, and configuration, which can be daunting for newcomers without prior infrastructure experience.

Dependency on OPA and Rego

Requires learning and maintaining OPA policies in the Rego language, adding a learning curve and potential barrier for teams unfamiliar with policy-as-code practices.

Operational Overhead

As a self-hosted service, it necessitates managing certificates, databases, and deployment, increasing DevOps burden compared to managed authorization solutions.

Quick Stats

  • Stars: 1,338
  • Forks: 44
  • Contributors: 0
  • Open Issues: 8
  • Last commit: 16 days ago
  • Created: Since 2022

Tags

#api #rbac #policy-as-code #rebac #authorization #open-policy-agent #abac #grpc #access-control #zanzibar #golang #microservices #opa #cloud-native

Built With

  • Open Policy Agent
  • Go
  • gRPC
  • Docker

Included in

IAM (2.2k)

Related Projects

spicedb

Open Source, Google Zanzibar-inspired database for scalably storing and querying fine-grained authorization data

  • Stars: 6,774
  • Forks: 399
  • Last commit: 2 days ago

Permify

An open-source authorization as a service inspired by Google Zanzibar, designed to build and manage fine-grained and scalable authorization systems for any application. — Permify is now part of FusionAuth 🎉

  • Stars: 5,893
  • Forks: 319
  • Last commit: 2 days ago

Open Policy Administration Layer

Policy and data administration, distribution, and real-time updates on top of Policy Agents (OPA, Cedar, ...)

  • Stars: 5,466
  • Forks: 283
  • Last commit: 3 days ago

Warrant

Warrant is a highly scalable, centralized authorization service based on Google Zanzibar. Use it to define, enforce, query, and audit application authorization and access control.

  • Stars: 1,334
  • Forks: 52
  • Last commit: 6 months ago