
Pyron Authorizer configuration reference

This article contains a reference for Pyron Authorizer configuration and instructions on how to apply your settings to the authorizer.

Configuring Pyron Authorizer

ACP’s Pyron Authorizer is configured by setting environment variables. The variables and their values can be provided in two ways:

  • In the docker-compose.yml file, for example:

    pyron-authorizer:
      container_name: pyron-authorizer
      image: docker.cloudentity.io/pyron-authorizer:2.0.0-2
      env_file: .authorizer_env
      environment:
        - ACP_RELOAD_INTERVAL=5s


    In this example, the ACP_RELOAD_INTERVAL variable is set under the environment key.

  • In a separate file that stores all of the environment variables for your authorizer’s deployment. See the example .authorizer_env file below:

    ACP_ISSUER_URL={YOUR_ISSUER_URL}
    ACP_CLIENT_ID={YOUR_CLIENT_ID}
    ACP_CLIENT_SECRET={YOUR_CLIENT_SECRET}
    

    After you create the file with the variables, point your authorizer’s deployment at the file path in the docker-compose.yml file, for example:

    pyron-authorizer:
      container_name: pyron-authorizer
      image: docker.cloudentity.io/pyron-authorizer:2.0.0-2
      env_file: .authorizer_env


    In this example, the env_file key points to your .authorizer_env file with the variables.

    .authorizer_env

    The Pyron Gateway package that you download to set up your APIs and the authorizer already contains the .authorizer_env file. You can edit it or provide a different file with the variables. Because the file name starts with a dot, the file is hidden by default: a plain ls does not list it, so use ls -a to see the .authorizer_env file. On macOS, you can also press SHIFT + CMD + . while browsing in Finder to show hidden files.

Configuration reference

# acp
acp:
    reload_interval: 1m0s # reload interval
    reload_timeout: 30s # reload configuration timeout
    issuer_url: https://localhost:8443/sample/system # issuer url
    client_id: bqesdrc4m4co2s81mpu0 # client id
    client_secret: LH6mAb6PNljvjYMIF-A5RP2bElA5a5bnQah8sG0fsLA # client secret
    tenant_id: "" # tenant id
    server_id: "" # server id
    force_introspection: false # force token introspection even for jwts
# http client
http_client:
    timeout: 10s # http client timeout
    retry_wait_min: 0s # minimum time to wait between retries
    retry_wait_max: 0s # maximum time to wait between retries
    retry_max: 0 # maximum number of retries
    root_ca: "" # root ca that this client should trust (defaults to system root ca)
    insecure_skip_verify: false # disable cert verification
    disable_follow_redirects: false # disable follow redirects
    disable_retry: true # disable retry
# metrics
metrics:
    enabled: false # enable metrics endpoint
    port: 9000 # metrics endpoint port
# analytics
analytics:
    enabled: true # when enabled, events are sent to audit log
    # event format
    event_format:
        include_policy_output: false # when enabled, policy evaluation output is sent to audit log
    # sampling
    sampling:
        probability: 1 # Probability of an event to be published (0.0-1.0)
        batch_inverval: 1s # Max duration to wait for a batch to publish
        batch_limit: 100 # Max number of events in a batch
        limit: 5 # Max number of batches per second to be published
        timeout: 5s # Timeout for a single batch to send
        workers: 8 # Number of sending workers
# cache
cache:
    ttl: 10s # ttl
    max_size: 100 # max size
# logging config
logging:
    level: info # log level severity
# token exchange config
token_exchange:
    enabled: false # enable token exchange
    # cache
    cache:
        ttl: 1m0s # ttl
        max_size: 1000 # max size
    # inject config (supported only for istio authorizer)
    inject:
        mode: "" # Defines what token should be sent to the target service when token is exchanged
        # headers config
        headers:
            exchanged_token: "" # Defines the name of the header that contains an exchanged token.
            original_token: "" # Defines the name of the header that contains an original token.
            strip_bearer: false # Allows to strip the bearer prefix in headers
# enforcement config
enforcement:
    allow_unknown: false # allow requests with no matching rule
# http server
http_server:
    port: 8442 # http port
    dangerous_disable_tls: true # disables TLS
    # certificate configuration
    certificate:
        password: "" # key passphrase
        cert_path: "" # path to the certificate PEM file
        key_path: "" # path to the key PEM file
        cert: "" # base64 encoded cert PEM
        key: "" # base64 encoded key PEM
        generated_key_type: ecdsa # type for generated key if cert and key are not provided (rsa or ecdsa)
    client_auth_type: 0 # client auth type
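The reference above lists defaults that a practitioner should check before deploying, for instance http_server.dangerous_disable_tls defaulting to true, and the .authorizer_env file from the previous section carries ACP_CLIENT_SECRET. The following script is an added example, not Cloudentity's code: it parses an .authorizer_env file in the KEY=VALUE form shown earlier, applies it over the defaults copied from this reference, and reports unfilled placeholders and weak settings. It assumes that every YAML key path maps to its environment variable by upper-casing the path elements and joining them with "_" (the page shows one instance, acp.reload_interval to ACP_RELOAD_INTERVAL); the sample env content, the function names and the audit rules are constructed for the example.

```python
"""Audit a Pyron Authorizer env file for weak settings (added example)."""
import os
import stat

# Defaults copied from the configuration reference on this page (subset).
DEFAULTS = {
    "acp": {"reload_interval": "1m0s", "force_introspection": False},
    "http_client": {"insecure_skip_verify": False, "root_ca": ""},
    "enforcement": {"allow_unknown": False},
    "http_server": {
        "dangerous_disable_tls": True,
        "certificate": {"cert_path": "", "key_path": "", "cert": "", "key": ""},
        "client_auth_type": 0,
    },
    "logging": {"level": "info"},
}

# Variables the page's .authorizer_env template expects you to fill in.
REQUIRED = ("ACP_ISSUER_URL", "ACP_CLIENT_ID", "ACP_CLIENT_SECRET")


def env_name(path):
    """Map a YAML key path to its env var name (assumed convention)."""
    return "_".join(path).upper()


def flatten(tree, prefix=()):
    """Flatten the nested defaults into {ENV_NAME: default_value}."""
    out = {}
    for key, value in tree.items():
        path = prefix + (key,)
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[env_name(path)] = value
    return out


def parse_env_file(text):
    """Parse KEY=VALUE lines as in the page's .authorizer_env example."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def coerce(default, raw):
    """Interpret an env string using the type of the default it overrides."""
    if isinstance(default, bool):
        return raw.strip().lower() in ("true", "1", "yes")
    if isinstance(default, int):
        return int(raw)
    return raw


def effective_config(env):
    """Defaults from the reference, overridden by what the env file sets."""
    cfg = flatten(DEFAULTS)
    for name, raw in env.items():
        if name in cfg:
            cfg[name] = coerce(cfg[name], raw)
    return cfg


def audit(env):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    for name in REQUIRED:
        value = env.get(name, "")
        if not value:
            findings.append(f"{name} is not set")
        elif value.startswith("{") and value.endswith("}"):
            findings.append(f"{name} still holds the placeholder {value}")
    cfg = effective_config(env)
    if cfg["HTTP_SERVER_DANGEROUS_DISABLE_TLS"]:
        findings.append("HTTP_SERVER_DANGEROUS_DISABLE_TLS is true (the reference default): "
                        "the authorizer listens without TLS")
    if cfg["HTTP_CLIENT_INSECURE_SKIP_VERIFY"]:
        findings.append("HTTP_CLIENT_INSECURE_SKIP_VERIFY is true: the ACP certificate is not verified")
    if cfg["ENFORCEMENT_ALLOW_UNKNOWN"]:
        findings.append("ENFORCEMENT_ALLOW_UNKNOWN is true: requests with no matching rule are allowed")
    has_cert = cfg["HTTP_SERVER_CERTIFICATE_CERT_PATH"] or cfg["HTTP_SERVER_CERTIFICATE_CERT"]
    if not cfg["HTTP_SERVER_DANGEROUS_DISABLE_TLS"] and not has_cert:
        findings.append("TLS is enabled but no certificate is configured; "
                        "a key of HTTP_SERVER_CERTIFICATE_GENERATED_KEY_TYPE will be generated")
    return findings


def audit_file(path):
    """Audit an .authorizer_env file on disk, including its permission bits."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path} is accessible to group/others (mode {mode:o}) and holds ACP_CLIENT_SECRET")
    with open(path, encoding="utf-8") as fh:
        findings.extend(audit(parse_env_file(fh.read())))
    return findings


# Constructed sample: the page's template with two placeholders left in place
# and one client-side check switched off.
SAMPLE_ENV = """\
ACP_ISSUER_URL={YOUR_ISSUER_URL}
ACP_CLIENT_ID=bqesdrc4m4co2s81mpu0
ACP_CLIENT_SECRET={YOUR_CLIENT_SECRET}
HTTP_CLIENT_INSECURE_SKIP_VERIFY=true
"""

if __name__ == "__main__":
    for finding in audit(parse_env_file(SAMPLE_ENV)):
        print("-", finding)
```

Run it against your own file with audit_file(".authorizer_env"); the sample produces four findings (two placeholders, TLS disabled by default, certificate verification disabled). Keys the script does not know are passed through untouched, so extending DEFAULTS with more entries from the reference is all that is needed to audit further settings.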