Authzed is a database and service that stores, computes, and validates your application’s permissions.
Developers create a schema that models their permissions requirements and use a client library, such as this one, to apply the schema to the database, insert data into the database, and query the data to efficiently check permissions in their applications.
See CONTRIBUTING.md for instructions on how to contribute and perform common tasks like building the project and running tests.
If you’re using a modern version of Go, run the following command to install:
go install github.com/authzed/prom-authzed-proxy
If you want a container of the proxy and have docker installed:
docker pull quay.io/authzed/prom-authzed-proxy:latest
Running against localhost
The following command will run the proxy that checks the permissions against authzed.com and a Prometheus running on localhost:
prom-authzed-proxy \ --upstream-prom-addr http://localhost:9090 \ --object-id-parameter install \ --authzed-token tc_client_token_1234deadbeef \ --authzed-subject-definition-path psystem/token \ --authzed-subject-relation ... \ --authzed-object-definition-path psystem/prometheus \ --authzed-permission viewer
Each request is checked to have a value as a Bearer Token that is a
viewer of the value in the PromQL label
install with their respective Authzed Object Types.
If the permission check fails, the proxy will return an HTTP 403.
- Prometheus – industry standard time series database
- prom-label-proxy – proxy that enforces labels in PromQL
- kube-rbac-proxy – proxy that authorizes requests with Kubernetes cluster RBAC, sometimes used with prom-label-proxy