Once authorization has been set to required: true all management API routes will require a valid authentication session as well.

The UI will require a session-compatible authentication method (e.g. OIDC) to be enabled.

Flipt supports the ability to secure its core API routes by setting the required field to true on the authorization configuration object.

config.yaml
authorization:
  required: true

When authorization is set to required, the API will ensure valid credentials are present on all management API requests.

See the Authorization: Overview documentation for more details on Flipt’s API authorization handling.

Backends

Flipt uses Open Policy Agent (OPA) to enforce authorization policies. OPA is a general-purpose policy engine that can be used to enforce policies across the stack.

Flipt supports sourcing policies and external data from various backends. Currently, Flipt supports the following backends:

Local

Flipt supports loading policy and external data from the local filesystem.

Policies

For configuring policies, the files must be valid Rego files.

You can specify the path to the policy file in the policy object in the authorization configuration object.

authorization:
  required: true
  backend: local
  local:
    policy:
      path: "policy.rego"

The policy must have the following package declaration:

policy.rego
package flipt.authz.v1

You can learn more about policies in our Authorization: Overview documentation.

Polling Interval

Flipt will poll the policy file for changes at a regular interval. By default, Flipt will poll the policy file every 5 minutes. You can adjust this interval by setting the poll_interval field in the policy object.

authorization:
  required: true
  backend: local
  local:
    policy:
      path: "policy.rego"
      poll_interval: "1m"

External Data

In addition to policies that can be used to enforce authorization rules, Flipt also provides a way to pass external data to the policy evaluation from the local filesystem. These data objects must be valid JSON objects.

This can be done by setting the data object in the authorization configuration object.

authorization:
  required: true
  backend: local
  local:
    policy:
      path: "policy.rego"
    data:
      path: "data.json"

You can learn more about using data with policies in our Authorization: Overview documentation.

Polling Interval

Like policies, Flipt will poll data files for changes at a regular interval. By default, Flipt will poll the data file every 30 seconds. You can adjust this interval by setting the poll_interval field in the data object.

authorization:
  required: true
  backend: local
  local:
    data:
      path: "data.json"
      poll_interval: "1m"

Bundle

Flipt supports loading policy and external data from OPA bundles. Bundles are a way to package policy and data files together as a single unit.

You can read more about creating and using OPA bundles in the OPA documentation.

Bundles can be hosted on a remote server and downloaded by Flipt at regular intervals. Some of the services that OPA bundles support out of the box include:

Bundle support is enabled by setting the backend field to bundle in the authorization configuration object.

The bundle backend requires a valid configuration object to be set. This configuration definition is the same as the OPA bundle service configuration.

authorization:
  required: true
  backend: bundle
  bundle:
    configuration: |
      services:
      - name: acmecorp
        url: https://example.com/service/v1
        credentials:
          bearer:
            token: "bGFza2RqZmxha3NkamZsa2Fqc2Rsa2ZqYWtsc2RqZmtramRmYWxkc2tm"

      bundles:
        authz:
          service: acmecorp
          resource: somedir/bundle.tar.gz
          polling:
            min_delay_seconds: 10
            max_delay_seconds: 20

Object

Similar to our object storage support for Flipt flag data, Flipt also supports loading policy and external data from object storage.

Technically, this is a subset of the bundle backend, but it is useful for those who want to provide a simplified configuration for loading policy and data from object storage, without the need to configure the bundle service directly.

The object backend requires a valid type to be configured. This is similar to the object storage configuration for Flipt flag data as it also requires valid credentials to access the object storage service.

The credentials are read from environment variables at Flipt start time.

AWS_ACCESS_KEY_ID=...
AWS_SECRET_ACCESS_KEY=...

authorization:
  required: true
  backend: object
  object:
    type: s3
    s3:
      region: us-east-1
      bucket: flipt_policy_bundles
      # optional: bucket prefix for locating bundle files
      prefix: production
      # optional: for non-AWS hosted S3
      endpoint: http://localhost:9009

Currently, Flipt only supports the s3 object storage type directly. If you require support for other object storage types, please let us know.

Alternatively, as a workaround, you can use the bundle backend to load policy and data from other object storage types. Follow the OPA bundle documentation for more information.