Configuration
Authorization
This document describes how to configure the authorization mechanisms for Flipt v2.
Flipt supports the ability to secure its core API routes by setting the
When authorization is set to
The policy must have the following package declaration:
required field to true on the authorization configuration object.
config.yaml
required, the API will ensure valid credentials are present on all management API requests.
Once authorization has been set to
required: true all management API routes will require a valid authentication session as well.The UI will require a session-compatible authentication method (e.g. OIDC) to be enabled.Backends
Flipt uses Open Policy Agent (OPA) to enforce authorization policies. OPA is a general-purpose policy engine that can be used to enforce policies across the stack. Flipt supports sourcing policies and external data from various backends. Currently, Flipt supports the following backends:Local
Flipt supports loading policy and external data from the local filesystem.Policies
For configuring policies, the files must be valid Rego files. You can specify the path to the policy file in thepolicy object in the authorization configuration object.
policy.rego
Polling Interval
Flipt will poll the policy file for changes at a regular interval. By default, Flipt will poll the policy file every 5 minutes. You can adjust this interval by setting thepoll_interval field in the policy object.
External Data
In addition to policies that can be used to enforce authorization rules, Flipt also provides a way to pass external data to the policy evaluation from the local filesystem. These data objects must be valid JSON objects. This can be done by setting thedata object in the authorization configuration object.
Polling Interval
Like policies, Flipt will poll data files for changes at a regular interval. By default, Flipt will poll the data file every 30 seconds. You can adjust this interval by setting thepoll_interval field in the data object.