Policy Decision Points (PDPs) are responsible for making authorization decisions based on the organization's authorization policy. After evaluating the authorization request against the policies created within build.security, the PDP determines whether access to the resource is allowed or denied.
Within the build.security project, you can manage multiple PDP configurations. Each PDP configuration defines the details needed to deploy a PDP in your organizational environment; the deployed PDP pulls the authorization policies that determine the authorization decision.
When you open the PDP navigation option, all currently defined PDPs are listed in the table in the main display area.
For each PDP configuration, the following information is displayed:
Indicates the name of the PDP configuration.
Note that each name must be unique in the project. When you click on (>) next to the name of a configuration, the view expands to offer additional details about the PDP including information about the API key and a list of all instances authenticated with build.security using this configuration API key and secret. For more information about what is displayed in the expanded view, see the following section.
Creation Date (UTC)
The date and time that the PDP was created.
Last Update (UTC)
The last time (UTC) the PDP was updated, that is, when its name or description was changed.
On the Policy Decision Points screen, you can:
You can also access additional information about each PDP by clicking >. The row expands to display the following information:
Creation date and last update of the API key (in UTC).
Deployment instructions (see Deploying a build.security PDP).
IP address (the internal IP address of the machine running the configuration).
Status of the connection between the PDP and the build.security control plane (green confirms communication between the two; red indicates build.security is currently not in communication with the PDP).
Last seen (UTC time).
Policies: a list of policies that have been published to the PDP for evaluation of authorization requests.
Version number of the PDP instance.
Remove from list option: deletes old records that are inactive. A new record will be added when the PDP authenticates with the control plane.
A Docker container running an OPA-based Policy Decision Point (PDP) in your cluster receives the authorization request from your API application (PEP). The PDP makes the authorization decision according to the cached policy and the specific configurations received from the control plane.
Upon making the decision, the organization's PDP returns the decision to build.security and sends its decision to the PEP, which is responsible for enforcing it.
Following this, based on the configuration settings, the PDP sends the authorization decision to be logged in the decision log table.
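The PEP side of this flow, as an added example that is not build.security's own code: it queries the PDP and denies unless the answer is an explicit `true`. It assumes the PDP exposes OPA's standard Data API (`POST /v1/data/<path>` with an `{"input": ...}` body); the address, the policy path `authz/allow` and the input fields are placeholders.

```python
import json
import urllib.request

# Assumed placeholders (not from the page): PDP address and policy path.
PDP_URL = "http://localhost:8181/v1/data/authz/allow"


def build_query(user, method, path):
    """Wrap the request attributes in the {"input": ...} envelope of OPA's Data API."""
    return {"input": {"user": user, "method": method, "path": path}}


def interpret(body):
    """Map a PDP response body to allow/deny; anything but an explicit true is a deny."""
    try:
        doc = json.loads(body)
    except (TypeError, ValueError):
        return False  # malformed or empty response
    # OPA omits "result" when the queried rule is undefined, so a missing key is a deny.
    return isinstance(doc, dict) and doc.get("result") is True


def http_post(url, payload, timeout=2.0):
    """Send the query to the PDP and return the raw response body."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def is_allowed(user, method, path, post=http_post):
    """PEP check: ask the PDP and fail closed if it is unreachable or errors out."""
    try:
        body = post(PDP_URL, build_query(user, method, path))
    except OSError:  # connection refused, timeout, HTTP error status
        return False
    return interpret(body)


if __name__ == "__main__":
    # Constructed PDP responses, so the example runs without a live PDP.
    for sample in ('{"result": true}', '{"result": false}', '{}', 'oops'):
        print(sample, "->", is_allowed("alice", "GET", "/orders", post=lambda u, p, s=sample: s))
```

The `post` parameter exists so the enforcement logic can be exercised against canned responses before it is pointed at a deployed PDP.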