Configuration Reference


Complete reference for enabling and configuring platform authorization: the auth section in config, Helm values, environment variables, and the choice between embedded and external OPA.

For quickstart setup, see Authentication and Authorization. For OIDC settings, see OIDC Setup.

Enabling Authorization

Authorization is enabled in the platform config by setting auth.enabled: true. This can be done in the platform config file:

auth:
  enabled: true

When using Helm, this is done by setting platformConfig.auth.enabled: true in your Helm values; this becomes auth.enabled in the calculated platform config.

# values.yaml

platformConfig:
  auth:
    enabled: true

When auth.enabled is false (the default), all API requests are allowed without checks. When true, every request is evaluated by the Policy Decision Point (PDP). In Helm deployments, this setting is controlled via platformConfig.auth.enabled.

Bootstrap Admin

When authorization is enabled, a platform administrator can be configured. Setting admin_email gives that identity the PlatformAdmin role at platform start. Use it to create the first workspaces and grant roles to other users. After bootstrap, manage access via workspaces and members as described in Managing Access.

auth:
  enabled: true
  admin_email: "your-admin@company.com"

This page covers the auth-specific configuration fields you need to enable and operate authorization. Auth-related values are found under platformConfig.auth in the values file.

For OIDC-specific fields (auth.oidc), see OIDC Setup.

Authorization Engine: Embedded vs External OPA

The PDP can run in two modes. For technical details, see Policy Engine.

Embedded (default)

  • Provider: policy_decision_point_provider: "embedded".
  • The auth service runs a built-in WASM policy engine. No OPA sidecar is required.
  • Policy data (role bindings, scopes, etc.) is loaded from the entity store and refreshed on an interval (policy_data_refresh_interval).

Use embedded for new deployments and when you do not already have an OPA fleet.

External OPA

  • Provider: policy_decision_point_provider: "opa".
  • An external OPA sidecar (or server) fetches policy bundles from the auth service and evaluates requests.
  • Set policy_decision_point_base_url to the OPA service URL (e.g., http://opa:8181).
  • bundle_cache_seconds controls how long OPA caches the bundle.

Use external OPA when you already use OPA for other services or need a single policy engine at the edge.
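The following preflight check, added here as an example and not part of the platform's own code, encodes the rules stated above so a misconfigured `auth` section is caught before deployment: `auth.enabled` defaults to false and then skips every check, the provider must be `embedded` or `opa`, and external OPA needs `policy_decision_point_base_url`. Two rules are this check's own assumptions rather than something the page states: `policy_data_refresh_interval` and `bundle_cache_seconds` must be positive integers, and a missing `admin_email` is worth a warning. The sample configurations are constructed dicts shaped like the YAML on this page (the external-OPA one has an `admin_email` added).

```python
"""Preflight check for the platform config `auth` section (added example)."""
from typing import Any, Dict, List
from urllib.parse import urlsplit

VALID_PROVIDERS = ("embedded", "opa")


def auth_section(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Return the auth mapping from either a platform config (top-level `auth`)
    or a Helm values file (`platformConfig.auth`); {} when absent."""
    if "platformConfig" in doc:
        doc = doc["platformConfig"] or {}
    return doc.get("auth") or {}


def check_auth_config(doc: Dict[str, Any], production: bool = True) -> List[str]:
    """Return findings ("ERROR: ..." / "WARN: ..."); an empty list means the section
    is consistent. `production=True` turns a disabled PDP into an error."""
    auth = auth_section(doc)
    findings: List[str] = []

    # Default is false, and false means every API request passes unchecked.
    if not auth.get("enabled", False):
        level = "ERROR" if production else "WARN"
        findings.append(f"{level}: auth.enabled is false; all API requests are allowed without checks")
        return findings  # nothing else matters until the PDP is on

    provider = auth.get("policy_decision_point_provider", "embedded")
    if provider not in VALID_PROVIDERS:
        findings.append(f"ERROR: unknown policy_decision_point_provider {provider!r} "
                        f"(expected one of {VALID_PROVIDERS})")

    base_url = auth.get("policy_decision_point_base_url")
    if provider == "opa" and not base_url:
        findings.append("ERROR: policy_decision_point_provider is opa but "
                        "policy_decision_point_base_url is unset")
    if base_url:
        parts = urlsplit(str(base_url))
        if parts.scheme not in ("http", "https") or not parts.netloc:
            findings.append(f"ERROR: policy_decision_point_base_url {base_url!r} is not an http(s) URL")

    # Assumption of this check: intervals and TTLs must be positive integers.
    for key in ("policy_data_refresh_interval", "bundle_cache_seconds"):
        value = auth.get(key)
        if value is not None and (isinstance(value, bool) or not isinstance(value, int) or value <= 0):
            findings.append(f"ERROR: {key} must be a positive integer, got {value!r}")

    # Assumption of this check: without admin_email nobody holds PlatformAdmin at start.
    if not auth.get("admin_email"):
        findings.append("WARN: admin_email is unset; no identity receives PlatformAdmin at platform start")

    return findings


# Constructed sample configs shaped like the YAML examples on this page
# (dicts as a YAML loader would return them).
DEV_DISABLED = {"auth": {"enabled": False}}
PROD_OPA = {"auth": {"enabled": True,
                     "policy_decision_point_base_url": "http://opa:8181",
                     "policy_decision_point_provider": "opa",
                     "bundle_cache_seconds": 5,
                     "admin_email": "platform-admin@company.com"}}
HELM_OPA_NO_URL = {"platformConfig": {"auth": {"enabled": True,
                                               "policy_decision_point_provider": "opa",
                                               "admin_email": "platform-admin@company.com"}}}

if __name__ == "__main__":
    for name, doc in (("dev", DEV_DISABLED), ("prod-opa", PROD_OPA), ("helm-opa-no-url", HELM_OPA_NO_URL)):
        print(name, check_auth_config(doc, production=(name != "dev")) or ["ok"])
```

Run it against the real platform config or Helm values (after loading the YAML into a dict) as a CI gate; the `production` flag lets the same check pass a quickstart config with only a warning.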

Environment Variables

Configuration can be overridden with environment variables using the NMP_AUTH_ prefix. Names are derived from the config keys in UPPER_SNAKE_CASE.

Examples:

export NMP_AUTH_ENABLED=true
export NMP_AUTH_POLICY_DECISION_POINT_BASE_URL=http://auth:8000
export NMP_AUTH_POLICY_DECISION_POINT_PROVIDER=embedded
export NMP_AUTH_ADMIN_EMAIL=admin@example.com

Nested keys (e.g., OIDC) use double underscore: NMP_AUTH_OIDC__ISSUER, NMP_AUTH_OIDC__CLIENT_ID.
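To make the naming rule concrete, here is an override loader written for this page as an example (it is not the platform's own configuration code). It implements exactly the mapping described above: strip the `NMP_AUTH_` prefix, lower-case the UPPER_SNAKE_CASE key, and treat `__` as a nesting separator. Its type handling is an assumption of the example: `true`/`false` become booleans and all-digit values become integers so they match the YAML types. The file-based section and the environment are constructed samples.

```python
"""Apply NMP_AUTH_* environment overrides onto a parsed `auth` section (added example)."""
import copy
from typing import Any, Dict, List, Mapping, Optional

PREFIX = "NMP_AUTH_"


def env_to_key_path(name: str) -> Optional[List[str]]:
    """NMP_AUTH_OIDC__CLIENT_ID -> ["oidc", "client_id"]; None if not an auth override."""
    if not name.startswith(PREFIX) or len(name) == len(PREFIX):
        return None
    parts = name[len(PREFIX):].split("__")
    if any(not part for part in parts):  # rejects "NMP_AUTH_OIDC__" and "NMP_AUTH___X"
        return None
    return [part.lower() for part in parts]


def coerce(value: str) -> Any:
    """Assumed type mapping: booleans and integers, everything else stays a string."""
    if value.lower() in ("true", "false"):
        return value.lower() == "true"
    if value.isdigit():
        return int(value)
    return value


def apply_env_overrides(auth: Dict[str, Any], environ: Mapping[str, str]) -> Dict[str, Any]:
    """Return a copy of `auth` with every NMP_AUTH_* variable written in at its key path.
    A non-mapping value on the path is replaced by a mapping so nested overrides always land."""
    merged = copy.deepcopy(auth)
    for name in sorted(environ):  # deterministic order when variables overlap
        path = env_to_key_path(name)
        if path is None:
            continue
        node = merged
        for key in path[:-1]:
            if not isinstance(node.get(key), dict):
                node[key] = {}
            node = node[key]
        node[path[-1]] = coerce(environ[name])
    return merged


# Constructed sample: an auth section from the config file plus an environment
# that overrides parts of it (pass os.environ instead in real use).
FILE_AUTH = {"enabled": False,
             "policy_decision_point_provider": "embedded",
             "oidc": {"enabled": True, "issuer": "https://old-issuer.example/v2.0"}}
SAMPLE_ENV = {
    "NMP_AUTH_ENABLED": "true",
    "NMP_AUTH_POLICY_DECISION_POINT_BASE_URL": "http://auth:8000",
    "NMP_AUTH_BUNDLE_CACHE_SECONDS": "5",
    "NMP_AUTH_OIDC__ISSUER": "https://login.microsoftonline.com/<tenant>/v2.0",
    "NMP_AUTH_OIDC__CLIENT_ID": "<client-id>",
    "HOME": "/root",              # unrelated variable, must be ignored
    "NMP_AUTHENTICATION": "x",    # lacks the trailing underscore of the prefix, ignored
}

if __name__ == "__main__":
    print(apply_env_overrides(FILE_AUTH, SAMPLE_ENV))
```

Note that single underscores inside a key (`POLICY_DECISION_POINT_BASE_URL`) are kept as part of the key name; only the double underscore descends into a nested mapping such as `oidc`.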

Example Configurations

Quickstart / development (auth disabled)

auth:
  enabled: false

Quickstart / development (auth enabled)

auth:
  enabled: true
  policy_decision_point_provider: embedded
  policy_decision_point_base_url: "http://localhost:8080"
  admin_email: "admin@example.com"

Production with embedded PDP

auth:
  enabled: true
  policy_decision_point_base_url: "http://auth:8000"
  policy_decision_point_provider: embedded
  policy_data_refresh_interval: 30
  admin_email: "platform-admin@company.com"
  oidc:
    enabled: true
    issuer: "https://login.microsoftonline.com/<tenant>/v2.0"
    client_id: "<client-id>"

Production with external OPA

auth:
  enabled: true
  policy_decision_point_base_url: "http://opa:8181"
  policy_decision_point_provider: opa
  bundle_cache_seconds: 5