The SQL Authorizer can be deployed via Helm chart or as a Docker container, providing flexibility for both Kubernetes-based and standalone environments. Each method supports the same core functionality and allows you to configure connectivity to SQL databases or BigQuery
This guide provides instructions for deploying the SQL Authorizer using Helm and Docker, including configuration details, examples for different deployment modes, and support for both SQL-based databases and Google BigQuery (GBQ). Choose the deployment approach that best aligns with your infrastructure and scalability needs:
Deploying the SQL Authorizer via Helm Chart
The Helm chart allows for streamlined deployment of the SQL Authorizer into your Kubernetes environment. It supports configuration for PostgreSQL, SQL Server, and GBQ, with optional caching and database connectivity for enhanced functionality such as SELECT *
resolution and masking based on column types.
To download the Helm Chart
- Open the PlainID Platform.
- Open your Tenant or Environment Settings.
- Tenant Settings: Cick on the Settings icon next to your Tenant Name on the top right.
- Environment Settings: Click on the three dots next to your Environment name.
- Click Policy Authorization Agents.
- Click the Download dropdown and select Helm.
- Open the Helm Chart from your Downloads folder.
values.yaml Configuration
Below is a breakdown of key configuration fields in the values.yaml
file.
Response Mapping
response:
translation:
attributes:
projectId: "projectId" # BigQuery only – attribute name for the project ID
dataset: "dataset" # BigQuery only – attribute name for the dataset
column: "column" # All DBs – attribute name for the column
table: "table" # All DBs – attribute name for the table
columns:
resource:
type: "columns" # Resource type for column-level filtering (default: "columns")
Star Resolution and Database Configuration
star:
resolution:
enabled: false # Enables/disables resolution of SELECT * into actual column names
host: "YOUR_SQL_SERVER_ADDRESS" # Required for PostgreSQL/SQL Server
user: "YOUR_SQL_SERVER_USER"
password: "YOUR_SQL_SERVER_PASSWORD"
port: "YOUR_SQL_SERVER_PORT"
default: "YOUR_SQL_SERVER_DEFAULT_DATABASE"
tls:
enabled: false # Enables/disables TLS for DB connections
credentialFiles:
- "YOUR_BIGQUERY_CREDENTIAL_FILE_0" # Required for GBQ
defaultProjectId: "YOUR_BIGQUERY_DEFAULT_PROJECT_ID"
defaultDataset: "YOUR_BIGQUERY_DEFAULT_DATASET"
Redis Caching
To improve performance and reduce latency, the PAA uses Redis-based caching for faster policy evaluation and reduced load on connected data sources.
Caching is particularly effective in high-throughput environments or when database access adds latency. By reusing previously computed results, the PAA avoids redundant processing for repeated requests.
Cache Type | Description |
---|---|
runtime |
Stores PDP (Policy Decision Point) responses to speed up repeated authorization decisions. |
tableSchema |
Stores database table schemas when DB access is enabled, reducing source load and improving query performance. |
Redis Deployment Options
Each cache type uses specific Redis key prefixes to separate cached data. You can configure Redis in one of the following ways:
-
Managed Redis (Recommended for Production)
Use an external Redis service (e.g., AWS ElastiCache, Azure Redis).
Update the Redis section invalues-custom.yaml
and point theauthz
configuration to the managed Redis endpoint. -
PAA Redis (Bundled with Helm Chart)
Use the Redis instance installed with the chart.
Ensure theauthz
service is configured to connect to the bundled Redis. -
Sidecar Redis (For Local or Custom Use)
Run Redis as a sidecar container in the same pod.
Add Redis underextraContainers
invalues.yaml
, and pointauthz
tolocalhost
.Sample Configuration
Below is a sample configuration for connecting to an external Redis instance using the externalRedis
section in your values-custom.yaml
file. For full parameter details, see the Sample values.yaml file.
externalRedis:
host: "" # Redis server hostname or IP
port: 6379 # Redis port (default: 6379)
username: "" # Optional: Redis ACL user
password: "" # Redis password (ignored if using existingSecret)
existingSecret: "" # Optional: Name of secret containing Redis credentials
existingSecretKeyName: "redis-password" # Key inside the secret with password
tls: false # Enable if using TLS to connect to Redis
If using an existing Kubernetes secret for Redis credentials,
externalRedis.password
is ignored.
Deployment Examples
With DB Connectivity and Caching (Recommended for Production)
This example enables star resolution, Redis caching, and BigQuery access:
config:
database:
driver: "bigquery"
star:
resolution:
enabled: true
credentialFiles:
- /app/plainid-presales-142815.json
defaultProjectId: 'plainid-142815'
defaultDataset: 'bq2'
redis:
enabled: true
host: "127.0.0.1"
port: "6379"
password: ""
db: "0"
caching:
runtime:
type: "redis"
prefix: "sql-authz:v1:pdp"
ttl: "5m"
tableSchema:
type: "redis"
prefix: "sql-authz:v1:tableSchema"
ttl: "3h"
Without DB Connectivity and Caching (Basic Setup)
This minimal setup disables star resolution and caching but allows BigQuery access:
config:
database:
driver: "bigquery"
star:
resolution:
enabled: false
credentialFiles:
- /app/plainid-presales-142815.json
defaultProjectId: 'plainid-142815'
defaultDataset: 'bq2'
tls:
enabled: false
redis:
enabled: false
BigQuery Credential Example
To access BigQuery securely, the SQL Authorizer requires a service account credential file provided by Google Cloud IAM. This file contains the necessary authentication details that allow the Authorizer to act on behalf of a service account when querying BigQuery.
The file must be in standard Google Cloud service account JSON format, and it is referenced in the configuration (e.g., in values.yaml
, environment variables, or Docker volume mounts) using the credentialFiles
setting.
The Authorizer uses these credentials to authenticate API requests to BigQuery and perform operations such as column inspection, star expansion (
SELECT *
), and type resolution—only if DB connectivity is enabled.
Valid BigQuery credential file example:
{
"type": "service_account",
"project_id": "your-project-id",
"private_key_id": "your-private-key-id",
"private_key": "-----BEGIN PRIVATE KEY-----\nYOUR-DUMMY-PRIVATE-KEY\n-----END PRIVATE KEY-----\n",
"client_email": "service-account@your-project-id.iam.gserviceaccount.com",
"client_id": "123456789012345678901",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/service-account%40your-project-id.iam.gserviceaccount.com"
}
⚠️ Important: Ensure this credential file is securely stored and correctly referenced in your deployment configuration. Avoid committing it to version control systems.
Helm Commands
To install or upgrade the Authorizer using Helm:
# Add the Helm repo (if applicable)
helm repo add plainid https://your-helm-repo-url/
# Install the Authorizer
helm install sql-authorizer plainid/sql-authorizer -f values.yaml
# Or upgrade an existing release
helm upgrade sql-authorizer plainid/sql-authorizer -f values.yaml
Deploying the SQL Authorizer via Docker
The SQL Authorizer can be deployed as a lightweight, standalone Docker container. This method is ideal for environments that do not use Kubernetes or for local testing and development. Configuration is managed through environment variables, allowing easy integration with various SQL databases and Google BigQuery. The container connects to the PlainID Runtime service to enforce fine-grained access control on SQL queries.
Make sure to obtain the necessary credentials from the PlainID team. These are required to pull the Docker image and configure access to your Policy Runtime service and data sources.
Running the the Authorizer Service
- Launch the service within a Docker container.
- Define the PDP (Policy Decision Point) Runtime endpoint. This determines which Runtime service the Authorizer connects to for enforcement.
Environment Variables for the Docker Container
Variable | Description | MSSQL Default | PostgreSQL Default | Default |
---|---|---|---|---|
RUNTIME_URL |
Runtime service URL | |||
HTTP_PORT |
Port the service listens on | 8080 | 8080 | |
DB_USER |
Database user | sa | postgres | |
DB_PWD |
Database password | |||
DB_HOST |
Database host | |||
DB_PORT |
Database port | 1433 | 5432 | |
DB_DEFAULT |
Default database name | |||
DB_DRIVER |
Supported values: sqlserver , postgres , bigquery |
sqlserver | postgres | |
DB_ENABLED |
Enables DB connectivity for star expansion and masking | true | ||
COLUMN_ATTR |
Attribute name for the column (as received from PDP) | column | column | |
TABLE_ATTR |
Attribute name for the table (as received from PDP) | table | table | |
COLUMNS_RESOURCE_TYPE |
Resource type name for column access (as modeled in Policies) | columns | ||
MASKING_ALPHANUMERIC |
Value used for masked alphanumeric (character) fields | **** | **** | |
MASKING_NUMERIC |
Value used for masked numeric fields | 0 | 0 | |
MASKING_DATE |
Value used for masked date fields | 00/00/0000 | 00/00/0000 | |
MASKING_NULL |
Value used when data is masked and type is unknown | NULL | NULL | |
MASKING_SUPPORTED_FUNCTIONS |
Comma-separated list of allowed masking function names | |||
MASKING_CONDITIONAL_ACTIONS |
Comma-separated list of conditional masking action types | |||
MASKING_DEFAULT_MASK_AS_STRING |
If true , use string mask instead of NULL for unknown types |
false | false | false |
MASKING_DEFAULT_STRING_MASKING |
Default string mask value used when MASKING_DEFAULT_MASK_AS_STRING is enabled |
xxxx | xxxx | xxxx |
JWT_PASSTHROUGH_MAPPED_HEADER |
JWT header name to pass through to the Runtime | Authorization |
Example Docker Command
docker run -d -t -i \
-e RUNTIME_URL=http://policy-runtime.plainid-pdp/api/runtime/resolution/v3 \
-e HTTP_PORT=8080 \
-e DB_USER=sa \
-e DB_PWD=XXXXX \
-e DB_HOST=YOUR_MSSQL_SERVER \
-e DB_PORT=1433 \
-e DB_DEFAULT=testdb \
-e DB_ENABLED=true \
-e DB_DRIVER=sqlserver \
-e LOGGING_ROOT_LEVEL=trace \
-p 8080:8080 \
--name consolidated-sql-authorizer \
registry.plainid.io/sql-authorizer:latest