opentdf · jakedoublev · Sep 11, 2025 · Sep 11, 2025 · Sep 11, 2025 · Sep 12, 2025
@@ -51,10 +51,11 @@ services:
   #   enabled: true
   #   list_request_limit_default: 1000
   #   list_request_limit_max: 2500
-  # authorization:
-  #   entitlement_policy_cache:
-  #     enabled: false
-  #     refresh_interval: 30s
+  authorization:
+    plugin_pdps:
+      - name: 'granular-plugin-pdp'
+        resource_fqn_prefixes:
+          - 'https://reg_res/granular'
 server:
   public_hostname: localhost
   tls:

@@ -13,8 +13,10 @@
 	authzV2 "github.com/opentdf/platform/protocol/go/authorization/v2"
 	authzV2Connect "github.com/opentdf/platform/protocol/go/authorization/v2/authorizationv2connect"
 	otdf "github.com/opentdf/platform/sdk"
-	"github.com/opentdf/platform/service/internal/access/v2"
 	"github.com/opentdf/platform/service/logger"
+	"github.com/opentdf/platform/service/pkg/access"
+	"github.com/opentdf/platform/service/pkg/access/plugin"
+	policyStore "github.com/opentdf/platform/service/pkg/access/store"
 	"github.com/opentdf/platform/service/pkg/cache"
 	"github.com/opentdf/platform/service/pkg/serviceregistry"
 	"go.opentelemetry.io/otel"
@@ -29,6 +31,9 @@
 	logger *logger.Logger
 	trace.Tracer
 	cache *EntitlementPolicyCache
+	// Config drives names and attribute prefixes of the enabled plugin PDPs.
+	// Any pluginPDPs available but not specified within config are disabled.
+	configuredPluginPDPs []plugin.PolicyDecisionPointConfig
 }
 
 func NewRegistration() *serviceregistry.Service[authzV2Connect.AuthorizationServiceHandler] {
@@ -73,6 +78,24 @@
 				}
 				l.Debug("authorization service config", slog.Any("config", authZCfg.LogValue()))
 
+				// If supportedregistered plugin PDPs have a name matching auth service config,
+				// mount the interface along with its config to the auth service struct.
+				for _, pluginPDP := range srp.RegisteredPluginPDPs {
+					for _, configuredPDP := range authZCfg.PluginPDPs {
+						l.Debug("plugin name", slog.String("name", pluginPDP.Name()), slog.String("configured name", configuredPDP.Name))
+						if configuredPDP.Name == pluginPDP.Name() {
+							l.Debug("registering plugin PDP",
+								slog.String("name", pluginPDP.Name()),
+							)
+							as.configuredPluginPDPs = append(as.configuredPluginPDPs, plugin.PolicyDecisionPointConfig{
+								PolicyDecisionPointI: pluginPDP,
+								AttributePrefixes:    configuredPDP.AttributePrefixes,
+								Name:                 configuredPDP.Name,
+							})
+						}
+					}
+				}
+
 				if !authZCfg.Cache.Enabled {
 					l.Debug("entitlement policy cache is disabled")
 					return as, nil
@@ -90,7 +113,7 @@
 					panic(fmt.Errorf("failed to parse entitlement policy cache refresh interval [%s]: %w", authZCfg.Cache.RefreshInterval, err))
 				}
 
-				retriever := access.NewEntitlementPolicyRetriever(as.sdk)
+				retriever := policyStore.NewEntitlementPolicyRetriever(as.sdk)
 				as.cache, err = NewEntitlementPolicyCache(context.Background(), l, retriever, cacheClient, refreshInterval)
 				if err != nil {
 					l.Error("failed to create entitlement policy cache", slog.Any("error", err))
@@ -136,7 +159,7 @@
 	withComprehensiveHierarchy := req.Msg.GetWithComprehensiveHierarchy()
 
 	// When authorization service can consume cached policy, switch to the other PDP (process based on policy passed in)
-	pdp, err := access.NewJustInTimePDP(ctx, as.logger, as.sdk, as.cache)
+	pdp, err := access.NewJustInTimeAuthorizer(ctx, as.logger, as.sdk, as.cache, nil)
 	if err != nil {
 		as.logger.ErrorContext(ctx, "failed to create JIT PDP", slog.Any("error", err))
 		return nil, connect.NewError(connect.CodeInternal, err)
@@ -166,7 +189,7 @@
 	propagator := otel.GetTextMapPropagator()
 	ctx = propagator.Extract(ctx, propagation.HeaderCarrier(req.Header()))
 
-	pdp, err := access.NewJustInTimePDP(ctx, as.logger, as.sdk, as.cache)
+	pdp, err := access.NewJustInTimeAuthorizer(ctx, as.logger, as.sdk, as.cache, as.configuredPluginPDPs)
 	if err != nil {
 		as.logger.ErrorContext(ctx, "failed to create JIT PDP", slog.Any("error", err))
 		return nil, connect.NewError(connect.CodeInternal, err)
@@ -204,7 +227,7 @@
 	propagator := otel.GetTextMapPropagator()
 	ctx = propagator.Extract(ctx, propagation.HeaderCarrier(req.Header()))
 
-	pdp, err := access.NewJustInTimePDP(ctx, as.logger, as.sdk, as.cache)
+	pdp, err := access.NewJustInTimeAuthorizer(ctx, as.logger, as.sdk, as.cache, as.configuredPluginPDPs)
 	if err != nil {
 		return nil, statusifyError(ctx, as.logger, errors.Join(errors.New("failed to create JIT PDP"), err))
 	}
@@ -244,7 +267,7 @@
 	propagator := otel.GetTextMapPropagator()
 	ctx = propagator.Extract(ctx, propagation.HeaderCarrier(req.Header()))
 
-	pdp, err := access.NewJustInTimePDP(ctx, as.logger, as.sdk, as.cache)
+	pdp, err := access.NewJustInTimeAuthorizer(ctx, as.logger, as.sdk, as.cache, as.configuredPluginPDPs)
 	if err != nil {
 		return nil, statusifyError(ctx, as.logger, errors.Join(errors.New("failed to create JIT PDP"), err))
 	}

@@ -10,7 +10,7 @@ import (
 	authzV2 "github.com/opentdf/platform/protocol/go/authorization/v2"
 	"github.com/opentdf/platform/protocol/go/entity"
 	"github.com/opentdf/platform/protocol/go/policy"
-	access "github.com/opentdf/platform/service/internal/access/v2"
+	access "github.com/opentdf/platform/service/pkg/access"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/proto"

@@ -8,8 +8,8 @@ import (
 	"time"
 
 	"github.com/opentdf/platform/protocol/go/policy"
-	"github.com/opentdf/platform/service/internal/access/v2"
 	"github.com/opentdf/platform/service/logger"
+	policyStore "github.com/opentdf/platform/service/pkg/access/store"
 	"github.com/opentdf/platform/service/pkg/cache"
 )
 
@@ -45,7 +45,7 @@ type EntitlementPolicyCache struct {
 	cacheClient *cache.Cache
 
 	// SDK-connected retriever to fetch fresh data from policy services
-	retriever *access.EntitlementPolicyRetriever
+	retriever *policyStore.EntitlementPolicyRetriever
 
 	// Refresh state
 	configuredRefreshInterval time.Duration
@@ -69,7 +69,7 @@ type EntitlementPolicy struct {
 func NewEntitlementPolicyCache(
 	ctx context.Context,
 	l *logger.Logger,
-	retriever *access.EntitlementPolicyRetriever,
+	retriever *policyStore.EntitlementPolicyRetriever,
 	cacheClient *cache.Cache,
 	cacheRefreshInterval time.Duration,
 ) (*EntitlementPolicyCache, error) {

@@ -4,6 +4,8 @@ import (
 	"fmt"
 	"log/slog"
 	"time"
+
+	"github.com/opentdf/platform/service/pkg/access/plugin"
 )
 
 // Manage config for EntitlementPolicyCache: attributes, subject mappings, and registered resources
@@ -14,7 +16,8 @@ type EntitlementPolicyCacheConfig struct {
 }
 
 type Config struct {
-	Cache EntitlementPolicyCacheConfig `mapstructure:"entitlement_policy_cache" json:"entitlement_policy_cache"`
+	Cache      EntitlementPolicyCacheConfig       `mapstructure:"entitlement_policy_cache" json:"entitlement_policy_cache"`
+	PluginPDPs []plugin.PolicyDecisionPointConfig `mapstructure:"plugin_pdps" json:"plugin_pdps"`
 }
 
 // Validate tests for a sensible configuration
@@ -51,5 +54,6 @@ func (c *Config) LogValue() slog.Value {
 				slog.String("refresh_interval", c.Cache.RefreshInterval),
 			),
 		),
+		slog.Any("plugin_pdps", c.PluginPDPs),
 	)
 }
@@ -7,8 +7,8 @@ import (
 
 	"connectrpc.com/connect"
 	authzV2 "github.com/opentdf/platform/protocol/go/authorization/v2"
-	"github.com/opentdf/platform/service/internal/access/v2"
 	"github.com/opentdf/platform/service/logger"
+	"github.com/opentdf/platform/service/pkg/access"
 )
 
 // rollupMultiResourceDecisions creates a standardized response for multi-resource decisions

@@ -5,7 +5,7 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/opentdf/platform/service/internal/subjectmappingbuiltin"
+	subjectmappingresolution "github.com/opentdf/platform/service/pkg/access/subject-mapping-resolution"
 )
 
 type DecisionResult int
@@ -47,7 +47,7 @@ type GetDecisionV2EventParams struct {
 	EntityID     string
 	ActionName   string
 	Decision     DecisionResult
-	Entitlements subjectmappingbuiltin.AttributeValueFQNsToActions
+	Entitlements subjectmappingresolution.AttributeValueFQNsToActions
 	// Allow ResourceDecisions to be typed by the caller as structure is in-flight
 	ResourceDecisions interface{}
 }
@@ -99,7 +99,7 @@ func CreateV2GetDecisionEvent(ctx context.Context, params GetDecisionV2EventPara
 
 	actorAttributes := []interface{}{
 		struct {
-			Entitlements subjectmappingbuiltin.AttributeValueFQNsToActions `json:"entitlements"`
+			Entitlements subjectmappingresolution.AttributeValueFQNsToActions `json:"entitlements"`
 		}{
 			Entitlements: params.Entitlements,
 		},

@@ -11,8 +11,8 @@ import (
 	authz "github.com/opentdf/platform/protocol/go/authorization/v2"
 	"github.com/opentdf/platform/protocol/go/policy"
 	attrs "github.com/opentdf/platform/protocol/go/policy/attributes"
-	"github.com/opentdf/platform/service/internal/subjectmappingbuiltin"
 	"github.com/opentdf/platform/service/logger"
+	subjectmappingresolution "github.com/opentdf/platform/service/pkg/access/subject-mapping-resolution"
 )
 
 var (
@@ -31,7 +31,7 @@ func getResourceDecision(
 	l *logger.Logger,
 	accessibleAttributeValues map[string]*attrs.GetAttributeValuesByFqnsResponse_AttributeAndValue,
 	accessibleRegisteredResourceValues map[string]*policy.RegisteredResourceValue,
-	entitlements subjectmappingbuiltin.AttributeValueFQNsToActions,
+	entitlements subjectmappingresolution.AttributeValueFQNsToActions,
 	action *policy.Action,
 	resource *authz.Resource,
 ) (*ResourceDecision, error) {
@@ -111,7 +111,7 @@ func evaluateResourceAttributeValues(
 	resourceID string,
 	resourceName string,
 	action *policy.Action,
-	entitlements subjectmappingbuiltin.AttributeValueFQNsToActions,
+	entitlements subjectmappingresolution.AttributeValueFQNsToActions,
 	accessibleAttributeValues map[string]*attrs.GetAttributeValuesByFqnsResponse_AttributeAndValue,
 ) (*ResourceDecision, error) {
 	// Group value FQNs by parent definition
@@ -164,7 +164,7 @@ func evaluateResourceAttributeValues(
 func evaluateDefinition(
 	ctx context.Context,
 	l *logger.Logger,
-	entitlements subjectmappingbuiltin.AttributeValueFQNsToActions,
+	entitlements subjectmappingresolution.AttributeValueFQNsToActions,
 	action *policy.Action,
 	resourceValueFQNs []string,
 	attrDefinition *policy.Attribute,
@@ -220,7 +220,7 @@ func evaluateDefinition(
 func allOfRule(
 	_ context.Context,
 	_ *logger.Logger,
-	entitlements subjectmappingbuiltin.AttributeValueFQNsToActions,
+	entitlements subjectmappingresolution.AttributeValueFQNsToActions,
 	action *policy.Action,
 	resourceValueFQNs []string,
 ) []EntitlementFailure {
@@ -260,7 +260,7 @@ func allOfRule(
 func anyOfRule(
 	_ context.Context,
 	_ *logger.Logger,
-	entitlements subjectmappingbuiltin.AttributeValueFQNsToActions,
+	entitlements subjectmappingresolution.AttributeValueFQNsToActions,
 	action *policy.Action,
 	resourceValueFQNs []string,
 ) []EntitlementFailure {
@@ -311,7 +311,7 @@ func anyOfRule(
 func hierarchyRule(
 	ctx context.Context,
 	l *logger.Logger,
-	entitlements subjectmappingbuiltin.AttributeValueFQNsToActions,
+	entitlements subjectmappingresolution.AttributeValueFQNsToActions,
 	action *policy.Action,
 	resourceValueFQNs []string,
 	attrDefinition *policy.Attribute,