nano-run/_docs/authorization.md

2020-09-10 10:11:34 +00:00

# Authorization
Authorization is disabled by default. Several policies may be enabled at once; a request is allowed when at least one enabled policy passes.
Each authorization policy is switched on with its `enable: yes` parameter.

Section in `server.yaml`: `authorization`

## JWT
*section: `authorization.jwt`*

[Overview](https://jwt.io/)

HS256 (HMAC with SHA-256) signature validation against a secret key.

Configurable parameters:
* `header` (optional, string, default: `Authorization`) - header that contains the JWT
* `secret` (required, string) - secret key used to validate the signature

Example minimal unit config:
```yaml
command: 'echo hello world'
authorization:
  jwt:
    enable: yes
    secret: '$eCrEtKey'
```

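The following Python snippet is an added example, not nano-run's own code. It shows both halves of the policy described above: a client mints a compact HS256 token with the shared `secret`, and the server side recomputes the HMAC over `header.payload`, compares it in constant time, pins the algorithm to HS256 (so a token claiming `alg: none` or another algorithm is rejected) and honours `exp` when present. The claim names, the helper names and the `exp` check are assumptions for the demo; this page does not state which claims nano-run inspects or how the token is framed inside the configured header.

```python
# Added example (not nano-run's code): minting and checking an HS256 JWT
# against the shared secret from the `authorization.jwt` config above.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = "$eCrEtKey"  # same value as the `secret` key in the unit config above


def b64url(data: bytes) -> str:
    # JWTs use unpadded, URL-safe base64 (RFC 7515, section 2)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # re-add the stripped padding before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, secret: str) -> str:
    """Client side: build base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_hs256(token: str, secret: str, now: Optional[float] = None) -> Optional[dict]:
    """Server side: return the claims if the token is valid, otherwise None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(payload_b64))
        presented = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token (binascii.Error is a ValueError)
    # Pin the algorithm: the verifier, not the token, decides how to check it.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(
        secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(presented, expected):  # constant-time comparison
        return None
    # Honour `exp` (assumed claim) so a leaked token does not stay valid forever.
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims


if __name__ == "__main__":
    token = mint_hs256({"sub": "alice", "exp": 2000000000}, SECRET)
    print(token)
    print(verify_hs256(token, SECRET))
```

The `exp` value and the `sub` claim are constructed sample data. The algorithm pin is the security-relevant line: a verifier that reads `alg` from the token and dispatches on it accepts unsigned tokens.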
## Query token
*section: `authorization.query_token`*
Plain token in a query string, matched against the list of allowed tokens.

For example, a client can invoke the endpoint by adding the token as a query parameter: `http://example.com/app/?token=deadbeaf`

Configurable parameters:
* `param` (optional, string, default: `token`) - query parameter that carries the token
* `tokens` (required, []string) - list of allowed tokens

Example minimal unit config with 3 tokens:
```yaml
command: 'echo hello world'
authorization:
  query_token:
    enable: yes
    tokens:
      - my-token-1
      - his-token-2
      - deadbeaf
```

## Header token
*section: `authorization.header_token`*
Plain token in a header, matched against the list of allowed tokens.

For example, a client can invoke the endpoint with curl:
```bash
curl -H 'X-Api-Token: deadbeaf' http://example.com/app/
```

Configurable parameters:
* `header` (optional, string, default: `X-Api-Token`) - header that carries the token
* `tokens` (required, []string) - list of allowed tokens

Example minimal unit config with 3 tokens:
```yaml
command: 'echo hello world'
authorization:
  header_token:
    enable: yes
    tokens:
      - my-token-1
      - his-token-2
      - deadbeaf
```

## Basic
*section: `authorization.basic`*
Basic authentication. [Overview](https://en.wikipedia.org/wiki/Basic_access_authentication)

For example, a client can invoke the endpoint with curl:
```bash
curl -u 'alice:admin' http://example.com/app/
```

To [calculate](https://unix.stackexchange.com/a/419855) the hash you may use `htpasswd` (Debian/Ubuntu: `sudo apt install apache2-utils`):
```bash
htpasswd -bnBC 10 "" password | tr -d ':'
```
where `password` is the desired password for the user.

Configurable parameters:
* `users` (string->string, required) - map of user names to their bcrypt-hashed passwords

Example minimal config:
```yaml
command: 'echo hello world'
authorization:
  basic:
    enable: yes
    users:
      alice: '$2y$10$cUe3n8NHaxee.AaGzT8wF.nirPnjv5YLEQGTsLiiMiUAknM2aF2FS'
      bob: '$2y$10$iSczi.MlKTrMv3h0Zf.GDeW1NS6ZWxBgtj4ytrKKDrR2s2wIxq5Qa'
```
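The Python model below is an added example, not the project's code. It shows how the three plain-credential policies on this page (query token, header token, Basic) combine with the rule from the top of the document that a request is allowed when at least one enabled policy passes. `CONFIG` is the parsed form of the three YAML examples merged into one unit, using the document's sample tokens and hashes; `authorize` evaluates every enabled policy, token comparison is constant-time, and Basic credentials are checked against the bcrypt hashes with the third-party `bcrypt` package (assumed installed; it is imported only when a known user presents credentials). The function names, the case-insensitive header lookup and the "no enabled policy means disabled" interpretation are assumptions for the demo, not documented nano-run behaviour.

```python
# Added example (not nano-run's code): evaluating the `authorization` section
# for one request. A request passes when any enabled policy accepts it.
import base64
import binascii
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed: parsed equivalent of the query_token, header_token and basic
# examples from this document, combined into a single unit config.
CONFIG = {
    "authorization": {
        "query_token": {"enable": True, "param": "token",
                        "tokens": ["my-token-1", "his-token-2", "deadbeaf"]},
        "header_token": {"enable": True, "header": "X-Api-Token",
                         "tokens": ["my-token-1", "his-token-2", "deadbeaf"]},
        "basic": {"enable": True, "users": {
            "alice": "$2y$10$cUe3n8NHaxee.AaGzT8wF.nirPnjv5YLEQGTsLiiMiUAknM2aF2FS",
            "bob": "$2y$10$iSczi.MlKTrMv3h0Zf.GDeW1NS6ZWxBgtj4ytrKKDrR2s2wIxq5Qa",
        }},
    }
}


def token_allowed(presented: Optional[str], allowed: List[str]) -> bool:
    """Constant-time membership test; every candidate is compared, no early exit."""
    if presented is None:
        return False
    matched = False
    for candidate in allowed:
        if hmac.compare_digest(presented.encode(), candidate.encode()):
            matched = True
    return matched


def basic_header(user: str, password: str) -> str:
    """What `curl -u user:password` sends: `Basic base64(user:password)`."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode("ascii")


def parse_basic(header_value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode a Basic Authorization header; None if absent or malformed."""
    if not header_value or not header_value.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header_value[len("Basic "):], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def basic_allowed(header_value: Optional[str], users: Dict[str, str]) -> bool:
    creds = parse_basic(header_value)
    if creds is None:
        return False
    user, password = creds
    hashed = users.get(user)
    if hashed is None:
        return False  # unknown user: rejected before any bcrypt work
    import bcrypt  # third-party package, assumed installed (pip install bcrypt)
    return bcrypt.checkpw(password.encode(), hashed.encode())


def authorize(config: dict, headers: Dict[str, str], query: Dict[str, str]) -> bool:
    """True if any enabled policy accepts the request."""
    policies = config.get("authorization") or {}
    hdr = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    results = []
    qt = policies.get("query_token", {})
    if qt.get("enable"):
        results.append(token_allowed(query.get(qt.get("param", "token")), qt["tokens"]))
    ht = policies.get("header_token", {})
    if ht.get("enable"):
        name = ht.get("header", "X-Api-Token").lower()
        results.append(token_allowed(hdr.get(name), ht["tokens"]))
    ba = policies.get("basic", {})
    if ba.get("enable"):
        results.append(basic_allowed(hdr.get("authorization"), ba["users"]))
    # No policy enabled at all: authorization is disabled (document default).
    return True if not results else any(results)


if __name__ == "__main__":
    print(authorize(CONFIG, {}, {"token": "deadbeaf"}))           # True
    print(authorize(CONFIG, {"X-Api-Token": "nope"}, {}))          # False
    print(authorize(CONFIG, {"Authorization": basic_header("alice", "admin")}, {}))
```

Token values are case-sensitive and compared in full, so a token that is a prefix of an allowed one does not match; the bcrypt comparison for Basic is left to the library, which already runs in time independent of the password.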