ralsina
/
nano-run
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
nano-run/_docs/authorization.md

2.7 KiB
Raw Permalink Blame History

Authorization

By-default - authorization disabled. Multiple policies allowed. To allow request at least one policy should be passed. Each authorization policy can enabled by enable: yes param.

Section in server.yaml: authorization

JWT

section: authorization.jwt

Overview

HMAC 256 signature validation against secret key

Configurable parameters:

  • header (optional, string, default: Authorization) - header that contains JWT
  • secret (required, string) - secret key to validate signature

Example minimal unit config

command: 'echo hello world'
authorization:
    jwt:
      enable: yes
      secret: '$eCrEtKey'

Query token

section: authorization.query_token

Plain token in a query string. Will be matched against list of allowed tokens.

For example, client can invoke endpoint by addition token query: http://example.com/app/?token=deadbeaf

Configurable parameters:

  • param (optional, string, default: token) - query param where token should be placed
  • tokens (required, []string) - list of allowed tokens

Example minimal unit config with 3 tokens

command: 'echo hello world'
authorization:
    query_token:
      enable: yes
      tokens:
        - my-token-1
        - his-token-2
        - deadbeaf

Header token

section: authorization.header_token

Plain token in a header. Will be matched against list of allowed tokens.

For example, client can invoke endpoint by curl:

curl -H 'X-Api-Token: deadbeaf' http://example.com/app/

Configurable parameters:

  • header (optional, string, default: X-Api-Token) - header name where token should be placed
  • tokens (required, []string) - list of allowed tokens

Example minimal unit config with 3 tokens

command: 'echo hello world'
authorization:
    header_token:
      enable: yes
      tokens:
        - my-token-1
        - his-token-2
        - deadbeaf

Basic

section: authorization.basic

Basic authentication. Overview

For example, client can invoke endpoint by curl:

curl -u 'alice:admin' http://example.com/app/

To calculate hash you may use htpasswd (Debian/Ubuntu: sudo apt install apache2-utils)

htpasswd -bnBC 10 "" password | tr -d ':'

where passsword is a desired password for the user.

Configurable parameters:

  • users (string->string, required) - map of users and their hashed password by bcrypt

Example minimal config:

command: 'echo hello world'
authorization:
    basic:
      enable: yes
      users:
        alice: '$2y$10$cUe3n8NHaxee.AaGzT8wF.nirPnjv5YLEQGTsLiiMiUAknM2aF2FS'
        bob: '$2y$10$iSczi.MlKTrMv3h0Zf.GDeW1NS6ZWxBgtj4ytrKKDrR2s2wIxq5Qa'