117 lines
2.7 KiB
Markdown
117 lines
2.7 KiB
Markdown
# Authorization
|
|
|
|
By-default - authorization disabled. Multiple policies allowed.
|
|
To allow request at least one policy should be passed.
|
|
Each authorization policy can enabled by `enable: yes` param.
|
|
|
|
Section in `server.yaml`: `authorization`
|
|
|
|
## JWT
|
|
|
|
*section: `authorization.jwt`*
|
|
|
|
[Overview](https://jwt.io/)
|
|
|
|
HMAC 256 signature validation against secret key
|
|
|
|
Configurable parameters:
|
|
|
|
* `header` (optional, string, default: `Authorization`) - header that contains JWT
|
|
* `secret` (required, string) - secret key to validate signature
|
|
|
|
Example minimal unit config
|
|
|
|
```yaml
|
|
command: 'echo hello world'
|
|
authorization:
|
|
jwt:
|
|
enable: yes
|
|
secret: '$eCrEtKey'
|
|
```
|
|
|
|
## Query token
|
|
|
|
*section: `authorization.query_token`*
|
|
|
|
Plain token in a query string. Will be matched against list of allowed tokens.
|
|
|
|
For example, client can invoke endpoint by addition token query: `http://example.com/app/?token=deadbeaf`
|
|
|
|
Configurable parameters:
|
|
|
|
* `param` (optional, string, default: `token`) - query param where token should be placed
|
|
* `tokens` (required, []string) - list of allowed tokens
|
|
|
|
Example minimal unit config with 3 tokens
|
|
|
|
```yaml
|
|
command: 'echo hello world'
|
|
authorization:
|
|
query_token:
|
|
enable: yes
|
|
tokens:
|
|
- my-token-1
|
|
- his-token-2
|
|
- deadbeaf
|
|
```
|
|
|
|
## Header token
|
|
|
|
*section: `authorization.header_token`*
|
|
|
|
Plain token in a header. Will be matched against list of allowed tokens.
|
|
|
|
For example, client can invoke endpoint by curl:
|
|
|
|
curl -H 'X-Api-Token: deadbeaf' http://example.com/app/
|
|
|
|
Configurable parameters:
|
|
|
|
* `header` (optional, string, default: `X-Api-Token`) - header name where token should be placed
|
|
* `tokens` (required, []string) - list of allowed tokens
|
|
|
|
Example minimal unit config with 3 tokens
|
|
|
|
```yaml
|
|
command: 'echo hello world'
|
|
authorization:
|
|
header_token:
|
|
enable: yes
|
|
tokens:
|
|
- my-token-1
|
|
- his-token-2
|
|
- deadbeaf
|
|
```
|
|
|
|
## Basic
|
|
|
|
*section: `authorization.basic`*
|
|
|
|
Basic authentication. [Overview](https://en.wikipedia.org/wiki/Basic_access_authentication)
|
|
|
|
For example, client can invoke endpoint by curl:
|
|
|
|
curl -u 'alice:admin' http://example.com/app/
|
|
|
|
To [calculate](https://unix.stackexchange.com/a/419855) hash you may use `htpasswd` (Debian/Ubuntu: `sudo apt install apache2-utils`)
|
|
|
|
htpasswd -bnBC 10 "" password | tr -d ':'
|
|
|
|
where `passsword` is a desired password for the user.
|
|
|
|
Configurable parameters:
|
|
|
|
* `users` (string->string, required) - map of users and their hashed password by bcrypt
|
|
|
|
Example minimal config:
|
|
|
|
```yaml
|
|
command: 'echo hello world'
|
|
authorization:
|
|
basic:
|
|
enable: yes
|
|
users:
|
|
alice: '$2y$10$cUe3n8NHaxee.AaGzT8wF.nirPnjv5YLEQGTsLiiMiUAknM2aF2FS'
|
|
bob: '$2y$10$iSczi.MlKTrMv3h0Zf.GDeW1NS6ZWxBgtj4ytrKKDrR2s2wIxq5Qa'
|
|
```
|