Skip to content

Generate tokens to authorize and authenticate accounts with OpenStorage SDK

License

Notifications You must be signed in to change notification settings

libopenstorage/openstorage-sdk-auth

Repository files navigation

Build Status

OpenStorage SDK Auth

This repo houses the libraries and CLI to create Auth tokens for OpenStorage SDK.

For more information, please see OpenStorage SDK

Overview

This repo provides the command line program openstorage-sdk-auth and Golang package libraries for users and developers to create auth tokens for OpenStorage SDK.

Installation

A container will be available, but in the meantime you can do the following:

go install github.com/libopenstorage/openstorage-sdk-auth/cmd/openstorage-sdk-auth

Usage

To use, you will need to first decide which key type to use to sign the tokens. Although shared secrets are simple, we recommend using RSA256. In the tools/ directory you will find a simple script to generate private and public PEM files.

You will then need to create a claims file using the specification highlighted in this document. Here is an example of a claims file which defines the email, name, and authorization of the account:

name: Luis Pabon
sub: id/[email protected]
email: [email protected]
roles: ["system.user"]
groups: ["px-engineering", "kubernetes-csi"]

The yaml has the following structure:

  • email string: Email of the account accessing the SDK
  • sub string: Unique id of user. Could be the email or a UUID. If this is missing, the program will create an ID for the user based on the name and email.
  • name string: Name of the account accessing the SDK
  • roles string list: Roles of the account. This role must already be defined by the OpenStorage SDK server. The server has the following default roles:
    • system.admin: Access to all APIs
    • system.view: Access to read only APIs only
    • system.user: Access to volume lifecycle APIs only
  • groups string list: Groups which the user is part of. Setting the value of "*" for the group will enable the user of the token to access ALL resources.

You can then generate a token using openstorage-sdk-auth. In the example below, we generate a token with an expiration time of 30 days. We use the sample unsecure RSA pem files part of this repo to sign the token.

openstorage-sdk-auth \
  --auth-config=cmd/openstorage-sdk-auth/sample.yml \
  --rsa-private-keyfile=tools/rsa_sample_unsecure_private.pem \
  --token-duration=30d \
  --output=private.token

Custom Roles

The OpenStorage SDK server allows custom roles. Please see OpenStorageRole for more information. Once you create a role, you can add it to the token under roles.

About

Generate tokens to authorize and authenticate accounts with OpenStorage SDK

Resources

License

Stars

Watchers

Forks

Packages

No packages published