TrueCloudLab/frostfs-node
19
1
Fork 27
Code Issues 91 Pull requests 8 Projects Releases 1 Activity Actions

[#1104] docs: Add bearer token description to auth doc
All checks were successful
Build / Build Components (1.21) (pull_request) Successful in 8m37s
Details
DCO action / DCO (pull_request) Successful in 8m26s
Details
Vulncheck / Vulncheck (pull_request) Successful in 8m24s
Details
Build / Build Components (1.22) (pull_request) Successful in 13m3s
Details
Tests and linters / gopls check (pull_request) Successful in 13m3s
Details
Tests and linters / Staticcheck (pull_request) Successful in 14m26s
Details
Tests and linters / Lint (pull_request) Successful in 15m9s
Details
Tests and linters / Tests with -race (pull_request) Successful in 16m50s
Details
Tests and linters / Tests (1.21) (pull_request) Successful in 17m5s
Details
Tests and linters / Tests (1.22) (pull_request) Successful in 17m8s
Details

Browse source 
This is about authentication only and eACL is deprecated, so only
mention `allow_impersonate` flag.

Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
This commit is contained in:
Evgenii Stratonikov 2024-04-23 14:12:37 +03:00
parent 6d4583f5de
commit 7bc3003803
3 changed files with 31 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
docs/authentication.md
View file

@ -35,7 +35,18 @@ The hash algorithm used is SHA-256
ECDSA public key corresponding to the private key being used to sign a message. ECDSA public key corresponding to the private key being used to sign a message.
It is the primary user identity and is used to determine the request originator. It is the primary user identity and is used to determine the request originator.
## Session token ## Tokens
Generally, the request owner, i.e. an account all access control checks are applied to
is taken from the request signature.
However, session and bearer tokens can alter authentication process by making "effective" request owner differ from the actual one.
The general scheme is given by the following picture:
![Token processing](images/authentication/impersonate.svg)
It is important to note, that the token is only valid when the request signature corresponds to the actor token is issued to.
### Session token
Session token can override the rules of determining request owner. Session token can override the rules of determining request owner.
It is defined in the [frostfs-api](https://git.frostfs.info/TrueCloudLab/frostfs-api/src/branch/master/session/types.proto#L89). It is defined in the [frostfs-api](https://git.frostfs.info/TrueCloudLab/frostfs-api/src/branch/master/session/types.proto#L89).
@ -50,7 +61,9 @@ Session token may have some restrictions:
2. Set of operations it applies to. 2. Set of operations it applies to.
3. The entity it is given to. This is provided in `session_key` field containing the public key. 3. The entity it is given to. This is provided in `session_key` field containing the public key.
## Bearer token ### Bearer token
Bearer token is generally used for access control but can also affect authentication if `allow_impersonate` flag is set. With this flag it behaves similarly to session token.
## FrostFS ID ## FrostFS ID

15
docs/images/authentication/impersonate.puml Normal file
View file

@ -0,0 +1,15 @@
@startuml impersonate
start
if (The request has bearer token with allow_impersonate=true?) then (yes)
:Treat bearer token issuer as the request owner.;
end
(no) elseif (The request has session token?) then (yes)
:Treat session token issuer as the request owner.;
end
else (no)
:Determine request owner from the request signature.;
end
endif
@enduml

1
docs/images/authentication/impersonate.svg Normal file
View file

File diff suppressed because one or more lines are too long
Side by side

After

Width:  |  Height:  |  Size: 5.5 KiB