forked from TrueCloudLab/frostfs-node
[#1104] docs: Add bearer token description to auth doc
This is about authentication only and eACL is deprecated, so only mention `allow_impersonate` flag.

Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
This commit is contained in:
parent
6d4583f5de
commit
7bc3003803
3 changed files with 31 additions and 2 deletions
@ -35,7 +35,18 @@ The hash algorithm used is SHA-256
ECDSA public key corresponding to the private key being used to sign a message.
It is the primary user identity and is used to determine the request originator.
## Session token
## Tokens
Generally, the request owner, i.e. an account all access control checks are applied to
is taken from the request signature.
However, session and bearer tokens can alter authentication process by making "effective" request owner differ from the actual one.
The general scheme is given by the following picture:
![Token processing](images/authentication/impersonate.svg)
It is important to note, that the token is only valid when the request signature corresponds to the actor token is issued to.
### Session token
Session token can override the rules of determining request owner.
It is defined in the [frostfs-api](https://git.frostfs.info/TrueCloudLab/frostfs-api/src/branch/master/session/types.proto#L89).
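Review bot: the sentence "It is important to note, that the token is only valid when the request signature corresponds to the actor token is issued to." is missing a word and should read "... corresponds to the actor the token is issued to" (the comma after "note" should also go). Since this paragraph is the only place the signature-to-token binding is stated, and that binding is what stops a token from being used by a signer it was not issued to, it would help to name here how that actor is identified for each token kind, as the session token section below already does with the `session_key` field.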
@ -50,7 +61,9 @@ Session token may have some restrictions:
2. Set of operations it applies to.
3. The entity it is given to. This is provided in `session_key` field containing the public key.
## Bearer token
### Bearer token
Bearer token is generally used for access control but can also affect authentication if `allow_impersonate` flag is set. With this flag it behaves similarly to session token.
## FrostFS ID
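Review bot: the bearer token paragraph says the token "behaves similarly to session token" when `allow_impersonate` is set, but it does not say who the effective request owner becomes or what happens when a request carries both tokens. The new diagram answers both (the bearer token issuer is treated as the request owner, and a bearer token with `allow_impersonate=true` is evaluated before the session token), so state that precedence in the text, because a reader of this section alone cannot recover it. For symmetry with the session token section, also link the bearer token definition in frostfs-api and name the bearer token field the request signer is matched against, as `session_key` is named for session tokens.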
15
docs/images/authentication/impersonate.puml
Normal file
@ -0,0 +1,15 @@
@startuml impersonate
start
if (The request has bearer token with allow_impersonate=true?) then (yes)
:Treat bearer token issuer as the request owner.;
end
(no) elseif (The request has session token?) then (yes)
:Treat session token issuer as the request owner.;
end
else (no)
:Determine request owner from the request signature.;
end
endif
@enduml
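Review bot: every branch of the `if`/`elseif`/`else` terminates with `end`, so the closing `endif` can never be reached; replacing the three per-branch `end` lines with a single `stop` after `endif` gives the same diagram with source that reads as intended. Since the rendered `impersonate.svg` is committed next to this `.puml`, a short note on how the SVG is regenerated from the source would also help keep the two from drifting apart.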
1
docs/images/authentication/impersonate.svg
Normal file
File diff suppressed because one or more lines are too long
After: size 5.5 KiB