[#1104] docs: Add bearer token description to auth doc

This is about authentication only and eACL is deprecated, so only
mention the `allow_impersonate` flag.

Signed-off-by: Evgenii Stratonikov <e.stratonikov@yadro.com>
Evgenii Stratonikov 2024-04-23 14:12:37 +03:00
parent 6d4583f5de
commit 7bc3003803
3 changed files with 31 additions and 2 deletions

@ -35,7 +35,18 @@ The hash algorithm used is SHA-256
ECDSA public key corresponding to the private key being used to sign a message.
It is the primary user identity and is used to determine the request originator.
## Session token
## Tokens
Generally, the request owner, i.e. an account all access control checks are applied to
is taken from the request signature.
However, session and bearer tokens can alter authentication process by making "effective" request owner differ from the actual one.
The general scheme is given by the following picture:
![Token processing](images/authentication/impersonate.svg)
It is important to note, that the token is only valid when the request signature corresponds to the actor token is issued to.
### Session token
Session token can override the rules of determining request owner.
It is defined in the [frostfs-api](https://git.frostfs.info/TrueCloudLab/frostfs-api/src/branch/master/session/types.proto#L89).
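Review bot: the sentence "the token is only valid when the request signature corresponds to the actor token is issued to" drops an article and is hard to parse; suggest "corresponds to the actor the token is issued to", and name the field that carries that actor for each token type (the session-token section below already points at `session_key`) so a reader can check the rule against the protobuf definitions. Also "can alter authentication process" should read "can alter the authentication process".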
@ -50,7 +61,9 @@ Session token may have some restrictions:
2. Set of operations it applies to.
3. The entity it is given to. This is provided in `session_key` field containing the public key.
## Bearer token
### Bearer token
Bearer token is generally used for access control but can also affect authentication if `allow_impersonate` flag is set. With this flag it behaves similarly to session token.
## FrostFS ID
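Review bot: the new bearer-token paragraph says the token "behaves similarly to session token" but never says what the effective request owner becomes; the diagram this doc references treats the bearer token issuer as the request owner, so state that explicitly here, and repeat that, per the general rule above, impersonation is only honoured when the request signature matches the actor the token is issued to. Minor: "similarly to session token" should be "similarly to a session token".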

@ -0,0 +1,15 @@
@startuml impersonate
start
if (The request has bearer token with allow_impersonate=true?) then (yes)
:Treat bearer token issuer as the request owner.;
end
(no) elseif (The request has session token?) then (yes)
:Treat session token issuer as the request owner.;
end
else (no)
:Determine request owner from the request signature.;
end
endif
@enduml
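Review bot: the diagram checks the bearer token with `allow_impersonate=true` before the session token, so when a request carries both, the bearer token issuer wins; the prose in the authentication doc does not state this precedence, so either document it there or confirm the order matches the node implementation. Style point: every branch terminates with `end`, so the closing `endif` is never reached; dropping the per-branch `end` lines and finishing with a single `stop` after `endif` yields the same picture with less noise.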

File diff suppressed because one or more lines are too long
