This component handles user management and prevents arbitrary users to access processors they shouldn't. It works by granting access-tokens, which users can include into their event-headers to reach processors with restricted access. To get this token, you need to publish an event with the topic "authenticator::login" and your credentials as payload. As response you will get an access token.
The authenticator will setup "guard"-processors for all permissions which are setup and maintained by using the events "authenticator::permissions::(add|delete|get)". Now, if a user publishes an event, the guard-processor handles the event as the first and checks if an access-token is provided in the event-header, and if the token is associated with a user which has the required role to access the guarded processor. Then the event is simply passed back to the susi-core and the guarded processors will proceed processing the event.
If no previous configuration has been done, the following default config will be added:
- user: "root"
- password: "toor"
- role: "admin"
- permissions: "authenticator::(users|permissions)::(.*)" needs role "admin"
This event is used to obtain an access-token. You must specify your username and your password. As a response you get an access-token and a list of events that need the access-token. You should NOT send your access-token to other events, or they could be captured by another (evil) consumer. The events in this list are guarded by the authenticator. Therefore the authenticator takes care of removing the access-tokens, so they can not be observed by another consumer.
{
"topic":"authenticator::login",
"payload": {
"username": "test",
"password": "test"
}
}
{
"topic":"authenticator::login",
"payload": {
"token": "abcdefghijklmnopqrstuvwxyz",
"topics": ["guarded-topic-1","guarded-topic-2"]
}
}
If you are logged in, you must logout at the end of your session, in order to cleanup things. Simply publish an event "authenticator::logout" with your access-token as header.
{
"topic":"authenticator::logout",
"headers": [
{"User-Token":"abcdefghijklmnopqrstuvwxyz"}
]
}
{
"topic":"authenticator::logout",
"payload": true
}
If you want to add a new user, publish an event with the topic "authenticator::users::add" and specify the user as shown below.
{
"topic":"authenticator::users::add",
"headers": [
{"User-Token":"abcdefghijklmnopqrstuvwxyz"}
],
"payload": {
"username": "test",
"password": "test",
"roles": ["role1","role2"]
}
}
{
"topic":"authenticator::users::add",
"payload": true
}
If you want to delete a new user, publish an event with the topic "authenticator::users::delete" and specify the user by name.
{
"topic":"authenticator::users::delete",
"headers": [
{"User-Token":"abcdefghijklmnopqrstuvwxyz"}
],
"payload": {
"username": "test",
}
}
{
"topic":"authenticator::users::delete",
"payload": true
}
Get a list of all users and their roles.
{
"topic":"authenticator::users::get",
"headers": [
{"User-Token":"abcdefghijklmnopqrstuvwxyz"}
]
}
{
"topic":"authenticator::users::get",
"payload": [
{
"username": "root",
"roles": ["admin"]
},{
"username": "test",
"roles": ["role1", "role2"]
}
]
}
If you want to add a new permission, publish an event with the topic "authenticator::permissions::add" and specify what to guard, and who can pass. To specify what, you must provide a pattern. This pattern is basically the json representation of an event with topic and payload. As usual you can specify the topic as regular expression which is then matched, but you can also specify parts of the payload, which must exist within the event in question. Strings in the pattern payload can also be regular expressions.
As a result, you will get an id for this permission.
As an example, the sample request will guard the events with the topics "guarded-topic-1", "guarded-topic-2" and "guarded-topic-3", but only if the payload contains the field "key" with one of the values "sample-value-a", "sample-value-b" or "sample-value-c".
With this approach you can for example disallow users from reading arbitrary values from one of the susi-states components (statefile or leveldb) without disallowing every use of this components.
{
"topic":"authenticator::permissions::add",
"headers": [
{"User-Token":"abcdefghijklmnopqrstuvwxyz"}
],
"payload": {
"pattern": {
"topic": "guarded-topic-(1|2|3)",
"payload": {
"key": "sample-value-(a|b|c)"
}
},
"roles": ["role1","role2"]
}
}
{
"topic":"authenticator::permissions::add",
"payload": {
"id": "abcdefg123"
}
}
If you want to delete a permission, publish an event with the topic "authenticator::permissions::delete" and specify the id of the permission. You get this id when you register the permission, or from the permission list obtained via "authenticator::permissions::get".
{
"topic":"authenticator::permissions::delete",
"headers": [
{"User-Token":"abcdefghijklmnopqrstuvwxyz"}
],
"payload": {
"id": "abcdefg123",
}
}
{
"topic":"authenticator::permissions::delete",
"payload": true
}
If you want to get a list of all permissions, use this event.
{
"topic":"authenticator::permissions::get",
"headers": [
{"User-Token":"abcdefghijklmnopqrstuvwxyz"}
]
}
{
"topic":"authenticator::permissions::get",
"payload": {
"abcdefg123": {
"pattern": {
"topic": "guarded-topic",
"payload": {
"sample-key": "sample-value"
}
},
"roles": ["role1","role2"]
}
}
}