server

package
v0.0.0-...-c9686b9

This package is not in the latest version of its module.

Published: Nov 13, 2023 License: Apache-2.0 Imports: 13 Imported by: 2

README

Hologram Server

The Hologram Server manages AWS credentials for a team of developers, allocating temporary credentials using AWS STS to developers on request. It is designed to work with the Hologram Agent, responding to authenticated requests for credentials with fresh or cached credentials from AWS.

protobuf server

Hologram accepts TCP connections on port 3100, receiving and responding to messages using a Protocol Buffers-based format.

LDAP

Hologram supports a pluggable authentication and authorization mechanism, and the default implementation available is LDAP. Users authenticate to Hologram using an SSH key challenge, and Hologram looks up the SSH public keys to use in LDAP.

AWS client

AWS STS is used to generate temporary credentials.

logging

All authentications, whether successful or not, can be logged to Amazon SimpleDB to provide an audit trail.

Documentation

Overview

Package server implements the connection-oriented state machine for the Hologram centralised server.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func BuildARN

func BuildARN(role string, defaultAccount string, accountAliases *map[string]string) string

func New

func New(userCache UserCache,
	credentials CredentialService,
	defaultRole string,
	stats g2s.Statter,
	ldapServer LDAPImplementation,
	userAttr string,
	baseDN string,
	enableLDAPRoles bool,
	defaultRoleAttr string,
	pubKeysAttr string,
	roleTimeoutAttr string) *server

New returns a server that can be used as a handler for a MessageConnection loop.

func NewDirectSessionTokenService

func NewDirectSessionTokenService(iamAccount string, sts *sts.STS, accountAliases *map[string]string) *directSessionTokenService

NewDirectSessionTokenService returns a credential service that talks to Amazon directly.

func NewLDAPUserCache

func NewLDAPUserCache(server LDAPImplementation, stats g2s.Statter, userAttr string, baseDN string, enableLDAPRoles bool, roleAttribute string, defaultRole string, defaultRoleAttr string, groupClassAttr string, pubKeysAttr string, roleTimeoutAttr string) (*ldapUserCache, error)

NewLDAPUserCache returns a properly-configured LDAP cache.

Types

type Authenticator

type Authenticator interface {
	Authenticate(username string, challenge []byte, sig *ssh.Signature) (user *User, err error)
}

type CredentialService

type CredentialService interface {
	AssumeRole(user *User, role string, enableLDAPRoles bool) (*sts.Credentials, error)
	GetSessionToken() (*sts.Credentials, error)
}

CredentialService implements workflows that return temporary credentials to calling processes. No caching is done of these results other than that which the CredentialService does itself.

type Group

type Group struct {
	ARNs    []string
	Timeout int64
}

type LDAPImplementation

type LDAPImplementation interface {
	Search(*ldap.SearchRequest) (*ldap.SearchResult, error)
	Modify(*ldap.ModifyRequest) error
}

LDAPImplementation implementers provide access to LDAP servers for operations that Hologram uses. This interface exists for testing purposes.

func NewPersistentLDAP

func NewPersistentLDAP(open func() (LDAPImplementation, error)) (LDAPImplementation, error)

type STSImplementation

type STSImplementation interface {
	AssumeRole(options *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error)
	GetSessionToken(options *sts.GetSessionTokenInput) (*sts.GetSessionTokenOutput, error)
}

STSImplementation exists to enable dependency injection of an implementation of STS.

type User

type User struct {
	Username    string
	SSHKeys     []ssh.PublicKey
	Groups      []*Group
	DefaultRole string
}

User represents information about a user stored in the cache.

type UserCache

type UserCache interface {
	// They also need to implement the SSH key verification interface.
	Authenticator
	Update() error
}

UserCache implementers provide information about registered users.
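As an added example that is not part of the Hologram project, here is a minimal in-memory Authenticator implementing the challenge-signature contract of the Authenticator interface and the User struct above, with a fresh per-request challenge as the README's SSH key challenge requires. It assumes standard-library crypto/ed25519 keys in place of the golang.org/x/crypto/ssh types; memoryUserCache and NewChallenge are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// User mirrors the cache entry on this page; keys are plain ed25519 keys here.
type User struct {
	Username string
	SSHKeys  []ed25519.PublicKey
}

// memoryUserCache (hypothetical name) stands in for the LDAP-backed cache.
type memoryUserCache struct{ users map[string]*User }

// NewChallenge (hypothetical name) returns 32 fresh random bytes per request,
// so a signature captured from one request cannot be replayed against another.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Authenticate follows the Authenticator contract: the user is returned only if
// sig is a valid signature over challenge by one of that user's cached keys.
// Unknown users and bad signatures share one error so the reply does not leak
// which usernames exist in the directory.
func (c *memoryUserCache) Authenticate(username string, challenge, sig []byte) (*User, error) {
	u, ok := c.users[username]
	if !ok || len(challenge) != 32 {
		return nil, errors.New("authentication failed")
	}
	for _, key := range u.SSHKeys {
		if ed25519.Verify(key, challenge, sig) {
			return u, nil
		}
	}
	return nil, errors.New("authentication failed")
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	cache := &memoryUserCache{users: map[string]*User{"alice": {Username: "alice", SSHKeys: []ed25519.PublicKey{pub}}}}
	challenge, _ := NewChallenge()
	_, err := cache.Authenticate("alice", challenge, ed25519.Sign(priv, challenge))
	fmt.Println("signature over fresh challenge accepted:", err == nil)
}
```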
