aaasvc

command module
v0.0.0-...-6c3212e
Published: Mar 6, 2024 License: Apache-2.0 Imports: 1 Imported by: 0

README

Choria AAA Service

Overview

Choria is traditionally a loosely coupled system with very few central components. When a user makes an RPC request, the request has a public certificate attached and every single node they interact with performs its own RBAC check.

That default deployment method has no per-request dependencies and scales very well, but it can be difficult to manage, rotate and audit who holds access credentials. This package provides a system that issues short-lived JWT tokens and authorizes and audits each request centrally before it reaches any fleet node.

The main motivation is to avoid the problems caused by having to do certificate management and fleet-wide static action policies for every user; instead you have a central login and a central authority that performs AAA for every request. This is more appropriate to the typical enterprise environment.

With this deployed the workflow becomes:

$ choria ping
FATA[0000] Could not run Choria: could not perform request: error from remote signer: Request denied

$ mco login
Username (rip):
Password:
Token saved to /home/user/.choria/client.jwt

$ choria ping
...
---- ping statistics ----
19 replies max: 161.60 min: 131.23 avg: 151.21

The token is valid for a configurable period, after which another choria login will be required. Users are able to perform only the actions they are entitled to. Users have no SSL certificates of their own; a system-wide certificate might be needed to connect to the middleware if it is configured to require TLS.
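As an added example, not code from the aaasvc project, the following Go sketch shows the verify-then-authorize step the workflow above relies on: the token's JOSE header is pinned, its Ed25519 signature and expiry are checked, and only then is an agent.action compared against the action list carried in the claims. The claim name `allowed_actions`, the EdDSA algorithm and the `agent.*` wildcard are assumptions made for this example, not aaasvc's own token format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)
// hdr is the only JOSE header this verifier accepts: pinning it rules out alg substitution ("none").
var b64 = base64.RawURLEncoding
var hdr = b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`))
// Claims is a constructed claim set; "allowed_actions" is an assumed claim name, not aaasvc's own.
type Claims struct {
	Exp            int64    `json:"exp"`
	AllowedActions []string `json:"allowed_actions"`
}
// Sign stands in for the login step: it issues a short-lived EdDSA-signed JWT.
func Sign(priv ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c)
	signing := hdr + "." + b64.EncodeToString(body)
	return signing + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signing)))
}
// Verify checks header, signature and expiry; claims are returned only once all three pass.
func Verify(token string, pub ed25519.PublicKey, now time.Time) (*Claims, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 || p[0] != hdr {
		return nil, errors.New("malformed token or unexpected alg")
	}
	sig, err := b64.DecodeString(p[2])
	if err != nil || !ed25519.Verify(pub, []byte(p[0]+"."+p[1]), sig) {
		return nil, errors.New("bad signature")
	}
	body, _ := b64.DecodeString(p[1])
	var c Claims
	if json.Unmarshal(body, &c) != nil || now.Unix() >= c.Exp {
		return nil, errors.New("unreadable or expired token")
	}
	return &c, nil
}
// Authorize mirrors the action-list idea: agent.action (or agent.*) must be in the verified claims.
func Authorize(c *Claims, agent, action string) bool {
	for _, a := range c.AllowedActions {
		if a == agent+"."+action || a == agent+".*" {
			return true
		}
	}
	return false
}
```

Because the action list is inside the signed payload, a client cannot widen its own entitlements without invalidating the signature, and expiry bounds how long a leaked token is useful.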


Documentation


There is no documentation for this package.

Directories

Path Synopsis
api
gen/restapi
Package restapi Choria Central Signing Service
jetstream
Package jetstream implements an auditor that publishes audit logs to NATS JetStream
logfile
Package logfile is an auditor that simply logs to a file
userlist
Package userlist provides a static configuration based authentication system
actionlist
Package actionlist is an Authorizer that looks at specific claims in a JWT token and allows requests based on the approved list of actions.
opa
Package opa is an Authorizer that reads Open Policy Agent Rego policies from an `opa_policy` claim in a JWT token and allows requests based on evaluation of the policy
basicjwt
Package basicjwt is a signer that parses a JWT token and approves requests based on the claims within it.
