Documentation ¶
Overview ¶
Package cbauth provides auth{N,Z} for couchbase server services.
Index ¶
- Constants
- Variables
- func CipherOrder() bool
- func CipherSuites() []uint16
- func ExtractCredsGeneric(hdr httpreq.HttpHeader) (user string, pwd string, err error)
- func ExtractOnBehalfIdentityGeneric(hdr httpreq.HttpHeader) (user string, domain string, err error)
- func ForbiddenJSON(permission string) ([]byte, error)
- func GetClientCertAuthType() (tls.ClientAuthType, error)
- func GetHTTPServiceAuth(hostport string) (user, pwd string, err error)
- func GetMemcachedServiceAuth(hostport string) (user, pwd string, err error)
- func GetUserBuckets(user, domain string) ([]string, error)
- func GetUserUuid(user, domain string) (string, error)
- func InitExternal(service, mgmtHostPort, user, password string) error
- func InitExternalWithHeartbeat(service, mgmtHostPort, user, password string, ...) error
- func InternalRetryDefaultInit(mgmtHostPort, user, password string) (bool, error)
- func InternalRetryDefaultInitWithService(service, mgmtHostPort, user, password string) (bool, error)
- func MinTLSVersion() uint16
- func RegisterConfigRefreshCallback(callback ConfigRefreshCallback) error
- func RegisterTLSRefreshCallback(callback TLSRefreshCallback) error
- func SendForbidden(w http.ResponseWriter, permission string) error
- func SendUnauthorized(w http.ResponseWriter)
- func SetRequestAuth(req *http.Request) error
- func SetRequestAuthVia(req *http.Request, a Authenticator) error
- func SplitHostPort(hostport string) (host string, port int, err error)
- func WithAuthenticator(a Authenticator, body func(a Authenticator) error) error
- func WithDefault(body func(a Authenticator) error) error
- func WrapHTTPTransport(transport http.RoundTripper, a Authenticator) http.RoundTripper
- type AuthHandler
- type Authenticator
- type BaseAuthenticator
- type ClusterEncryptionConfig
- type ConfigRefreshCallback
- type Creds
- type DBStaleError
- type ExternalAuthenticator
- type GuardrailStatuses
- type TLSConfig
- type TLSRefreshCallback
- type UnknownHostPortError
Constants ¶
const (
	CFG_CHANGE_CERTS_TLSCONFIG uint64 = 1 << iota
	CFG_CHANGE_CLUSTER_ENCRYPTION
	CFG_CHANGE_CLIENT_CERTS_TLSCONFIG
	CFG_CHANGE_GUARDRAIL_STATUSES
)
The following constants are used as flags to indicate which configuration has changed. These flags are passed as an argument to the 'ConfigRefreshCallback' function registered using the 'RegisterConfigRefreshCallback' API.
Variables ¶
var ErrNoAuth = cbauthimpl.ErrNoAuth
ErrNoAuth is an error that is returned when the user credentials are not recognized
var ErrNoUuid = cbauthimpl.ErrNoUuid
ErrNoUuid is an error that is returned when the uuid for user is empty
var ErrNotInitialized = errors.New("cbauth was not initialized")
ErrNotInitialized is used to signal that the ns_server environment variables are not set, and thus the Default authenticator is not configured, for calls that use the default authenticator.
Functions ¶
func CipherOrder ¶
func CipherOrder() bool
CipherOrder function is deprecated. Use cbauth.GetTLSConfig() instead
func CipherSuites ¶
func CipherSuites() []uint16
CipherSuites function is deprecated. Use cbauth.GetTLSConfig() instead
func ExtractCredsGeneric ¶ added in v0.1.9
func ExtractCredsGeneric(hdr httpreq.HttpHeader) (user string, pwd string, err error)
ExtractCredsGeneric extracts Basic auth creds from header.
func ExtractOnBehalfIdentityGeneric ¶ added in v0.1.9
func ExtractOnBehalfIdentityGeneric(hdr httpreq.HttpHeader) (user string, domain string, err error)
ExtractOnBehalfIdentityGeneric extracts 'on behalf' identity from header.
func ForbiddenJSON ¶
func ForbiddenJSON(permission string) ([]byte, error)
ForbiddenJSON returns a JSON 403 response body for the given permission.
func GetClientCertAuthType ¶
func GetClientCertAuthType() (tls.ClientAuthType, error)
GetClientCertAuthType returns TLS cert type
func GetHTTPServiceAuth ¶
func GetHTTPServiceAuth(hostport string) (user, pwd string, err error)
GetHTTPServiceAuth returns user/password creds giving "admin" access to the given HTTP service inside the couchbase cluster. Uses the default authenticator.
func GetMemcachedServiceAuth ¶
func GetMemcachedServiceAuth(hostport string) (user, pwd string, err error)
GetMemcachedServiceAuth returns user/password creds giving "admin" access to the given memcached service. Uses the default authenticator.
func GetUserBuckets ¶ added in v0.1.2
func GetUserBuckets(user, domain string) ([]string, error)
func GetUserUuid ¶ added in v0.1.1
func GetUserUuid(user, domain string) (string, error)
func InitExternal ¶ added in v0.1.11
func InitExternal(service, mgmtHostPort, user, password string) error
InitExternal should be used by an external cbauth client to enable cbauth with limited functionality.
func InitExternalWithHeartbeat ¶ added in v0.1.11
func InitExternalWithHeartbeat(service, mgmtHostPort, user, password string, heartbeatInterval, heartbeatWait int) error
InitExternalWithHeartbeat should be used by an external cbauth client to enable cbauth with limited functionality and with heartbeats enabled.
heartbeatInterval - interval in seconds at which heartbeats should be sent
heartbeatWait - how many seconds to wait before declaring the database stale
func InternalRetryDefaultInit ¶
func InternalRetryDefaultInit(mgmtHostPort, user, password string) (bool, error)
InternalRetryDefaultInit can be used by golang services that are willing to perform manual initialization of cbauth (i.e. for easier testing). This API is subject to change and should be used only if really needed. Returns false if the Default Authenticator was already initialized.
func InternalRetryDefaultInitWithService ¶
func InternalRetryDefaultInitWithService(service, mgmtHostPort, user, password string) (bool, error)
InternalRetryDefaultInitWithService can be used by golang services that are willing to perform manual initialization of cbauth (i.e. for easier testing). This API is subject to change and should be used only if really needed. Returns false if the Default Authenticator was already initialized.
func MinTLSVersion ¶
func MinTLSVersion() uint16
MinTLSVersion function is deprecated. Use cbauth.GetTLSConfig() instead
func RegisterConfigRefreshCallback ¶
func RegisterConfigRefreshCallback(callback ConfigRefreshCallback) error
func RegisterTLSRefreshCallback ¶
func RegisterTLSRefreshCallback(callback TLSRefreshCallback) error
RegisterTLSRefreshCallback registers a callback to be called when any field of the TLS settings changes. The callback is called in a separate goroutine.
func SendForbidden ¶
func SendForbidden(w http.ResponseWriter, permission string) error
SendForbidden sends 403 Forbidden with a JSON payload that contains the list of required permissions on the given response writer.
func SendUnauthorized ¶
func SendUnauthorized(w http.ResponseWriter)
SendUnauthorized sends a 401 Unauthorized response on the given response writer.
func SetRequestAuth ¶
func SetRequestAuth(req *http.Request) error
SetRequestAuth sets the basic auth header in the given http request according to the default authenticator. Simply calls SetRequestAuthVia with a nil authenticator.
func SetRequestAuthVia ¶
func SetRequestAuthVia(req *http.Request, a Authenticator) error
SetRequestAuthVia sets the basic auth header in the given http request according to the given authenticator. It extracts the target hostname/port from the request and looks up the right service credentials for that endpoint. If a nil authenticator is passed, the Default authenticator is used.
func SplitHostPort ¶
func SplitHostPort(hostport string) (host string, port int, err error)
SplitHostPort separates hostport into a string host and a numeric port.
func WithAuthenticator ¶
func WithAuthenticator(a Authenticator, body func(a Authenticator) error) error
WithAuthenticator calls the given body with either the passed authenticator or the default authenticator if `a` is nil. ErrNotInitialized is returned if `a` is nil and the default authenticator is not configured.
func WithDefault ¶
func WithDefault(body func(a Authenticator) error) error
WithDefault calls the given body with the default authenticator. If the default authenticator is not configured, it returns ErrNotInitialized.
func WrapHTTPTransport ¶
func WrapHTTPTransport(transport http.RoundTripper, a Authenticator) http.RoundTripper
WrapHTTPTransport constructs an http transport that automatically does SetRequestAuthVia for the requests it sends. As usual, if a nil authenticator is passed, the default authenticator is used.
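The outgoing-auth behaviour documented for SetRequestAuthVia, WrapHTTPTransport and UnknownHostPortError, as an added, self-contained example; this is not cbauth's code. The serviceAuth table stands in for an Authenticator's GetHTTPServiceAuth, authTransport is a local equivalent of the wrapped transport, and every host, port and credential value is constructed sample data. The point it shows is that credentials are resolved per target host:port and that a request to an endpoint with no known credentials fails closed instead of going out with some other endpoint's secret.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
)

// UnknownHostPortError mirrors cbauth.UnknownHostPortError: no service
// credentials are known for the given host:port.
type UnknownHostPortError string

func (s UnknownHostPortError) Error() string {
	return fmt.Sprintf("unknown host:port %q", string(s))
}

// serviceAuth is a constructed stand-in for an Authenticator's
// GetHTTPServiceAuth: it maps host:port to the admin credentials for exactly
// that endpoint.
type serviceAuth map[string][2]string

func (s serviceAuth) GetHTTPServiceAuth(hostport string) (user, pwd string, err error) {
	c, ok := s[hostport]
	if !ok {
		return "", "", UnknownHostPortError(hostport)
	}
	return c[0], c[1], nil
}

// setRequestAuthVia does what cbauth.SetRequestAuthVia documents: derive the
// target host:port from the request URL, look up credentials for that
// endpoint and set the Basic auth header.
func setRequestAuthVia(req *http.Request, a serviceAuth) error {
	host, port := req.URL.Hostname(), req.URL.Port()
	if port == "" { // fill in the scheme default so the lookup key is stable
		port = "80"
		if req.URL.Scheme == "https" {
			port = "443"
		}
	}
	user, pwd, err := a.GetHTTPServiceAuth(net.JoinHostPort(host, port))
	if err != nil {
		return err
	}
	req.SetBasicAuth(user, pwd)
	return nil
}

// authTransport is the added counterpart of cbauth.WrapHTTPTransport: a
// RoundTripper that authenticates every request before delegating to base.
type authTransport struct {
	base http.RoundTripper
	auth serviceAuth
}

func (t authTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context()) // RoundTrippers must not mutate the caller's request
	if err := setRequestAuthVia(r, t.auth); err != nil {
		return nil, err // no credentials for this endpoint: fail closed, send nothing
	}
	return t.base.RoundTrip(r)
}

// demo starts a local test server that echoes the Basic auth user it saw, and
// returns that user for an authenticated request plus the error produced for
// an endpoint with no known credentials. All values are constructed sample data.
func demo() (seenUser string, unknownErr error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		u, _, _ := r.BasicAuth()
		fmt.Fprint(w, u)
	}))
	defer srv.Close()

	auth := serviceAuth{srv.Listener.Addr().String(): {"@svc-user", "svc-pass"}}
	client := &http.Client{Transport: authTransport{base: http.DefaultTransport, auth: auth}}

	resp, err := client.Get(srv.URL + "/ping")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)

	// No table entry for this host:port: RoundTrip returns UnknownHostPortError
	// before any connection is attempted.
	_, unknownErr = client.Get("http://127.0.0.1:9/unknown")
	return string(body), unknownErr
}

func main() {
	user, err := demo()
	var u UnknownHostPortError
	fmt.Println(user, errors.As(err, &u), string(u)) // @svc-user true 127.0.0.1:9
}
```

The http.Client wraps the transport error in a *url.Error, so callers unwrap it with errors.As rather than a type assertion; cloning the request inside RoundTrip keeps the caller's request free of credentials it did not ask for.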
Types ¶
type AuthHandler ¶
type AuthHandler struct {
	Bucket string
	A      Authenticator
}
AuthHandler is a type that implements the go-couchbase AuthHandler, GenericMcdAuthHandler and HTTPAuthHandler interfaces. It integrates cbauth into go-couchbase.
func NewAuthHandler ¶
func NewAuthHandler(a Authenticator) *AuthHandler
NewAuthHandler returns an AuthHandler instance that uses the given authenticator instance to authenticate memcached connections for the go-couchbase client. If the given authenticator is nil, the Default authenticator will be used during AuthenticateMemcachedConn calls.
func (*AuthHandler) AuthenticateMemcachedConn ¶
func (ah *AuthHandler) AuthenticateMemcachedConn(host string, conn *memcached.Client) error
AuthenticateMemcachedConn grabs creds for the given host destination and performs auth and select-bucket on the given memcached.Client. It is called by go-couchbase as part of setting up a fresh connection in its memcached connection pool.
func (*AuthHandler) ForBucket ¶
func (ah *AuthHandler) ForBucket(bucket string) couchbase.AuthHandler
ForBucket returns a copy of the AuthHandler configured for a different bucket.
func (*AuthHandler) GetCredentials ¶
func (ah *AuthHandler) GetCredentials() (string, string, string)
GetCredentials method returns empty creds (it is not supposed to be used in practice).
func (*AuthHandler) SetCredsForRequest ¶
func (ah *AuthHandler) SetCredsForRequest(req *http.Request) error
SetCredsForRequest calls SetRequestAuthVia on the given request with the AuthHandler's Authenticator.
type Authenticator ¶
type Authenticator interface {
	BaseAuthenticator
	GetHTTPServiceAuth(hostport string) (user, pwd string, err error)
	// GetMemcachedServiceAuth returns user/password creds giving
	// "admin" access to given memcached service.
	GetMemcachedServiceAuth(hostport string) (user, pwd string, err error)
	// RegisterTLSRefreshCallback registers callback for refreshing TLS Config whenever
	// SSL certificates are refreshed or when client certificate auth state is changed.
	// Deprecated: Use RegisterConfigRefreshCallback instead.
	RegisterTLSRefreshCallback(callback TLSRefreshCallback) error
	// RegisterConfigRefreshCallback registers a callback function that will
	// be called whenever there is a change in certificates, TLS config or
	// cluster encryption settings.
	RegisterConfigRefreshCallback(callback ConfigRefreshCallback) error
	// GetClientCertAuthType returns the client certificate authentication
	// type to be used by the web-server.
	// Deprecated: Use cbauth.GetTLSConfig() instead.
	GetClientCertAuthType() (tls.ClientAuthType, error)
	// GetClusterEncryptionConfig returns ClusterEncryptionConfig which indicates
	// whether the client should use SSL ports for communication and whether
	// the unencrypted (non-SSL) ports should be disabled.
	GetClusterEncryptionConfig() (ClusterEncryptionConfig, error)
	// GetTLSConfig returns TLSConfig structure which includes cipher suites,
	// min tls version, etc.
	GetTLSConfig() (TLSConfig, error)
	// GetUserUuid returns uuid for a user.
	GetUserUuid(user, domain string) (string, error)
	// GetUserBuckets returns buckets on which a user has any of the
	// following permissions to:
	// - Access documents in any collection in the bucket
	// - Access collections metadata for any scope in the bucket
	GetUserBuckets(user, domain string) ([]string, error)
	GetGuardrailStatuses() (GuardrailStatuses, error)
}
Authenticator is the main cbauth interface. It supports both incoming and outgoing auth.
var Default Authenticator
The Default variable holds the default authenticator. The default authenticator is constructed automatically from environment variables passed by ns_server. It is nil if your process was not (correctly) spawned by ns_server.
type BaseAuthenticator ¶ added in v0.1.11
type BaseAuthenticator interface {
	// AuthWebCreds method extracts credentials from given http request.
	AuthWebCreds(req *http.Request) (creds Creds, err error)
	// AuthWebCredsGeneric method extracts credentials from an HTTP request
	// that is generic (not necessarily using the net/http library)
	AuthWebCredsGeneric(req httpreq.HttpRequest) (creds Creds, err error)
	// Auth method constructs credentials from given user and password pair.
	Auth(user, pwd string) (creds Creds, err error)
}
type ClusterEncryptionConfig ¶
type ClusterEncryptionConfig cbauthimpl.ClusterEncryptionConfig
ClusterEncryptionConfig contains info about whether to use SSL ports for communication channels and whether to disable non-SSL ports.
func GetClusterEncryptionConfig ¶
func GetClusterEncryptionConfig() (ClusterEncryptionConfig, error)
type ConfigRefreshCallback ¶
type ConfigRefreshCallback cbauthimpl.ConfigRefreshCallback
ConfigRefreshCallback type describes the callback that is called when there is a change in SSL certificates or TLS Config or cluster encryption config.
type Creds ¶
type Creds interface {
	// Name method returns user name (e.g. for auditing)
	Name() string
	// Domain method returns user domain (for auditing)
	Domain() string
	// User method returns user and domain for non auditing purpose.
	User() (name, domain string)
	// IsAllowed method returns true if the permission is granted
	// for these credentials
	IsAllowed(permission string) (bool, error)
}
Creds represents credentials and answers queries about the actions these credentials are authorized to perform. Note: it will become a (possibly much) wider API in future, but its main purpose right now is to get us started.
func Auth ¶
func Auth(user, pwd string) (creds Creds, err error)
Auth constructs credentials from the given user and password pair. Uses the default authenticator.
func AuthWebCreds ¶
func AuthWebCreds(req *http.Request) (creds Creds, err error)
AuthWebCreds extracts credentials from the given http request using the default authenticator.
func AuthWebCredsGeneric ¶ added in v0.1.9
func AuthWebCredsGeneric(req httpreq.HttpRequest) (creds Creds, err error)
AuthWebCredsGeneric extracts credentials from an HTTP request that is generic (not necessarily using the net/http library).
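The incoming-auth sequence the page documents for Creds, AuthWebCreds, SendUnauthorized and SendForbidden, as an added example that is not part of cbauth. Creds is mirrored locally with the same method set as cbauth.Creds, ErrNoAuth stands in for cbauth.ErrNoAuth, the authenticator is a constructed user table, and the permission name, users and passwords are sample data invented for the example; the JSON field name in the 403 body is an assumption, not ForbiddenJSON's real format. What it shows is the distinction the helpers encode: unrecognized credentials get 401, recognized credentials without the permission get 403 with the permission named, and any backend error fails closed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Creds mirrors the method set of cbauth.Creds so the handler reads like
// cbauth-based code; it is defined here, not imported from cbauth.
type Creds interface {
	Name() string
	Domain() string
	User() (name, domain string)
	IsAllowed(permission string) (bool, error)
}

// ErrNoAuth stands in for cbauth.ErrNoAuth: credentials not recognized.
var ErrNoAuth = errors.New("credentials not recognized")

// stubCreds is a constructed Creds backed by a fixed permission set.
type stubCreds struct {
	name, domain string
	perms        map[string]bool
}

func (c stubCreds) Name() string                     { return c.name }
func (c stubCreds) Domain() string                   { return c.domain }
func (c stubCreds) User() (string, string)           { return c.name, c.domain }
func (c stubCreds) IsAllowed(p string) (bool, error) { return c.perms[p], nil }

// stubAuthenticator plays the Default authenticator's AuthWebCreds role: it
// resolves the Basic auth header against a constructed "user:password" table.
type stubAuthenticator map[string]stubCreds

func (a stubAuthenticator) AuthWebCreds(req *http.Request) (Creds, error) {
	user, pwd, ok := req.BasicAuth()
	c, found := a[user+":"+pwd]
	if !ok || !found {
		return nil, ErrNoAuth
	}
	return c, nil
}

// requirePermission wraps h with the sequence the cbauth helpers support:
// unrecognized creds -> 401 (cf. SendUnauthorized); recognized but
// unprivileged creds -> 403 with a JSON body naming the permission
// (cf. SendForbidden/ForbiddenJSON; field name assumed); backend errors -> 500.
func requirePermission(a stubAuthenticator, permission string, h http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		creds, err := a.AuthWebCreds(r)
		if errors.Is(err, ErrNoAuth) {
			w.Header().Set("WWW-Authenticate", `Basic realm="example"`) // realm constructed
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		var allowed bool
		if err == nil {
			allowed, err = creds.IsAllowed(permission)
		}
		if err != nil {
			// Fail closed: an authn/authz backend error never lets the request through.
			http.Error(w, "auth backend error", http.StatusInternalServerError)
			return
		}
		if !allowed {
			body, _ := json.Marshal(map[string][]string{"permissions": {permission}})
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusForbidden)
			w.Write(body)
			return
		}
		h(w, r)
	}
}

// probe sends one request with the given Basic auth (none when user is empty)
// through the wrapped handler and returns the resulting status code.
func probe(user, pwd string) int {
	const perm = "cluster.bucket[sample].data.docs!read" // permission name constructed for the example
	auth := stubAuthenticator{
		"alice:s3cret": {name: "alice", domain: "local", perms: map[string]bool{perm: true}},
		"bob:hunter2":  {name: "bob", domain: "local", perms: map[string]bool{}},
	}
	h := requirePermission(auth, perm, func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	req := httptest.NewRequest(http.MethodGet, "/sample", nil)
	if user != "" {
		req.SetBasicAuth(user, pwd)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(probe("", ""), probe("bob", "hunter2"), probe("alice", "s3cret")) // 401 403 200
}
```

The same handler shape applies when the real cbauth.Default authenticator supplies the Creds; only the stub types would be replaced.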
type DBStaleError ¶
type DBStaleError struct {
Err error
}
DBStaleError is the kind of error that signals that cbauth's internal state is not synchronized with ns_server yet, or no longer is.
func (*DBStaleError) Error ¶
func (e *DBStaleError) Error() string
type ExternalAuthenticator ¶ added in v0.1.11
type ExternalAuthenticator interface {
	BaseAuthenticator
	// GetNodeUuid returns UUID of the node cbauth is currently connecting to
	GetNodeUuid() (string, error)
	// GetClusterUuid returns UUID of the cluster cbauth is currently
	// connecting to
	GetClusterUuid() (string, error)
	// SetExpectedClusterUuid sets the UUID we expect the cluster to be
	SetExpectedClusterUuid(clusterUUID string) error
}
ExternalAuthenticator is the cbauth interface for external clients. It supports only incoming auth.
func GetExternalAuthenticator ¶ added in v0.1.11
func GetExternalAuthenticator() ExternalAuthenticator
type GuardrailStatuses ¶ added in v0.1.12
type GuardrailStatuses []cbauthimpl.GuardrailStatus
GuardrailStatuses contains a list of any currently breached guardrails, with their severities. Only guardrails applicable to the service are included.
func GetGuardrailStatuses ¶ added in v0.1.12
func GetGuardrailStatuses() (GuardrailStatuses, error)
type TLSConfig ¶
type TLSConfig cbauthimpl.TLSConfig
TLSConfig contains the TLS settings to be used by cbauth clients. When something in the TLS config changes, the user is notified via TLSRefreshCallback.
func GetTLSConfig ¶
GetTLSConfig returns the current TLS config, which contains cipher suites, min TLS version, etc.
type TLSRefreshCallback ¶
type TLSRefreshCallback cbauthimpl.TLSRefreshCallback
TLSRefreshCallback describes the callback for reinitializing TLSConfig when the SSL certificate or client cert auth setting changes.
type UnknownHostPortError ¶
type UnknownHostPortError string
UnknownHostPortError is returned from GetMemcachedServiceAuth and GetHTTPServiceAuth calls for unknown host:port arguments.
func (UnknownHostPortError) Error ¶
func (s UnknownHostPortError) Error() string
Directories ¶
Path | Synopsis
---|---
cbauthimpl | Package cbauthimpl contains internal implementation details of cbauth.
cmd |
cmd/cache-service | @author Couchbase <info@couchbase.com> @copyright 2016 Couchbase, Inc.
metakv | Package metakv provides simple KV API to some "metadata store".
revrpc | Package revrpc provides jsonrpc library that matches ns_server's json_rpc_connection module.
 | @author Couchbase <info@couchbase.com> @copyright 2015 Couchbase, Inc.