
package server

import ""


Package Files

api_server.go config.go oidc.go saml.go


const (
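    // DisableAuthenticationEnvVar specifies an environment variable that, if set, causes
    // Pachyderm authentication to ignore GitHub and automatically generate a
    // Pachyderm token for any username in the AuthenticateRequest.GitHubToken field.
    // With it set, the supplied username is not verified, so any caller can obtain a
    // token for any user; it is suitable only for test clusters. (The constant's
    // declaration itself is not shown in this listing.)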

    // SamlPort is the port where SAML ID Providers can send auth assertions
    SamlPort = 654

    // OidcPort is the port where OIDC ID Providers can send auth assertions
    OidcPort = 657


var DefaultAuthConfig = auth.AuthConfig{
    LiveConfigVersion: 1,
    IDProviders: []*auth.IDProvider{
            Name:        "GitHub",
            Description: "oauth-based authentication with",
            GitHub:      &auth.IDProvider_GitHubOptions{},

DefaultAuthConfig is the default config for the auth API server

var DefaultDashRedirectURL = &url.URL{
    Scheme: "http",
    Host:   "localhost:30080",

    Path: path.Join("/", "auth", "autologin"),

DefaultDashRedirectURL is the default URL used for redirecting the dashboard. It points at plain http on localhost:30080, so it only fits a dashboard reached locally.

func CryptoString Uses

func CryptoString(n int) string

CryptoString returns a cryptographically random, URL safe string with length at least n

TODO(msteffen): move away from UUIDv4 towards this (current implementation of UUIDv4 produces UUIDs via CSPRNG, but the UUIDv4 spec doesn't guarantee that behavior, and we shouldn't assume it going forward)

func GitHubTokenToUsername Uses

func GitHubTokenToUsername(ctx context.Context, oauthToken string) (string, error)

GitHubTokenToUsername takes an OAuth access token issued by GitHub and uses it to discover the username of the user who obtained the code (or verify that the code belongs to githubUsername). This is how Pachyderm currently implements authorization in a production cluster.

type APIServer Uses

type APIServer interface {

APIServer represents an auth api server

func NewAuthServer Uses

func NewAuthServer(
    env *serviceenv.ServiceEnv,
    txnEnv *txnenv.TransactionEnv,
    etcdPrefix string,
    public bool,
) (APIServer, error)

NewAuthServer returns an implementation of auth.APIServer.

type InternalOIDCProvider Uses

type InternalOIDCProvider struct {

    // Prefix indicates the user-specified name given to this ID provider in the
    // Pachyderm auth config (i.e. taken from the IDP.Name field)
    Prefix string

    // Provider generates the ID provider login URL returned by GetOIDCLogin
    Provider *oidc.Provider

    // Issuer is the address of the OIDC ID provider (where we exchange
    // authorization codes for access tokens and get users' email addresses in
    // Authorize())
    Issuer string

    // ClientID is Pachyderm's identifier in the OIDC ID provider (generated by
    // the ID provider, and passed to Pachyderm by the cluster administrator via
    // SetConfig)
    ClientID string

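    // ClientSecret is a shared secret with the ID provider, for doing the
    // auth-code -> access-token exchange. It is a credential: keep it out of
    // logs, error messages and API responses (as an exported string field it
    // is included by default when the struct is printed or serialized).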
    ClientSecret string

    // RedirectURI is used by GetOIDCLogin to generate a login URL that redirects
    // users back to Pachyderm (must be provided by the cluster administrator via
    // SetConfig, as only they know their network topology & Pachyderm's address
    // within it, and must be included in login URLs)
    RedirectURI string

    // States is an etcd collection containing the state information associated
    // with every in-progress authentication session. /authorization-code/callback
    // places users' ID tokens in here when they authenticate successfully, and
    // Authenticate() retrieves those ID tokens, converts them to Pachyderm
    // tokens, and returns users' Pachyderm tokens back to them--all scoped to the
    // OIDC state token identifying the login session. The state token therefore
    // acts as a bearer secret for that session and must be unguessable.
    States col.Collection
    // contains filtered or unexported fields

InternalOIDCProvider contains information about the configured OIDC ID provider, as well as auth information identifying Pachyderm in the ID provider (ClientID and ClientSecret), which Pachyderm needs to perform authorization with it.

func (*InternalOIDCProvider) GetOIDCLoginURL Uses

func (o *InternalOIDCProvider) GetOIDCLoginURL(ctx context.Context) (string, string, error)

GetOIDCLoginURL uses the given state to generate a login URL for the OIDC provider object

func (*InternalOIDCProvider) OIDCStateToEmail Uses

func (o *InternalOIDCProvider) OIDCStateToEmail(ctx context.Context, state string) (email string, retErr error)

OIDCStateToEmail takes the state token created for the OIDC session and uses it to discover the email of the user who obtained the code (or verify that the code belongs to them). This is how Pachyderm currently implements OIDC authorization in a production cluster.

Package server imports 44 packages and is imported by 4 packages. Updated 2020-08-09.