v.io: v.io/x/ref/services/identity/identityd Files

Command identityd

Command identityd runs a daemon HTTP server that uses OAuth to create security.Blessings objects.

Starts an HTTP server that brokers blessings after authenticating through OAuth.

To generate TLS certificates so the HTTP server can use SSL:

go run $(go list -f {{.Dir}} "crypto/tls")/generate_cert.go --host <IP address>

To use Google as an OAuth provider the -google-config-web flag must be set to point to the a JSON file obtained after registering the application with the Google Developer Console at https://cloud.google.com/console

More details on Google OAuth at:

https://developers.google.com/accounts/docs/OAuth2Login

More details on the design of identityd at:

https://vanadium.github.io/designdocs/identity-service.html

Usage:

identityd [flags]

The identityd flags are:

-app-blessings=
  Path to a file containing base64url-vom encoded blessings that will be
  extended with an application identifier and the username of the requestor
  (i.e., a user using a specific app)
-assets-prefix=
  Host serving the web assets for the identity server.
-discharger-location=
  The name of the discharger service. May be rooted. If empty, the published
  name is used.
-external-http-addr=
  External address on which the HTTP server listens on.  If none is provided
  the server will only listen on -http-addr.
-google-config-web=
  Path to JSON-encoded OAuth client configuration for the web application that
  renders the audit log for blessings provided by this provider.
-http-addr=localhost:8125
  Address on which the HTTP server listens on.
-mount-prefix=identity
  Mount name prefix to use.  May be rooted.
-registered-apps=
  Path to the config file for registered oauth clients.
-sql-config=
  Path to configuration file for MySQL database connection. Database is used to
  persist blessings for auditing and revocation. File must contain a JSON
  object of the following form:
     {
      "dataSourceName": "[username[:password]@][protocol[(address)]]/dbname", (the connection string required by go-sql-driver; database name must be specified, query parameters are not supported)
      "tlsDisable": "false|true", (defaults to false; if set to true, uses an unencrypted connection; otherwise, the following fields are mandatory)
      "tlsServerName": "serverName", (the domain name of the SQL server for TLS)
      "rootCertPath": "[/]path/server-ca.pem", (the root certificate of the SQL server for TLS)
      "clientCertPath": "[/]path/client-cert.pem", (the client certificate for TLS)
      "clientKeyPath": "[/]path/client-key.pem" (the client private key for TLS)
     }
  Paths must be either absolute or relative to the configuration file
  directory.
-tls-config=
  Comma-separated list of TLS certificate and private key files, in that order.
  This must be provided.
-user-blessings=
  Path to a file containing base64url-vom encoded blessings that will be
  extended with the username of the requestor.

The global flags are:

-alsologtostderr=true
  log to standard error as well as files
-log_backtrace_at=:0
  when logging hits line file:N, emit a stack trace
-log_dir=
  if non-empty, write log files to this directory
-logtostderr=false
  log to standard error instead of files
-max_stack_buf_size=4292608
  max size in bytes of the buffer to use for logging stack traces
-metadata=<just specify -metadata to activate>
  Displays metadata for the program and exits.
-stderrthreshold=2
  logs at or above this threshold go to stderr
-time=false
  Dump timing information to stderr before exiting the program.
-v=0
  log level for V logs
-v23.credentials=
  directory to use for storing security credentials
-v23.i18n-catalogue=
  18n catalogue files to load, comma separated
-v23.namespace.root=[/(dev.v.io:r:vprod:service:mounttabled)@ns.dev.v.io:8101]
  local namespace root; can be repeated to provided multiple roots
-v23.permissions.file=
  specify a perms file as <name>:<permsfile>
-v23.permissions.literal=
  explicitly specify the runtime perms as a JSON-encoded access.Permissions.
  Overrides all --v23.permissions.file flags
-v23.proxy=
  object name of proxy service to use to export services across network
  boundaries
-v23.proxy.limit=0
  max number of proxies to connect to when the policy is to connect to all
  proxies; 0 implies all proxies
-v23.proxy.policy=
  policy for choosing from a set of available proxy instances
-v23.tcp.address=
  address to listen on
-v23.tcp.protocol=
  protocol to listen with
-v23.virtualized.advertise-private-addresses=
  if set the process will also advertise its private addresses
-v23.virtualized.disallow-native-fallback=false
  if set, a failure to detect the requested virtualization provider will result
  in an error, otherwise, native mode is used
-v23.virtualized.dns.public-name=
  if set the process will use the supplied dns name (and port) without
  resolution for its entry in the mounttable
-v23.virtualized.docker=
  set if the process is running in a docker container and needs to configure
  itself differently therein
-v23.virtualized.provider=
  the name of the virtualization/cloud provider hosting this process if the
  process needs to configure itself differently therein
-v23.virtualized.tcp.public-address=
  if set the process will use this address (resolving via dns if appropriate)
  for its entry in the mounttable
-v23.virtualized.tcp.public-protocol=
  if set the process will use this protocol for its entry in the mounttable
-v23.vtrace.cache-size=1024
  The number of vtrace traces to store in memory
-v23.vtrace.collect-regexp=
  Spans and annotations that match this regular expression will trigger trace
  collection
-v23.vtrace.dump-on-shutdown=true
  If true, dump all stored traces on runtime shutdown
-v23.vtrace.sample-rate=0
  Rate (from 0.0 to 1.0) to sample vtrace traces
-v23.vtrace.v=0
  The verbosity level of the log messages to be captured in traces
-vmodule=
  comma-separated list of globpattern=N settings for filename-filtered logging
  (without the .go suffix).  E.g. foo/bar/baz.go is matched by patterns baz or
  *az or b* but not by bar/baz or baz.go or az or b.*
-vpath=
  comma-separated list of regexppattern=N settings for file pathname-filtered
  logging (without the .go suffix).  E.g. foo/bar/baz.go is matched by patterns
  foo/bar/baz or fo.*az or oo/ba or b.z but not by foo/bar/baz.go or fo*az

Package Files

doc.go main.go

Package main imports 23 packages (graph). Updated 2020-10-22. Refresh now. Tools for package owners.