feat: add a new basic type identity #563
Conversation
|
Let's please add a few more details about the feature to the PR description, and link to the spec (internal, I know). |
|
Just for the record, I'm pasting my little bit of research into the available sha-crypt libraries I could find. I think GehirnInc/crypt is the right choice. |
|
In the latest commit, I have fixed most comments except for the access level part and multiple identity type part. See above comment for more information. |
|
@IronCore864 Can you please merge from master now that the |
| "sort" | ||
| "strings" | ||
|
|
||
| "github.com/GehirnInc/crypt/sha512_crypt" |
There was a problem hiding this comment.
I there any reason why we use this library and not crypto/sha512 for hashing the password ?
There was a problem hiding this comment.
Yes, they're different things: crypto/sha512 is the straight SHA-512 hash algorithm, but GehirnInc/crypt/sha512_crypt implements the SHA-crypt algorithm using SHA-512 hashes and a whole bunch of "rounds" and other stuff I don't understand :-) to make it good for use with passwords (slow and secure, basically).
GehirnInc/crypt/sha512_crypt uses the stdlib's crypt/sha512 in its implementation.
| Local *LocalIdentity | ||
| Basic *BasicIdentity |
There was a problem hiding this comment.
This may have already been debated, but in the global scoped context of identities, would it not be a bit clearer that this refers to an HTTP authentication scheme specifically, and not a basic identity scheme in the generic sense? Or is that fact that this is simply a user / password mapping deliberately made available as a generic type identity? My first thoughts were BasicHTTP, BasicHTTPIdentity ...
There was a problem hiding this comment.
Yeah, in spec review with Gustavo and Harry we originally had "basic-http: ..." and other suggestions, but settled on just "basic" for brevity (not quite as explicit, I know, but it'll also potentially work with other forms of username/password auth, not just Basic HTTP. So I think we'll stick with "basic".
|
Some manual tests: 1 Two Types of Identityidentities:
bob:
access: metrics
basic:
password: $6$F9cFSVEKyO4gB1Wh$8S1BSKsNkF.jBAixGc4W7l80OpfCNk65LZBDHBng3NAmbcHuMj4RIm7992rrJ8YA.SJ0hvm.vGk2z483am4Ym1
local:
user-id: 1001$ ./pebble add-identities --from ./identity.yaml
Added 1 new identity.
$ ./pebble identities
Name Access Types
bob metrics basic,local2 No Password for Basic Typeidentities:
nancy:
access: metrics
basic:
password: 3 Invalid Access Level for Basic Typeidentities:
bob:
access: admin
basic:
password: $6$F9cFSVEKyO4gB1Wh$8S1BSKsNkF.jBAixGc4W7l80OpfCNk65LZBDHBng3NAmbcHuMj4RIm7992rrJ8YA.SJ0hvm.vGk2z483am4Ym1 |
A new "basic" type of identity and "metrics" type of access are added for the upcoming metrics feature.
To expose the upcoming metrics feature over HTTP, we need a certain level of authentication to protect the endpoint. We decided to use HTTP basic authentication for this purpose. A new type of "basic" identity needs to be implemented for this to work, and the access level would be
metrics. The basic identity looks like this:Where the password is generated by
openssl passed -6. The hashed password will be stored in the state, and when the user accesses the metrics endpoint, they need to set theAuthorizationheader accordingly. Pebble daemon will sha512 hash the password and compare it to the identity stored in the state.For more details, see the spec here.