This REST API service works with Ambassador on Kubernetes to authenticate and authorize clients.
It accepts any path and any method, and checks the Authorization header of the HTTP request. In this version, Bearer Token authorization and Basic authorization are accepted.
The authorization and authentication flow is as follows:
- If the request host does not match any `host`, this service responds 403 Forbidden.
- If the request path matches one of the `no_auths.allowed_paths` associated with the host, this service responds 200 OK.
- If the request host matches but the Authorization header does not exist, this service always responds 401 Unauthorized.
- If the Bearer Token does not exist in the `bearer_tokens` associated with the host, this service responds 401 Unauthorized.
- If the Bearer Token exists but the requested path does not match any of the `bearer_tokens[?].allowed_paths` associated with the host and token, this service responds 403 Forbidden.
- If the username/password pair does not exist in the `basic_auths` associated with the host, this service responds 401 Unauthorized.
- If a valid username and password exist but the requested path does not match any of the `basic_auths[?].allowed_paths` associated with the host and user, this service responds 403 Forbidden.
- Otherwise, this service responds 200 OK.
This REST API service is assumed to work with Ambassador on Kubernetes.
- Set your tokens as JSON like below. `host` and `allowed_paths` accept regular expressions.
[
  {
    "host": "<<1st_FQDN_regex>>",
    "settings": {
      "bearer_tokens": [
        {
          "token": "<<token1>>",
          "allowed_paths": ["<<allowed_path1_regex>>", "<<allowed_path2_regex>>", ...]
        }, {
          ...
        }
      ],
      "basic_auths": [
        {
          "username": "<<user1>>",
          "password": "<<password_of_user1>>",
          "allowed_paths": ["<<allowed_path1_regex>>", "<<allowed_path2_regex>>", ...]
        }, {
          ...
        }
      ],
      "no_auths": {
        "allowed_paths": ["<<allowed_path1_regex>>", "<<allowed_path2_regex>>", ...]
      }
    }
  },
  {
    "host": "<<2nd_FQDN_regex>>",
    "settings": {
      ...
    }
  }
]
example:
[
  {
    "host": "^api\\..+$",
    "settings": {
      "bearer_tokens": [
        {
          "token": "cTHMfPsSDbPd8y4TcsiNg2CnI0Y5mpfl",
          "allowed_paths": ["^/path1/.*$", "^/path2/\\d+/.*.*$"]
        },
        {
          "token": "Q0H83rnkIUVPSnoQb9UpZkEXIb42b5x9",
          "allowed_paths": ["^/path1/.*$"]
        }
      ],
      "basic_auths": [],
      "no_auths": {}
    }
  },
  {
    "host": "^web\\..+$",
    "settings": {
      "bearer_tokens": [],
      "basic_auths": [
        {
          "username": "admin",
          "password": "0YziWgALc6PCXgwt4rn8qVxX6iANBRvl",
          "allowed_paths": ["^/management/users/$", "^/management/pages/.*$"]
        },
        {
          "username": "user1",
          "password": "0YziWgALc6PCXgwt4rn8qVxX6iANBRvl",
          "allowed_paths": ["^/management/pages/.*$"]
        }
      ],
      "no_auths": {
        "allowed_paths": ["^.*/static/.*$"]
      }
    }
  }
]
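To make the flow described above and the JSON layout concrete, here is an added Go example (written for this page; it is not the project's own code) that parses a constructed configuration in that shape and returns the status code the flow prescribes for one request. It assumes the header formats `Bearer <token>` and `Basic <base64(user:password)>`, compares secrets in constant time, and (an assumption the README does not state) answers 401 for any other scheme; the sample token and password are placeholders.

```go
package main

import (
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// rule is one bearer_tokens, basic_auths or no_auths entry (unused fields stay empty).
type rule struct {
	Token        string   `json:"token"`
	Username     string   `json:"username"`
	Password     string   `json:"password"`
	AllowedPaths []string `json:"allowed_paths"`
}

// Config mirrors the JSON layout above: one entry per host regexp.
type Config []struct {
	Host     string `json:"host"`
	Settings struct {
		BearerTokens []rule `json:"bearer_tokens"`
		BasicAuths   []rule `json:"basic_auths"`
		NoAuths      rule   `json:"no_auths"`
	} `json:"settings"`
}

// sampleConfig is a constructed sample in the README's shape; the token and password are placeholders.
const sampleConfig = `[
 {"host": "^api\\..+$", "settings": {
  "bearer_tokens": [{"token": "SAMPLE_TOKEN_A", "allowed_paths": ["^/path1/.*$", "^/path2/\\d+/.*$"]}],
  "basic_auths": [], "no_auths": {}}},
 {"host": "^web\\..+$", "settings": {"bearer_tokens": [],
  "basic_auths": [{"username": "admin", "password": "SAMPLE_PASSWORD",
   "allowed_paths": ["^/management/users/$", "^/management/pages/.*$"]}],
  "no_auths": {"allowed_paths": ["^.*/static/.*$"]}}}]`

// LoadConfig parses the document read from AUTH_TOKENS or the AUTH_TOKENS_PATH file.
func LoadConfig(data []byte) (Config, error) {
	var cfg Config
	err := json.Unmarshal(data, &cfg)
	return cfg, err
}

// matchAny reports whether s matches one of the regexps; an invalid pattern counts as
// non-matching, so a typo in allowed_paths fails closed rather than open.
func matchAny(patterns []string, s string) bool {
	for _, p := range patterns {
		if re, err := regexp.Compile(p); err == nil && re.MatchString(s) {
			return true
		}
	}
	return false
}

// equal compares secrets in constant time so response timing does not leak matching prefixes.
func equal(a, b string) bool {
	return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1
}

// decide applies the rule both schemes share: unknown credential -> 401, known credential whose allowed_paths do not match -> 403, otherwise 200.
func decide(rules []rule, known func(rule) bool, path string) int {
	for _, r := range rules {
		if known(r) {
			if matchAny(r.AllowedPaths, path) {
				return http.StatusOK
			}
			return http.StatusForbidden
		}
	}
	return http.StatusUnauthorized
}

// Authorize returns the status the flow above prescribes for one request.
func Authorize(cfg Config, host, path, authz string) int {
	for _, h := range cfg {
		if !matchAny([]string{h.Host}, host) {
			continue
		}
		s := h.Settings
		if matchAny(s.NoAuths.AllowedPaths, path) {
			return http.StatusOK // public path, no credentials needed
		}
		if strings.HasPrefix(authz, "Bearer ") {
			token := strings.TrimPrefix(authz, "Bearer ")
			return decide(s.BearerTokens, func(r rule) bool { return equal(r.Token, token) }, path)
		}
		if strings.HasPrefix(authz, "Basic ") {
			// A decode error leaves garbage that cannot equal a configured pair, so it ends as 401.
			raw, _ := base64.StdEncoding.DecodeString(strings.TrimPrefix(authz, "Basic "))
			user, pass, _ := strings.Cut(string(raw), ":")
			return decide(s.BasicAuths, func(r rule) bool {
				return equal(r.Username, user) && equal(r.Password, pass)
			}, path)
		}
		return http.StatusUnauthorized // header missing (assumed: or an unsupported scheme)
	}
	return http.StatusForbidden // host matches no entry
}

// BasicHeader builds the value a client sends for Basic authorization.
func BasicHeader(user, pass string) string {
	return "Basic " + base64.StdEncoding.EncodeToString([]byte(user+":"+pass))
}

func main() {
	cfg, err := LoadConfig([]byte(sampleConfig))
	fmt.Println(err, Authorize(cfg, "api.example.com", "/path2/12/x", "Bearer SAMPLE_TOKEN_A")) // <nil> 200
}
```

Note the order of the checks: `no_auths.allowed_paths` is consulted before any credential, and a known credential on a path outside its `allowed_paths` yields 403 rather than 401, which is what distinguishes "who are you" from "you may not go there" in the flow above.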
- You can set your tokens as an environment variable (`AUTH_TOKENS`) or as a JSON file path (`AUTH_TOKENS_PATH`).
- When you use the environment variable, set your JSON string as `AUTH_TOKENS`. After this program starts, changes to the environment variable are not applied.
- When you use the JSON file, set your JSON file path as `AUTH_TOKENS_PATH`. When you change the JSON file, the change is applied even if this program has already started.
- Pull the container roboticbase/fiware-ambassador-auth from DockerHub.
  $ docker pull roboticbase/fiware-ambassador-auth
- Run the container.
  - If you want to change the exposed port, set the `LISTEN_PORT` environment variable.
  - Run the container using an environment variable:
    $ docker run -d -e AUTH_TOKENS="$(cat auth-tokens.json)" -e LISTEN_PORT=3000 -p 3000:3000 roboticbase/fiware-ambassador-auth:0.3.0
  - Run the container using a JSON file (the file must be readable inside the container at that path, for example by mounting it with `-v`):
    $ docker run -d -e AUTH_TOKENS_PATH="$(pwd)/auth-tokens.json" -e LISTEN_PORT=3000 -p 3000:3000 roboticbase/fiware-ambassador-auth:0.3.0
- go get
  $ go get -u github.com/RoboticBase/fiware-ambassador-auth
  $ cd ${GOPATH}/src/github.com/RoboticBase/fiware-ambassador-auth
- install dependencies
  $ go get -u github.com/golang/dep/cmd/dep
  $ dep ensure
- go install
  $ go install github.com/RoboticBase/fiware-ambassador-auth
- run service
  $ env LISTEN_PORT=3000 ${GOPATH}/bin/fiware-ambassador-auth
Copyright (c) 2018-2019 TIS Inc.