-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
commit 3a1fca1 Author: Ľubomír Wassermann <76479559+lubomirw@users.noreply.github.com> Date: Tue Oct 25 06:34:45 2022 +0200 Update README.md
- Loading branch information
Showing
1 changed file
with
2 additions
and
60 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,61 +1,3 @@ | ||
| # CZERTAINLY Auth Service | ||
| # CONCZERT PLAYGROUND - CZERTAINLY Auth Service | ||
|
|
||
| > This repository is part of the commercial open source project CZERTAINLY. You can find more information about the project at [CZERTAINLY](https://github.com/3KeyCompany/CZERTAINLY) repository, including the contribution guide. | ||
| `Auth` service is designed as a central service for managing access control to different resources and related actions and objects, and identify users based on identification token. | ||
|
|
||
| `Auth` service offers the following functionality: | ||
| - identification of user | ||
| - management of roles | ||
| - management of users and their roles membership | ||
| - management of resources and related actions | ||
| - management of role permissions for specific resources and related actions | ||
| - issuing authorization tokens | ||
|
|
||
| User can belong to multiple roles and permissions are merged in this case from all assigned roles. | ||
|
|
||
| > **Note** | ||
| > The authorization is performed by the OPA. The `Auth` service manages users, roles, and associated permissions that can be assigned to users. | ||
| ## Authentication flow | ||
|
|
||
| Users can be identified based on identification token provided in this order: | ||
| 1. X.509 certificate | ||
| 2. JSON ID | ||
| 3. Username of system user | ||
|
|
||
| After successful identification, user details with its merged role permissions is returned. If none of the above specified data is present, user is identified as **anonymous** user with limited permissions. | ||
|
|
||
| ### X.509 certificate | ||
|
|
||
| When identifying user with certificate, its content string is decoded and parsed. | ||
| Afterwards it is verified if it is valid and trusted. | ||
|
|
||
| Then, based on its fingerprint, it is mapped to user from database and return authentication response. | ||
| The certificate can be assigned to maximum of 1 user. | ||
|
|
||
| ### JSON ID | ||
|
|
||
| When identifying user with JSON ID, it is decoded and must conform to the required structure. | ||
| Username specified in the JSON ID is used as unique information based on which user is identified. | ||
|
|
||
| `Auth` service can be further configured to create user or role, if it does not exist. | ||
|
|
||
| ### Username of system user | ||
|
|
||
| Username is used only for internal identification of system users to elevate permissions and perform actions that are otherwise subject to authorization. This is not exposed for the external systems. | ||
|
|
||
| ## Authorization | ||
|
|
||
| This service does not evaluate permissions. | ||
| The authorization is controlled by the [Open Policy Agent](https://www.openpolicyagent.org/). For more information, refer to [CZERTAINLY Documentation](https://docs.czertainly.com/docs/concept-design/architecture/access-control). | ||
|
|
||
| ## Docker container | ||
|
|
||
| `Auth` service is provided as a Docker container. Use the `3keycompany/czertainly-auth:tagname` to pull the required image from the repository. It can be configured using the following environment variables: | ||
|
|
||
| | Variable | Description | Required | Default value | | ||
| |------------------------------|----------------------------------------------------------------------------------------------------|----------------------------------------------------|---------------| | ||
| | `AUTH_DB_CONNECTION_STRING` | Connection string for database access |  | `N/A` | | ||
| | `AUTH_CREATE_UNKNOWN_USERS` | Unknown user with username specified in JSON authentication token will be created |  | `false` | | ||
| | `AUTH_CREATE_UNKNOWN_ROLES` | Unknown role with name specified in JSON authentication token will be created and assigned to user |  | `false` | | ||
| > This repository is part of the commercial open source project CZERTAINLY. You can find more information about the project at [CZERTAINLY](https://github.com/3KeyCompany/CZERTAINLY) repository, including the contribution guide. |