Local user/key authentication service

Contents

• Local user/key authentication service

  • Setup

  • EAPI methods

    • auth.key

    • auth.user

    • key.deploy

    • key.destroy

    • key.export

    • key.get

    • key.get_config

    • key.list

    • key.regenerate

    • key.undeploy

    • password.hash

    • user.create_one_time

    • user.deploy

    • user.destroy

    • user.export

    • user.get_config

    • user.list

    • user.set_password

    • user.undeploy

Local user/API key authentication service, see Authentication, authorization and accounting for more details.

Setup

Use the template EVA_DIR/share/svc-tpl/svc-tpl-aaa-localauth.yml:

# Local users and API keys service
command: svc/eva-aaa-localauth
bus:
  path: var/bus.ipc
config:
  # ACL service
  acl_svc: eva.aaa.acl
  # OTP service
  #otp_svc: eva.aaa.otp
  # allow one-time users
  one_time:
    # one-time user account expiration (sec)
    expires: 10
user: nobody

Create the service using eva-shell:

eva svc create eva.aaa.localauth /opt/eva4/share/svc-tpl/svc-tpl-aaa-localauth.yml

or using the bus CLI client:

cd /opt/eva4
cat DEPLOY.yml | ./bin/yml2mp | \
    ./sbin/bus ./var/bus.ipc rpc call eva.core svc.deploy -

(see eva.core::svc.deploy for more info)

EAPI methods

See EAPI commons for the common information about the bus, types, errors and RPC calls.

auth.key

Description	Authenticates a client using API key
Parameters	required
Returns	The method returns errors if auth is not successful

Parameters

Name	Type	Description	Required
key	String	API key value	yes
timeout	f64	Max operation timeout	no

auth.user

Description	Authenticates a client using a local user account
Parameters	required
Returns	The method returns errors if auth is not successful

Parameters

Name	Type	Description	Required
login	String	Account login	yes
password	String	Account password (plain text)	yes
timeout	f64	Max operation timeout	no

key.deploy

Description	Deploys API keys
Parameters	required
Returns	nothing

Parameters

Name	Type	Description	Required
keys	Vec<struct>	API keys (same as got in key.export)	yes

key.destroy

Description	Destroy a single API key
Parameters	required
Returns	nothing

Parameters

Name	Type	Description	Required
i	String	API key ID	yes

key.export

Description	Export API keys as a deployment
Parameters	required
Returns	API key deployment struct

Parameters

Name	Type	Description	Required
i	String	API key ID (can be mask)	yes

Return payload example:

{
    "keys": [
        {
            "acls": [
                "default"
            ],
            "id": "default",
            "key": "defaultXXX"
        }
    ]
}

key.get

Description	Get a single API key value
Parameters	required
Returns	API key ID/key value

Parameters

Name	Type	Description	Required
i	String	API key ID	yes

Return payload example:

{
    "id": "default",
    "key": "defaultXXX"
}

key.get_config

Description	Get configuration of a single API key
Parameters	required
Returns	API key configuration

Parameters

Name	Type	Description	Required
i	String	API key ID	yes

Return payload example:

{
    "acls": [
        "default"
    ],
    "id": "default",
    "key": "defaultXXX"
}

key.list

Description	List API keys
Parameters	none
Returns	List of defined API keys, they values and assigned ACLs

Return payload example:

[
    {
        "acls": [
            "admin"
        ],
        "id": "admin",
        "key": "mykey"
    },
    {
        "acls": [
            "default"
        ],
        "id": "default",
        "key": "defaultXXX"
    },
    {
        "acls": [],
        "id": "default-v3",
        "key": "default123"
    },
    {
        "acls": [
            "ui_all",
            "ui_default"
        ],
        "id": "ui",
        "key": "ij31i3j21345"
    },
    {
        "acls": [
            "ui_default"
        ],
        "id": "uid",
        "key": "YHiT172ani2KGoTUPSurSA1Rx6n7TVnL"
    }
]

key.regenerate

Description	Re-generates key value of API key
Parameters	required
Returns	API key configuration with a new key value

Parameters

Name	Type	Description	Required
i	String	API key ID	yes

Return payload example:

{
    "acls": [
        "default"
    ],
    "id": "default",
    "key": "uULa5QSORbEJX1QM3RYeC2kVwcVlg2zC"
}

key.undeploy

Description	Undeploy API keys
Parameters	required
Returns	nothing

Parameters

Name	Type	Description	Required
keys	Vec<struct/String>	API keys or a list of API key IDs	yes

password.hash

Description	Hashes the password with the requested algorithm
Parameters	required
Returns	password hash

Parameters

Name	Type	Description	Required
password	String	Plain password string string to hash	yes
algo	String	sha256, sha512 or pbkdf2	yes

Return payload example:

{
    "hash": "$1$CaqoIL8WXkDnqnwMXLeW5g==$qXQVPbRibRSomjtzKuyOePv59lx3eAQUR3yqAUS4YoE="
}

user.create_one_time

Description	Creates an one-time temporary user account, which is auto-deleted after the first login
Parameters	required
Returns	One-time account credentials

Parameters

Name	Type	Description	Required
acls	String	ACL IDs	yes
login	String	included into one-time login as OT.$login.$RANDOM	no

Return payload example:

{
    "login": "OT.test.eHlrGMgPlpqKmzTr",
    "password": "QZoz0jYRaL2BSdKc"
}

user.deploy

Description	Deploys local user accounts
Parameters	required
Returns	nothing

Parameters

Name	Type	Description	Required
users	Vec<struct>	Users (same as got in user.export, note: passwords must be sha256-hashed)	yes

user.destroy

Description	Destroy a single local user account
Parameters	required
Returns	nothing

Parameters

Name	Type	Description	Required
i	String	User login	yes

user.export

Description	Exports local user accounts as a deployment
Parameters	required
Returns	User accounts deployment struct

Parameters

Name	Type	Description	Required
i	String	Login (can be mask)	yes

Return payload example:

{
    "users": [
        {
            "acls": [
                "ui_default",
                "ui_all"
            ],
            "login": "operator",
            "password": "cd2eb0837c9b4c962c22d2ff8b5441b7b45805887f051d39bf133b583baf6860"
        }
    ]
}

user.get_config

Description	Get configuration of a single user account
Parameters	required
Returns	User account configuration

Parameters

Name	Type	Description	Required
i	String	API key ID	yes

Return payload example:

{
    "acls": [
        "ui_default",
        "ui_all"
    ],
    "login": "operator",
    "password": "cd2eb0837c9b4c962c22d2ff8b5441b7b45805887f051d39bf133b583baf6860"
}

user.list

Description	List local user accounts
Parameters	none
Returns	List of defined local user accounts, the ACLs and password hashes

Return payload example:

[
    {
        "acls": [
            "admin"
        ],
        "login": "admin",
        "password": "cd2eb0837c9b4c962c22d2ff8b5441b7b45805887f051d39bf133b583baf6860"
    },
   {
        "acls": [
            "ui_default",
            "ui_all"
        ],
        "login": "operator",
        "password": "cd2eb0837c9b4c962c22d2ff8b5441b7b45805887f051d39bf133b583baf6860"
    }
]

user.set_password

Description	Changes user’s password. Does not require the current one, so consider calling *auth.user before*
Parameters	required
Returns	nothing

Parameters

Name	Type	Description	Required
i	String	User login	yes
password	String	New password (plain text)	yes

user.undeploy

Description	Undeploy local users
Parameters	required
Returns	nothing

Parameters

Name	Type	Description	Required
users	Vec<struct/String>	User structs or a list of user logins	yes