aaasvc

command module
v0.0.0-...-d389ac1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 12, 2024 License: Apache-2.0 Imports: 1 Imported by: 0

README

Choria AAA Service

Overview

Choria is traditionally a loosely coupled system with very few central components. When a user makes a RPC request the request has a public certificate attached and every single node they interact with does RBAC.

That default deployment method has no dependencies per request and scales very well but it can be difficult to manage, rotate and audit who has access credentials. This package provides a system that issues short-lived JWT tokens and authorize and audit each request centrally prior to communicating with any fleet nodes.

The main motivation is to avoid the problems caused by having to do Certificate Management and Fleet wide static Action Policies for every user, instead you have a central login and central authority who does AAA for every request. This is more appropriate to the typical Enterprise environment.

With this deployed the workflow becomes:

$ choria ping
FATA[0000] Could not run Choria: could not perform request: error from remote signer: Request denied

$ mco login
Username (rip):
Password:
Token saved to /home/user/.choria/client.jwt

$ choria ping
...
---- ping statistics ----
19 replies max: 161.60 min: 131.23 avg: 151.21

The token is valid for a configurable period after which time another choria login will be required. Users are able to perform only the actions that they are entitled. Users have no SSL certificates of their own - a system-wide certificate might be needed to connect to middleware if configured to require TLS.

Go Report Card CodeQL Unit Tests

Documentation

The Go Gopher

There is no documentation for this package.

Source Files

View all Source files

Directories

Path Synopsis
api
gen/models
gen/restapi
Package restapi Choria Central Signing Service
 Package restapi Choria Central Signing Service
gen/restapi/operations
jetstream
Package jetstream implements a auditor that publishes audit logs to NATS JetStream
 Package jetstream implements a auditor that publishes audit logs to NATS JetStream
logfile
Package logfile is a auditor that simply logs to a file
 Package logfile is a auditor that simply logs to a file
notification
userlist
Package userlist provide a static configuration based authentication system
 Package userlist provide a static configuration based authentication system
actionlist
Package actionlist is a Authorizer that looks at specific claims in a JWT token and allow requests based on the approved list of actions.
 Package actionlist is a Authorizer that looks at specific claims in a JWT token and allow requests based on the approved list of actions.
opa
Package opa is a Authorizer that reads Open Policy Agent Rego policies from a `opa_policy` claim in a JWT token and allow requests based on evaluation of the policy
 Package opa is a Authorizer that reads Open Policy Agent Rego policies from a `opa_policy` claim in a JWT token and allow requests based on evaluation of the policy
basicjwt
Package basicjwt is a signer that parse a JWT token and approves requests based on the claims within it.
 Package basicjwt is a signer that parse a JWT token and approves requests based on the claims within it.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.