configauth

package
v0.27.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 18, 2021 License: Apache-2.0 Imports: 7 Imported by: 19

README

Authentication configuration for receivers

This module allows server types, such as gRPC and HTTP, to be configured to perform authentication for requests and/or RPCs. Each server type is responsible for getting the request/RPC metadata and passing down to the authenticator.

The currently known authenticators:

Examples:

extensions:
  oidc:
    # see the blog post on securing the otelcol for information
    # on how to setup an OIDC server and how to generate the TLS certs
    # required for this example
    # https://medium.com/opentelemetry/securing-your-opentelemetry-collector-1a4f9fa5bd6f
    issuer_url: http://localhost:8080/auth/realms/opentelemetry
    audience: account

receivers:
  otlp/with_auth:
    protocols:
      grpc:
        endpoint: localhost:4318
        tls_settings:
          cert_file: /tmp/certs/cert.pem
          key_file: /tmp/certs/cert-key.pem
        auth:
          ## oidc is the extension name to use as the authenticator for this receiver
          authenticator: oidc

Creating an authenticator

New authenticators can be added by creating a new extension that also implements the configauth.Authenticator extension. Generic authenticators that may be used by a good number of users might be accepted as part of the core distribution, or as part of the contrib distribution. If you have interest in contributing one authenticator, open an issue with your proposal.

For other cases, you'll need to include your custom authenticator as part of your custom OpenTelemetry Collector, perhaps being built using the OpenTelemetry Collector Builder.

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DefaultGrpcStreamServerInterceptor added in v0.26.0

func DefaultGrpcStreamServerInterceptor(srv interface{}, stream grpc.ServerStream, _ *grpc.StreamServerInfo, handler grpc.StreamHandler, authenticate AuthenticateFunc) error

DefaultGrpcStreamServerInterceptor provides a default implementation of GrpcStreamInterceptorFunc, useful for most authenticators. It extracts the headers from the incoming request, under the assumption that the credentials will be part of the resulting map.

func DefaultGrpcUnaryServerInterceptor added in v0.26.0

func DefaultGrpcUnaryServerInterceptor(ctx context.Context, req interface{}, _ *grpc.UnaryServerInfo, handler grpc.UnaryHandler, authenticate AuthenticateFunc) (interface{}, error)

DefaultGrpcUnaryServerInterceptor provides a default implementation of GrpcUnaryInterceptorFunc, useful for most authenticators. It extracts the headers from the incoming request, under the assumption that the credentials will be part of the resulting map.

Types

type AuthenticateFunc added in v0.26.0

type AuthenticateFunc func(ctx context.Context, headers map[string][]string) error

AuthenticateFunc defines the signature for the function responsible for performing the authentication based on the given headers map. See Authenticator.Authenticate.

type Authentication

type Authentication struct {
	// Authenticator specifies the name of the extension to use in order to authenticate the incoming data point.
	AuthenticatorName string `mapstructure:"authenticator"`
}

Authentication defines the auth settings for the receiver

type Authenticator added in v0.12.0

type Authenticator interface {
	component.Extension

	// Authenticate checks whether the given headers map contains valid auth data. Successfully authenticated calls will always return a nil error.
	// When the authentication fails, an error must be returned and the caller must not retry. This function is typically called from interceptors,
	// on behalf of receivers, but receivers can still call this directly if the usage of interceptors isn't suitable.
	// The deadline and cancellation given to this function must be respected, but note that authentication data has to be part of the map, not context.
	Authenticate(ctx context.Context, headers map[string][]string) error

	// GrpcUnaryServerInterceptor is a helper method to provide a gRPC-compatible UnaryServerInterceptor, typically calling the authenticator's Authenticate method.
	// While the context is the typical source of authentication data, the interceptor is free to determine where the auth data should come from. For instance, some
	// receivers might implement an interceptor that looks into the payload instead.
	// Once the authentication succeeds, the interceptor is expected to call the handler.
	// See https://pkg.go.dev/google.golang.org/grpc#UnaryServerInterceptor.
	GrpcUnaryServerInterceptor(ctx context.Context, req interface{}, srvInfo *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error)

	// GrpcStreamServerInterceptor is a helper method to provide a gRPC-compatible StreamServerInterceptor, typically calling the authenticator's Authenticate method.
	// While the context is the typical source of authentication data, the interceptor is free to determine where the auth data should come from. For instance, some
	// receivers might implement an interceptor that looks into the payload instead.
	// Once the authentication succeeds, the interceptor is expected to call the handler.
	// See https://pkg.go.dev/google.golang.org/grpc#StreamServerInterceptor.
	GrpcStreamServerInterceptor(srv interface{}, stream grpc.ServerStream, srvInfo *grpc.StreamServerInfo, handler grpc.StreamHandler) error
}

Authenticator is an Extension that can be used as an authenticator for the configauth.Authentication option. Authenticators are then included as part of OpenTelemetry Collector builds and can be referenced by their names from the Authentication configuration. Each Authenticator is free to define its own behavior and configuration options, but note that the expectations that come as part of Extensions exist here as well. For instance, multiple instances of the same authenticator should be possible to exist under different names.

func GetAuthenticator added in v0.26.0

func GetAuthenticator(extensions map[config.ComponentID]component.Extension, requested string) (Authenticator, error)

GetAuthenticator attempts to select the appropriate from the list of extensions, based on the requested extension name. If an authenticator is not found, an error is returned.

type GrpcStreamInterceptorFunc added in v0.26.0

type GrpcStreamInterceptorFunc func(srv interface{}, stream grpc.ServerStream, info *grpc.StreamServerInfo, handler grpc.StreamHandler, authenticate AuthenticateFunc) error

GrpcStreamInterceptorFunc defines the signature for the function intercepting streaming gRPC calls, useful for authenticators to use as types for internal structs, making it easier to mock them in tests. See Authenticator.GrpcStreamServerInterceptor.

type GrpcUnaryInterceptorFunc added in v0.26.0

type GrpcUnaryInterceptorFunc func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler, authenticate AuthenticateFunc) (interface{}, error)

GrpcUnaryInterceptorFunc defines the signature for the function intercepting unary gRPC calls, useful for authenticators to use as types for internal structs, making it easier to mock them in tests. See Authenticator.GrpcUnaryServerInterceptor.

type MockAuthenticator added in v0.26.0

type MockAuthenticator struct {
	// AuthenticateFunc to use during the authentication phase of this mock. Optional.
	AuthenticateFunc AuthenticateFunc
}

MockAuthenticator provides a testing mock for code dealing with authentication.

func (*MockAuthenticator) Authenticate added in v0.26.0

func (m *MockAuthenticator) Authenticate(ctx context.Context, headers map[string][]string) error

Authenticate executes the mock's AuthenticateFunc, if provided, or just returns the given context unchanged.

func (*MockAuthenticator) GrpcStreamServerInterceptor added in v0.26.0

func (m *MockAuthenticator) GrpcStreamServerInterceptor(interface{}, grpc.ServerStream, *grpc.StreamServerInfo, grpc.StreamHandler) error

GrpcStreamServerInterceptor isn't currently implemented and always returns nil.

func (*MockAuthenticator) GrpcUnaryServerInterceptor added in v0.26.0

func (m *MockAuthenticator) GrpcUnaryServerInterceptor(context.Context, interface{}, *grpc.UnaryServerInfo, grpc.UnaryHandler) (interface{}, error)

GrpcUnaryServerInterceptor isn't currently implemented and always returns nil.

func (*MockAuthenticator) Shutdown added in v0.26.0

func (m *MockAuthenticator) Shutdown(ctx context.Context) error

Shutdown isn't currently implemented and always returns nil.

func (*MockAuthenticator) Start added in v0.26.0

Start isn't currently implemented and always returns nil.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL