authn

package
v1.4.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 13, 2026 License: MIT Imports: 19 Imported by: 1

Documentation

Overview

Package authn provides AuthN API over HTTP(S)

  • Copyright (c) 2018-2025, NVIDIA CORPORATION. All rights reserved.

Package authn provides AuthN API over HTTP(S)

  • Copyright (c) 2018-2026, NVIDIA CORPORATION. All rights reserved.

Package authn provides AuthN API over HTTP(S)

  • Copyright (c) 2018-2025, NVIDIA CORPORATION. All rights reserved.

Package authn provides AuthN API over HTTP(S)

  • Copyright (c) 2018-2026, NVIDIA CORPORATION. All rights reserved.

Package authn provides AuthN API over HTTP(S)

  • Copyright (c) 2025-2026, NVIDIA CORPORATION. All rights reserved.

Index

Constants

View Source 
const (
	SigningMethodHS256 = "HS256"
	SigningMethodRS256 = "RS256"
)
View Source 
const (
	AdminRole = "Admin"
)
View Source 
const (
	MinAuthExpiration = cos.Duration(time.Minute) // minimum JWT lifetime

)

Constraints

View Source 
const (
	// SigningKeyModeExternal signals that the signing key pair is managed outside this process
	// (e.g. mounted from a secret manager or HSM). Auto-generation and API-driven
	// rotation are disabled; a missing key file is a fatal configuration error.
	SigningKeyModeExternal = "external"
)

Signing key management modes

Variables

This section is empty.

Functions

func AddRole 

func AddRole(bp api.BaseParams, roleSpec *Role) error

func AddUser 

func AddUser(bp api.BaseParams, newUser *User) error

func DeleteRole 

func DeleteRole(bp api.BaseParams, role string) error

func DeleteUser 

func DeleteUser(bp api.BaseParams, userID string) error

func GetJWKS added in v1.4.2 

func GetJWKS(bp api.BaseParams) (*json.RawMessage, error)

GetJWKS returns the raw JSON from the JWKS endpoint While it may be useful to return the parsed jwk.Set here, this avoids requiring all clients (including CLI) to include the jwx library in dependencies

func GetPublicKey added in v1.4.3 

func GetPublicKey(bp api.BaseParams) (string, error)

GetPublicKey returns the public key used by the authN signer when using asymmetric key pairs (e.g. RSA)

func LoadToken 

func LoadToken(tokenFile string) (string, error)

LoadToken retrieves the authentication token from the specified tokenFile, environment variables, or default location (CLI config).

func ParseExternalURL added in v1.4.3 

func ParseExternalURL(raw string) (*url.URL, error)

func RegisterCluster 

func RegisterCluster(bp api.BaseParams, cluSpec CluACL) error

func RevokeToken 

func RevokeToken(bp api.BaseParams, token string) error

func RotateKey added in v1.4.3 

func RotateKey(bp api.BaseParams) error

RotateKey triggers key rotation when using asymmetric keys.

func SetConfig 

func SetConfig(bp api.BaseParams, conf *ConfigToUpdate) error

func UnregisterCluster 

func UnregisterCluster(bp api.BaseParams, spec CluACL) error

func UpdateCluster 

func UpdateCluster(bp api.BaseParams, cluSpec CluACL) error

func UpdateRole 

func UpdateRole(bp api.BaseParams, roleSpec *Role) error

func UpdateUser 

func UpdateUser(bp api.BaseParams, user *User) error

Types

type BckACL 

type BckACL struct {
	Bck    cmn.Bck         `json:"bck"`
	Access apc.AccessAttrs `json:"perm,string"`
}

type CluACL 

type CluACL struct {
	ID     string          `json:"id"`
	Alias  string          `json:"alias,omitempty"`
	URLs   []string        `json:"urls,omitempty"`
	Access apc.AccessAttrs `json:"perm,string,omitempty"`
}

func GetRegisteredClusters 

func GetRegisteredClusters(bp api.BaseParams, spec CluACL) ([]*CluACL, error)

func (*CluACL) String 

func (clu *CluACL) String() string

type Config 

type Config struct {
	Server  ServerConf  `json:"auth"`
	Log     LogConf     `json:"log"`
	Net     NetConf     `json:"net"`
	Timeout TimeoutConf `json:"timeout"`
}

func GetConfig 

func GetConfig(bp api.BaseParams) (*Config, error)

func (*Config) Init added in v1.3.24 

func (c *Config) Init()

func (*Config) JspOpts 

func (*Config) JspOpts() jsp.Options

func (*Config) Secret 

func (c *Config) Secret() cmn.Censored

func (*Config) Validate added in v1.4.3 

func (c *Config) Validate() error

func (*Config) Verbose added in v1.3.18 

func (c *Config) Verbose() bool

type ConfigToUpdate 

type ConfigToUpdate struct {
	Server *ServerConfToSet `json:"auth"`
}

func (*ConfigToUpdate) Validate added in v1.4.3 

func (cu *ConfigToUpdate) Validate() error

type DatabaseConf added in v1.4.3 

type DatabaseConf struct {
	DBType   string `json:"type"`
	Filepath string `json:"filepath"`
}

type HTTPConf 

type HTTPConf struct {
	Certificate string `json:"server_crt"`
	Key         string `json:"server_key"`
	Port        int    `json:"port"`
	UseHTTPS    bool   `json:"use_https"`
}

func (*HTTPConf) Validate added in v1.4.3 

func (c *HTTPConf) Validate() error

type LogConf 

type LogConf struct {
	Dir           string       `json:"dir"`
	Level         string       `json:"level"`
	FlushInterval cos.Duration `json:"flush_interval"`
}

func (*LogConf) Validate added in v1.4.3 

func (c *LogConf) Validate() error

type LoginMsg 

type LoginMsg struct {
	ExpiresIn *time.Duration `json:"expires_in"`
	Password  string         `json:"password"`
}

type NetConf 

type NetConf struct {
	ExternalURL string   `json:"external_url"`
	HTTP        HTTPConf `json:"http"`
}

func (*NetConf) Validate added in v1.4.3 

func (c *NetConf) Validate() error

type OIDCConfiguration added in v1.4.2 

type OIDCConfiguration struct {
	Issuer                           string   `json:"issuer"`
	TokenEndpoint                    string   `json:"token_endpoint"`
	UserinfoEndpoint                 string   `json:"userinfo_endpoint,omitempty"`
	JWKSURI                          string   `json:"jwks_uri"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
}

OIDCConfiguration -- Partial implementation of OIDC spec: https://openid.net/specs/openid-connect-discovery-1_0.html

func GetOIDCConfig added in v1.4.2 

func GetOIDCConfig(bp api.BaseParams) (*OIDCConfiguration, error)

func NewOIDCConfiguration added in v1.4.2 

func NewOIDCConfiguration(base *url.URL) *OIDCConfiguration

type PubKeyMsg added in v1.4.3 

type PubKeyMsg struct {
	PublicKey string `json:"public_key"`
}

type RegisteredClusters 

type RegisteredClusters struct {
	Clusters map[string]*CluACL `json:"clusters,omitempty"`
}

type Role 

type Role struct {
	Name        string    `json:"name"`
	Description string    `json:"desc"`
	ClusterACLs []*CluACL `json:"clusters"`
	BucketACLs  []*BckACL `json:"buckets"`
	IsAdmin     bool      `json:"admin"`
}

func GetAllRoles 

func GetAllRoles(bp api.BaseParams) ([]*Role, error)

func GetRole 

func GetRole(bp api.BaseParams, roleID string) (*Role, error)

type ServerConf 

type ServerConf struct {
	Secret string `json:"secret"`
	// Default lifetime for issued JWT
	Expire cos.Duration `json:"expiration_time"`
	// Max JWT lifetime
	MaxTokenAge cos.Duration `json:"max_token_age"`
	// Only used for validating signing key public key against AIS clusters
	PubKey *string `json:"public_key"`
	// Deprecated: use signing_key.bits instead.
	RSAKeyBits int `json:"rsa_key_bits,omitempty"`
	// Config for key signing -- currently only RSA is supported
	SigningKey SigningKeyConf `json:"signing_key"`
	// Config for authN database
	DBConf DatabaseConf `json:"db"`
	// contains filtered or unexported fields
}

func (*ServerConf) Validate added in v1.4.3 

func (c *ServerConf) Validate() error

type ServerConfToSet added in v1.3.21 

type ServerConfToSet struct {
	Secret *string       `json:"secret,omitempty"`
	Expire *cos.Duration `json:"expiration_time,omitempty"`
}

type SigningKeyConf added in v1.4.5 

type SigningKeyConf struct {
	Bits int `json:"bits,omitempty"`
	// "external": key is managed outside this process; auto-generation and API rotation are disabled
	Mode string `json:"mode,omitempty"`
}

type TimeoutConf 

type TimeoutConf struct {
	Default cos.Duration `json:"default_timeout"`
}

TimeoutConf sets the default timeout for the HTTP client used by the auth manager

func (*TimeoutConf) Validate added in v1.4.3 

func (c *TimeoutConf) Validate() error

type TokenList 

type TokenList struct {
	Tokens  []string `json:"tokens"`
	Version int64    `json:"version,string"`
}

TokenList is a list of tokens pushed by authn

type TokenMsg 

type TokenMsg struct {
	Token string `json:"token"`
}

func LoginUser 

func LoginUser(bp api.BaseParams, userID, pass string, expire *time.Duration) (token *TokenMsg, err error)

Authorize a user and return a user token in case of success. The token expires in `expire` time. If `expire` is `nil` the expiration time is set by AuthN (default AuthN expiration time is 24 hours)

func (*TokenMsg) JspOpts 

func (*TokenMsg) JspOpts() jsp.Options

type User 

type User struct {
	ID       string  `json:"id"`
	Password string  `json:"pass,omitempty"`
	Roles    []*Role `json:"roles"`
}

func GetAllUsers 

func GetAllUsers(bp api.BaseParams) ([]*User, error)

func GetUser 

func GetUser(bp api.BaseParams, userID string) (*User, error)

func (*User) IsAdmin 

func (u *User) IsAdmin() bool

IsAdmin returns true if the user is an admin or super-user, i.e. the user has full access to everything.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.