Implement an authenticator based on the domain socket peer credential #200
Labels: multitenancy (Getting Parsec to provide isolated key stores for multiple clients based on an identity mechanism)
Summary
Implement a new front-end authenticator module that uses domain socket peer credentials to deduce and validate the client application identity.
Rationale
In the specific case where a domain socket is being used as the transport, and a peer property (such as UID, GID or PID) is a sufficient differentiator for the application identity, this allows for a simple means of identity management without a separate identity provider component.
Constraints
This authenticator can only be used with domain socket transport, because the notion of peer credentials only exists in that case. It can also only be used when some aspect of the peer credential is a suitable token of application identity. (Typically this would be the UID, but it could also be the GID - theoretically even the PID, although in practice this is probably far too volatile to be useful).
Details
Requires the following:
- A value for the `auth_type` field in the wire protocol identifying this authenticator.
- A definition of what the `authentication` header contains when using this auth type.
- Changes to `DomainSocketListener` so that it can obtain peer credentials from the system. This might mean using a different UDS library, because it looks like the standard Rust `UnixListener` does not provide access to the peer credential.
Definition of Done
It is possible to create a demo deployment where at least two distinct client applications, running as different users, can both create and use a Parsec key with the same name. It is also possible to show that a request will be rejected if the client attempts to spoof its UID in the auth header of the request.
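As an added example (not Parsec's own code, and not the implementation this issue asks for), the block below shows the two halves of what the Details and Definition of Done sections describe: reading the peer credential of an accepted domain socket connection, and an authenticator that rejects a request whose header claims a UID different from the one the kernel reports. It keeps the standard `UnixListener` and reads the credential with a raw `getsockopt(SO_PEERCRED)` call on the accepted stream's file descriptor; the `libc`-style bindings are declared by hand so no external crate is needed. Assumptions: Linux (the `SOL_SOCKET`/`SO_PEERCRED` constants and the `ucred` layout are the Linux ones), and a hypothetical header format in which the client sends its UID as decimal ASCII; the names `PeerCred`, `peer_credentials`, `authenticate` and `loopback_credentials` are this example's, not Parsec's.

```rust
// Added example, not Parsec code: SO_PEERCRED lookup plus a UID-checking authenticator.
use std::io;
use std::mem;
use std::os::unix::io::AsRawFd;
use std::os::unix::net::{UnixListener, UnixStream};

/// Mirror of the Linux `struct ucred` that SO_PEERCRED fills in.
#[repr(C)]
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct PeerCred {
    pub pid: i32,
    pub uid: u32,
    pub gid: u32,
}

// Hand-declared libc bindings (assumption: Linux values for the constants).
const SOL_SOCKET: i32 = 1;
const SO_PEERCRED: i32 = 17;

extern "C" {
    fn getsockopt(fd: i32, level: i32, name: i32, val: *mut PeerCred, len: *mut u32) -> i32;
    fn getuid() -> u32;
    fn getpid() -> i32;
}

/// Ask the kernel who is on the other end of a connected domain socket.
/// This is authoritative: the peer cannot influence what the kernel returns.
pub fn peer_credentials(stream: &UnixStream) -> io::Result<PeerCred> {
    let mut cred = PeerCred { pid: 0, uid: 0, gid: 0 };
    let mut len = mem::size_of::<PeerCred>() as u32;
    let rc = unsafe { getsockopt(stream.as_raw_fd(), SOL_SOCKET, SO_PEERCRED, &mut cred, &mut len) };
    if rc != 0 {
        return Err(io::Error::last_os_error());
    }
    if len as usize != mem::size_of::<PeerCred>() {
        return Err(io::Error::new(io::ErrorKind::InvalidData, "unexpected ucred size"));
    }
    Ok(cred)
}

#[derive(Debug, PartialEq, Eq)]
pub enum AuthError {
    MalformedHeader,
    UidMismatch { claimed: u32, actual: u32 },
}

/// Hypothetical header layout (assumption): the UID as decimal ASCII.
/// The header is never trusted on its own; the request is accepted only when the
/// claimed UID equals the kernel-reported one, and the resulting application
/// identity is built from the kernel value, not from the header.
pub fn authenticate(auth_header: &[u8], cred: &PeerCred) -> Result<String, AuthError> {
    let claimed: u32 = std::str::from_utf8(auth_header)
        .ok()
        .and_then(|s| s.trim().parse().ok())
        .ok_or(AuthError::MalformedHeader)?;
    if claimed != cred.uid {
        return Err(AuthError::UidMismatch { claimed, actual: cred.uid });
    }
    Ok(format!("uid:{}", cred.uid))
}

/// Bind a listener in the temp dir, connect to it from this same process, and
/// return the server-side view of the client's credentials.
pub fn loopback_credentials() -> io::Result<PeerCred> {
    let path = std::env::temp_dir().join(format!("peercred-demo-{}.sock", current_pid()));
    let _ = std::fs::remove_file(&path);
    let listener = UnixListener::bind(&path)?;
    let _client = UnixStream::connect(&path)?;
    let (server_side, _) = listener.accept()?;
    let cred = peer_credentials(&server_side);
    let _ = std::fs::remove_file(&path);
    cred
}

pub fn current_uid() -> u32 {
    unsafe { getuid() }
}

pub fn current_pid() -> i32 {
    unsafe { getpid() }
}

fn main() -> io::Result<()> {
    let cred = loopback_credentials()?;
    println!("kernel-reported peer credentials: {:?}", cred);
    // Honest client: header matches the kernel's view.
    println!("honest header -> {:?}", authenticate(cred.uid.to_string().as_bytes(), &cred));
    // Spoofing client: header claims some other UID and is rejected.
    let spoofed = cred.uid.wrapping_add(1).to_string();
    println!("spoofed header -> {:?}", authenticate(spoofed.as_bytes(), &cred));
    Ok(())
}
```

The loopback demo only shows one user talking to itself; the two-user deployment in the Definition of Done is what exercises the key-store isolation, but the check that matters for spoofing is the same comparison against the kernel-supplied `uid`. Note that SO_PEERCRED reports the credentials in effect when the peer called `connect`, so a service that wants to re-validate long-lived connections should not assume they change if the client later drops privileges.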