1 parent 0a86292, commit ef294d9
Showing 3 changed files with 66 additions and 11 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
Authentication and Authorization | ||
======== | ||
|
||
## Overview | ||
Maestro supports multiple ways to authenticate and authorize users. | ||
|
||
Maestro supports Basic Auth, OAuth and also has support for delegating authentication to [Will.IAM][william] | ||
|
||
### Basic Auth | ||
|
||
To enable Basic Auth support on maestro you need to pass a non empty username and password in the config, eg: | ||
``` | ||
basicauth: | ||
username: myuser | ||
password: mypassword | ||
tryOauthIfUnset: true | ||
``` | ||
|
||
If `tryOathIfUnset` is true `maestro` will try to authenticate with `oauth` or [Will.IAM][william] when basic auth is missing. | ||
|
||
### Oauth | ||
|
||
Example config with `oauth` enabled: | ||
``` | ||
oauth: | ||
enabled: true | ||
acceptedDomains: "mydomain.com" // comma seperated list of accepted domains | ||
``` | ||
|
||
Oauth is enabled by default, you also need to set the following environment variables to be able use oauth with google: | ||
* `MAESTRO_GOOGLE_CLIENT_ID` | ||
* `MAESTRO_GOOGLE_CLIENT_SECRET` | ||
|
||
When using `Oauth` authorization is configured on a maestro level by setting a list of emails in the path `admin.users` in the config. | ||
And on scheduler lever by passing a list of emails in `authorizedUsers` key of scheduler's yaml. | ||
|
||
### William | ||
|
||
Example config with support for [Will.IAM][william] enabled: | ||
``` | ||
william: | ||
enabled: true | ||
url: mywilliamserver.mydomain.com:8080 | ||
iamName: maestro // service name registered on william | ||
region: us // region for maestro | ||
``` | ||
|
||
`maestro` will use the following permission with [Will.IAM][william]: | ||
* `ListSchedulers::{region}::{game}` | ||
* `CreateScheduler::{region}` | ||
* `GetScheduler::{region}::{game}::{scheduler}` | ||
* `UpdateScheduler::{region}::{game}::{scheduler}` | ||
* `ScaleScheduler::{region}::{game}::{scheduler}` | ||
* `DeleteScheduler::{region}::{game}::{scheduler}` | ||
|
||
When [Will.IAM][william] is enabled `maestro` will use the Bearer token to check for permissions on the configured url. | ||
If [Will.IAM][william] and `oauth` are enabled then only [Will.IAM][william] will work. | ||
|
||
[william]: https://github.com/topfreegames/will.iam |
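Review bot: the config key is spelled `tryOauthIfUnset` in the example block but `tryOathIfUnset` in the sentence explaining it; since an operator will copy whichever spelling they read first and a misspelled key is silently ignored, make both match the key the code actually reads, and say explicitly what happens when the flag is false and no basic-auth header is sent (rejected with 401, or falls through unauthenticated). The YAML examples also use `//` for inline comments (`acceptedDomains: "mydomain.com" // comma seperated list ...`, `iamName: maestro // service name ...`), which YAML does not treat as a comment, so pasting them as-is yields a value containing the `//` text; use `#` and fix "seperated". For the Will.IAM section, `url: mywilliamserver.mydomain.com:8080` has no scheme, and the doc says the Bearer token is forwarded to that URL to check permissions, so state whether `https://` is assumed or required; a plain-HTTP default here leaks every user's token on the wire. Finally, the authorization paragraph covers only the OAuth path (`admin.users`, `authorizedUsers`) and the Will.IAM path (the permission list); it should also say how a Basic Auth caller is authorized, since the shared `basicauth` credential cannot be matched against an email list. Minor: "Oauth is enabled by default" contradicts the need to set `enabled: true` in the example, "scheduler lever" should be "scheduler level", and "the following permission" should be plural.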