Authentication

[alftester]

Hi. I am looking at the requirements for permission levels in our environment.
"The SDK will support three permission levels for the physical Mesh object model – no access, read-only and read and write access. "

I have currently not edited any fields in the _authentication.py.
So far it looks like I have permission to do all operations, read/write.

Is there a way to check if Authentication and authorization are enabled on the Mesh server?
FYI @gurosatherHeco

[tnoczyns-volue]

Hi,

Please check "Grpc" section in Mesh configuration file: mesh.json.
Authorization requires enabled Kerberos and TLS certificates.

  "Grpc": {
    "Kerberos": true,
    "Address": "[::]:50051",
    "Authorization": {
      "GroupsFile": "...",
    },
    "Tls": {
      "CertificatePath": "...",
      "CertificateKeyPath": "..."
    }
  },

GroupsFile should be a path to a JSON file mapping active
directory group names to a list of authorization scopes. For example:

{
  "domain.com\\Mesh Users": ["(time_series, read)", "(model, read)"],
  "domain.com\\Mesh Admins": [
    "(time_series, create)",
    "(time_series, read)",
    "(time_series, update)",
    "(time_series, delete)",
    "(model, create)",
    "(model, read)",
    "(model, update)",
    "(model, delete)"
  ]
}

Most likely currently you are running without Kerberos and TLS.
If Mesh server was configured to use TLS you won't be able to connect to it without TLS from the client side. So if you are able to run normal examples, like the simplest one get_version.py and you're getting correct response it means Mesh is running without TLS and Kerberos.

To get familiar with this functionality I'd suggest:

• Reading this: https://vigilant-eureka-e3845ca2.pages.github.io/authentication.html
• First enabling just TLS (this requires TLS certificates) in Mesh server.
• Making a client call to server using TLS.
• If above works correctly then enabling also Kerberos in Mesh server and setting authorization groups file.
• Checking authorization.py example.

Please note that creating TLS certificates and configuring Kerberos depends heavily on your environment, IT policies, etc. and would need involvement from IT operations.

[alftester]

Thank you for the detailed and rewarding answer. It was not enabled, and we'll have a look at that.
Have a good week :)