✨ 💥 Add Authentication and ACLs #20

linkdd · 2024-08-24T14:19:55Z

Decision Record

Access Control is an important part of any software dealing with potentially secret data (in this case, system logs).

Design

FlowG will use a Role Based Access Control design (RBAC for short). Each role will assign permissions to a specific scope. The following scopes has been identified:

Scope Name	Description
`read_pipelines`	Can see a pipeline's flow, but cannot update it nor delete it
`write_pipelines`	Can create, read, update or delete a pipeline flow
`read_transformers`	Can see the source code of a transformer, but cannot update it nor delete it
`write_transformers`	Can create, read, update, or delete a transformer script
`read_streams`	Can query a stream
`write_streams`	Can purge a stream
`read_acls`	Can list users and roles, but cannot update them nor delete them
`write_acls`	Can create, read, update or delete roles and users
`send_logs`	Can send logs to a pipeline for processing (useful for log sources)

Each user is associated to one or more roles. A user has a required password, and can have zero or more personal access tokens.

The user password will be used to login to the Web UI, while the personal access tokens will be used to access the API.

Implementation

Passwords and Personal Access Tokens will be hashed using Argon2.

The authentication system will use a separate BadgerDB database to store users and roles.

Changes

License Agreement

I guarantee that I have the rights on the code submitted in this PR
I accept that this contribution will be released under the terms of the MIT License

…-dir` and `-config` CLI flag to `-config-dir`

…n for now)

… be done in a later feature

…mself

…ances

linkdd added this to the 1.0.0 milestone Aug 24, 2024

linkdd self-assigned this Aug 24, 2024

linkdd linked an issue Aug 24, 2024 that may be closed by this pull request

✨ Authentication and ACLs #13

Closed

linkdd force-pushed the auth-acl branch from 6c64618 to fbd4c29 Compare August 25, 2024 03:03

linkdd added 26 commits August 26, 2024 12:33

⬆️ templ v0.2.771

ec6e1ab

🚚 rename storage package into logstorage, -db CLI flag to `-log…

5da2d9c

…-dir` and `-config` CLI flag to `-config-dir`

🔥 remove CLI flags set by dependencies

1affe57

📌 🐳 pin alpine to 3.20 and task to 3.38.0

7eaaee0

➕ add cobra

03bf013

♻️ use cobra for CLI

6586f8f

🚚 move badger specific logger interface to logging package

d9a1462

🏷️ add auth related types

79968e4

🛂 add builtin auth scopes

a8f288b

🚧 add beginning of auth database (supports only role creation/deletio…

a9427f7

…n for now)

✨ mark --log-dir and --config-dir as dirnames for bash completion

6c694d3

🔊 log potential error when closing log database

c6d8acd

✨ add admin createrole command

52b41c3

♻️ split badger logs by lines

910893a

✨ add all CRUD operations related to roles

7ed0011

✨ add all CLI commands related to role management

09f77b3

➕ add crypto package

f473eed

✨ add password hashing package

05b71ed

✅ add test suite for password hashing package

5e4b77a

🐳 run test suite in Docker image

fad782d

🛂 add CRUD operations for users and permission verification

a6bbb83

🛂 add Personal Access Tokens

2c6e402

➕ move chi to direct dependencies

fc1f9d3

🛂 add Bearer authentication to API using Personal Access Tokens

6a61673

🛂 verify user permissions for each API route

b106848

✨ add ability to discard logs

0c9b9b0

linkdd added 13 commits August 27, 2024 12:39

🐛 fix blinking bug on floweditor

acf398b

🔥 remove unused variable

042a735

♻️ split create_users scope into read_acls and write_acls

bb509e0

📝 update auth documentation with new scopes

21bbf1d

💄 increase padding in flowg admin role list command

65864df

🚧 add beginning of admin view

01af5c2

👕 remove semicolons in JS code

06922f6

♻️ 💄 use html entities instead of UTF-8 chars

f195a27

✨ add role creation/deletion in admin view

c4f87d4

💄 add user creation/deletion in admin view

16bfd0a

💄 add icons to admin forms

6a229cb

🐛 do not swap html content when deletion failed in admin controller

a8ce30d

💄 🐛 add missing notifications

6287ece

linkdd changed the title ~~✨ Add Authentication and ACLs~~ ✨ 💥 Add Authentication and ACLs Aug 28, 2024

linkdd added 12 commits August 28, 2024 17:02

✨ add API operations to manage roles, users and tokens

7242038

📝 remove mention of token expiration date in documentation as it will…

259f0ff

… be done in a later feature

🔒 allow only the current user to create personal access tokens for hi…

928a047

…mself

💄 🚧 add account view with form to change password

4bfcf53

✨ add methods to list and delete personal access tokens

594f94c

✨ add API operations to list and delete personal access tokens

b84e2c5

💄 add UI to manage Personal Access Tokens

3e33f17

📝 fix README guides

6dafbf3

✅ update benchmark

00c2b87

⚡ reduce complexity of hashing algorithm to avoid huge hit on perform…

7333bbd

…ances

📝 update screenshots

e3b297a

🔖 v0.2.0

889d9c4

linkdd marked this pull request as ready for review August 28, 2024 19:02

linkdd merged commit 04d341f into main Aug 28, 2024
2 checks passed

linkdd deleted the auth-acl branch August 28, 2024 19:09

linkdd mentioned this pull request Aug 29, 2024

♻️ Cleanup code #32

Merged

8 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

✨ 💥 Add Authentication and ACLs #20

✨ 💥 Add Authentication and ACLs #20

linkdd commented Aug 24, 2024 •

edited

Loading

✨ 💥 Add Authentication and ACLs #20

✨ 💥 Add Authentication and ACLs #20

Conversation

linkdd commented Aug 24, 2024 • edited Loading

Decision Record

Design

Implementation

Changes

License Agreement

linkdd commented Aug 24, 2024 •

edited

Loading