
This project forked from yahoojapan/athenz-authorizer


athenz policy management library for golang

Home Page: https://www.athenz.io

License: Apache License 2.0



Athenz authorizer


What is Athenz authorizer

Athenz authorizer is a library that caches Athenz policies so that an application can perform the authentication and authorization check of a user request locally.

Overview

Usage

To initialize authorizer.

package main

import (
    "context"
    "log"
    "time"

    authorizerd "github.com/yahoojapan/athenz-authorizer" // import path of the upstream module (assumed)
)

func main() {
    // Initialize authorizerd
    daemon, err := authorizerd.New(
        authorizerd.WithAthenzURL("www.athenz.io"),           // set athenz URL
        authorizerd.WithAthenzDomains("domain1", "domain2"),  // set athenz domains (list every domain to cache)
        authorizerd.WithPubkeyRefreshDuration(time.Hour*24),  // set athenz public key refresh duration
        authorizerd.WithPolicyRefreshDuration(time.Hour),     // set policy refresh duration
    )
    if err != nil {
        // cannot initialize authorizer daemon
        log.Fatal(err)
    }

    // Start authorizer daemon
    ctx := context.Background() // user can control authorizer daemon lifetime using this context
    errs := daemon.Start(ctx)
    go func() {
        err := <-errs
        // user should handle errors returned from the daemon
        log.Println("authorizer daemon:", err)
    }()

    // Verify role token: roleTok is the Athenz role token presented by the caller,
    // act the requested action and res the target resource (placeholder values)
    roleTok, act, res := "<role-token>", "read", "domain1:resource1"
    if err := daemon.VerifyRoleToken(ctx, roleTok, act, res); err != nil {
        // token not authorized
        log.Println("access denied:", err)
    }
}
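As an added example (not part of the original README or the project's own code), the snippet above wired into an HTTP request path: a middleware that derives the Athenz action and resource from the request and lets the daemon's VerifyRoleToken decide. The RoleTokenVerifier interface, the Athenz-Role-Auth header name, the method-to-action mapping and the "domain:path" resource convention are assumptions for this example.

```go
package main

import (
	"context"
	"log"
	"net/http"
	"strings"
)

// RoleTokenVerifier is the slice of the daemon's API the middleware needs; the daemon from authorizerd.New is assumed to satisfy it.
type RoleTokenVerifier interface {
	VerifyRoleToken(ctx context.Context, tok, act, res string) error
}

const roleTokenHeader = "Athenz-Role-Auth" // request header assumed to carry the Athenz role token
// actionFor maps an HTTP method to an Athenz action (constructed mapping); unmapped methods yield "" and are refused.
func actionFor(method string) string {
	switch method {
	case http.MethodGet, http.MethodHead:
		return "read"
	case http.MethodPost, http.MethodPut, http.MethodPatch:
		return "write"
	case http.MethodDelete:
		return "delete"
	}
	return ""
}

// resourceFor builds the Athenz resource name "domain:path" that the cached policy is checked against.
func resourceFor(domain, path string) string {
	return domain + ":" + strings.TrimPrefix(path, "/")
}

// RequireRoleToken runs next only when the role token is authorized for the derived action and resource (no token: 401, daemon refusal: 403).
func RequireRoleToken(v RoleTokenVerifier, domain string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, act := r.Header.Get(roleTokenHeader), actionFor(r.Method)
		if tok == "" || act == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if err := v.VerifyRoleToken(r.Context(), tok, act, resourceFor(domain, r.URL.Path)); err != nil {
			log.Printf("denied %s %s: %v", r.Method, r.URL.Path, err) // log the reason, never the token
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
func main() {} // a real service wires daemon.Start(ctx) then http.ListenAndServe(addr, RequireRoleToken(daemon, "domain1", mux))
```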

How it works

To perform the authentication and authorization check, the user needs to specify which domains' data to cache. The authorizer periodically refreshes the policies and the Athenz public key data used to verify and decode that domain data. The verified domain data is cached in memory and used for the authentication and authorization checks.

The authorizer contains two sub-modules: the Athenz pubkey daemon (pubkeyd) and the Athenz policy daemon (policyd).

Athenz pubkey daemon

The Athenz pubkey daemon (pubkeyd) is responsible for periodically updating the Athenz public key data from the Athenz server. That public key data is used to verify the policy data received by the Athenz policy daemon and to verify role tokens.

Athenz policy daemon

The Athenz policy daemon (policyd) is responsible for periodically updating the policy data of the specified Athenz domains from the Athenz server. The received policy data is verified using the public key obtained from pubkeyd and then cached in memory. Whenever the user requests an access check, the cached, verified policy data is consulted instead of asking the Athenz server every time.

Configuration

The authorizer uses the functional options pattern to initialize the instance. All the options are defined here.

Option name           | Description                                                                                    | Default Value            | Required | Example
AthenzURL             | The Athenz server URL                                                                          | "www.athenz.com/zts/v1"  | No       |
AthenzDomains         | Athenz domain names whose policies are cached                                                  |                          | Yes      | "domName1", "domName2"
Transport             | The HTTP transport used to fetch policy data and Athenz public key data                        | nil                      | No       |
CacheExp              | The TTL of the success cache                                                                   | 1 Minute                 | No       |
PubkeyRefreshDuration | The refresh interval for updating the Athenz public key data                                   | 24 Hours                 | No       |
PubkeySysAuthDomain   | System authority domain name used to retrieve the Athenz public key data                       | sys.auth                 | No       |
PubkeyEtagExpTime     | ETag cache TTL of Athenz public key data                                                       | 168 Hours (1 Week)       | No       |
PubkeyEtagFlushDur    | ETag cache purge interval of Athenz public key data                                            | 84 Hours                 | No       |
PolicyRefreshDuration | The refresh interval for updating Athenz policy data                                           | 30 Minutes               | No       |
PolicyExpireMargin    | The expiry margin for updating policy data: the policy data is refreshed this long before it expires | 3 Hours            | No       |
PolicyEtagExpTime     | ETag cache TTL of policy data                                                                  | 24 Hours                 | No       |
PolicyEtagFlushDur    | Policy data cache purge interval                                                               | 12 Hours                 | No       |

License

Copyright (C) 2018 Yahoo Japan Corporation Athenz team.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

Contributor License Agreement

This project requires contributors to agree to a Contributor License Agreement (CLA).

Note that only for contributions to the garm repository on the GitHub, the contributors of them shall be deemed to have agreed to the CLA without individual written agreements.

Authors
