Authentication and authorization
Skytable supports token-based authentication as an authentication scheme, with more on the way in future releases. In this document, we explore how you can set up authentication on your Skytable instance.
Token-based authentication
Token-based authentication is just like password-based authentication with the exception that the password is generated by the server, and is cryptographically strong. All login operations are resistant to brute-force search attacks. Read more here.
Permission model
There are three kinds of users:
- Superuser: These users have access to everything.
- Standard user: These users have access to all tables and keyspaces, but don't have access to the actions exclusive to the superusers. For example, the following actions cannot be performed by standard users:
  auth deluser
  auth adduser
- Anonymous user: This is the default account type you're logged into when you connect to an instance that has authn/authz enabled. This is a very limited account and only has access to the following:
  auth claim
  auth login
Currently, there can only be one superuser, which is the root account, and any number of standard users.
Enabling authn
- Set an origin key using your preferred mode of configuration. The origin key is a 40-character long ASCII string. The simplest way to generate a secure origin key is by using OpenSSL:
  openssl rand -hex 20
- Now launch a skysh instance and connect to your instance.
- First claim the root account using your origin key:
  auth claim <origin-key>
  The server will respond with the root token. Keep this safe; the root user can only be claimed once!
- Now create other users. These users are standard users.
  auth adduser <username>
  The server will again respond with a token for the given user.
- You can now login using the token:
  auth login <username> <token>
See the complete documentation for the auth action here.
Security
The password (token) produced is 54 characters long and is generated from a cryptographically strong random source, which makes it extremely hard to guess. The password is drawn from the following alphabet (character set):
./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
Every login operation initiates an expensive verification operation that is based on bcrypt; this makes logins resistant to brute-force attacks. Also, just like any password storage system, plaintext passwords are never stored by the server.
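To make the flow above concrete, here is a small model of the server side of token-based authentication: origin-key generation equivalent to `openssl rand -hex 20`, 54-character tokens drawn from the alphabet listed above, storage of nothing but a salted slow hash, constant-time verification on login, the one-time root claim, and re-issuing a token on restore. This is an added illustration, not Skytable's own code. It assumes PBKDF2-HMAC-SHA256 as a stand-in for the bcrypt the server actually uses (bcrypt is not in the Python standard library), an in-memory dict as the credential store, and that `restore` without an origin key is being called from an already authenticated root session.

```python
"""Model of Skytable's token-based auth flow (added illustration, not Skytable's code)."""
from __future__ import annotations

import hashlib
import hmac
import math
import secrets
from typing import Optional

# Character set the documentation gives for generated tokens (64 symbols).
TOKEN_ALPHABET = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
TOKEN_LEN = 54        # token length stated in the documentation
ORIGIN_KEY_LEN = 40   # 40 ASCII hex characters, i.e. `openssl rand -hex 20`

# Assumption: PBKDF2 rounds stand in for bcrypt's cost factor. Deliberately slow.
KDF_ROUNDS = 100_000


def generate_origin_key() -> str:
    """Equivalent of `openssl rand -hex 20`: 20 CSPRNG bytes rendered as 40 hex chars."""
    return secrets.token_hex(ORIGIN_KEY_LEN // 2)


def generate_token() -> str:
    """Server-generated token: 54 symbols chosen uniformly from TOKEN_ALPHABET by the CSPRNG."""
    return "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LEN))


def token_entropy_bits() -> float:
    """Guess-resistance of a token: log2(|alphabet| ** length) = 54 * 6 = 324 bits."""
    return TOKEN_LEN * math.log2(len(TOKEN_ALPHABET))


def _hash_secret(secret: str, salt: bytes) -> bytes:
    # Slow salted hash; the plaintext secret is never retained anywhere.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, KDF_ROUNDS)


class AuthStore:
    """Stand-in for the server's credential store: only (salt, hash) pairs are kept."""

    def __init__(self, origin_key: str):
        self._origin_salt = secrets.token_bytes(16)
        self._origin_hash = _hash_secret(origin_key, self._origin_salt)
        self._users: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, hash)
        self.root_claimed = False

    def _check(self, secret: str, salt: bytes, expected: bytes) -> bool:
        # Constant-time comparison so a mismatch leaks no prefix information.
        return hmac.compare_digest(_hash_secret(secret, salt), expected)

    def _issue(self, username: str) -> str:
        # Any previously issued token for this user stops working once the hash is replaced.
        token = generate_token()
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_secret(token, salt))
        return token

    def claim(self, origin_key: str) -> str:
        """`auth claim <origin-key>`: create root exactly once and return the root token."""
        if self.root_claimed:
            raise PermissionError("root account has already been claimed")
        if not self._check(origin_key, self._origin_salt, self._origin_hash):
            raise PermissionError("invalid origin key")
        self.root_claimed = True
        return self._issue("root")

    def adduser(self, username: str) -> str:
        """`auth adduser <username>` (superuser only): return the new standard user's token."""
        if username in self._users:
            raise ValueError(f"user {username!r} already exists")
        return self._issue(username)

    def login(self, username: str, token: str) -> bool:
        """`auth login <username> <token>`: verify against the stored hash only."""
        entry = self._users.get(username)
        if entry is None:
            # Assumption: burn a hash anyway so an unknown user is not cheaper to probe.
            _hash_secret(token, bytes(16))
            return False
        return self._check(token, *entry)

    def restore(self, username: str, origin_key: Optional[str] = None) -> str:
        """`auth restore [<origin key>] <username>`: issue a fresh token for the user.

        Assumption: when origin_key is None the caller is an authenticated root session.
        """
        if origin_key is not None and not self._check(
            origin_key, self._origin_salt, self._origin_hash
        ):
            raise PermissionError("invalid origin key")
        if username not in self._users:
            raise KeyError(username)
        return self._issue(username)


if __name__ == "__main__":
    key = generate_origin_key()
    store = AuthStore(key)
    root_token = store.claim(key)
    alice_token = store.adduser("alice")
    print("root login ok:", store.login("root", root_token))
    print("alice login ok:", store.login("alice", alice_token))
    print("token entropy (bits):", token_entropy_bits())
```

Two points the model makes visible that the prose only states: the origin key is the one secret that can mint a root token, so it deserves the same handling as the root token itself, and a restore invalidates the previous token because the stored hash is replaced rather than appended to.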
Restoring tokens
Yeah, no matter how well we safeguard our passwords, we tend to lose them. So, don't worry if you did lose any of your tokens. Here are two simple ways to restore your tokens:
- You have your root password: First log into your root account and then run the following for the users who have lost their passwords:
  auth restore <username>
- You have lost your root password: That's okay! See which situation matches yours:
  - You still have your origin key: Simply run:
    auth restore <origin key> root
    You can also run:
    auth restore <origin key> <username>
    to restore other tokens using the origin key, although it's easier to just log into the root account and then restore other accounts.
  - You have lost your origin key: That's fine too, as long as you have shell access to the node on which your instance is running. Simply create a new origin key and update your configuration. Then follow the above step (2(i)) and you're good to go.
    Note: This, however, means that you'll have to shut down your instance.