Skytable supports token-based authentication as an authentication scheme, with more on the way in future releases. In this document, we explore how you can set up authentication on your Skytable instance.
Token-based authentication is just like password-based authentication with the exception that the password is generated by the server, and is cryptographically strong. All login operations are resistant to brute-force search attacks. Read more here.
There are three kinds of users:
- Superuser: These users have access to everything
- Standard user: These users have access to all tables and keyspaces, but don't have access to the actions exclusive to the superusers. For example, the following actions cannot be performed by standard users:
- Anonymous user: This is the default account type you're logged into when you connect to an instance that has authn/authz enabled. This is a very limited account and only has access to the following:
Currently, there can only be one superuser, which is the root account, and any number of standard users.
Set an origin key using your preferred mode of configuration. The origin key is a 40-character long ASCII string. The simplest way to generate a secure origin key is by using OpenSSL:
openssl rand -hex 20
Now launch a skysh instance and connect to your instance.
First claim the root account using your origin key:
auth claim <origin-key>
The server will respond with the root token. Keep this safe; the root user can only be claimed once!
Now create other users. These users are standard users.
auth adduser <username>
The server will again respond with a token for the given user.
You can now log in using the token:
auth login <username> <token>
See the complete documentation for the auth action here
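The origin-key step above, as an added example that is not part of the Skytable documentation: a shell helper that generates the key, checks that it is 40 printable ASCII characters, and stores it in an owner-only file without overwriting an existing one. The function names and the file path argument are hypothetical, and reading "ASCII" as printable, non-space characters is an assumption.

```shell
#!/bin/sh
# Added example: generate, validate and store a Skytable origin key.
# Function names and the target file path are hypothetical.

# Print a fresh 40-character key (20 random bytes, hex encoded).
gen_origin_key() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 20
    else
        # Fallback (assumption: /dev/urandom and od are available).
        od -An -v -tx1 -N 20 /dev/urandom | tr -d ' \n'
        echo
    fi
}

# Succeed only if $1 is exactly 40 printable, non-space ASCII characters.
# Runs in a subshell so the locale change stays local to the check.
valid_origin_key() (
    LC_ALL=C                      # byte-wise length and ranges
    [ "${#1}" -eq 40 ] || exit 1
    case $1 in
        *[!!-~]*) exit 1 ;;       # any byte outside '!'..'~'
    esac
    exit 0
)

# Write key $1 to file $2 readable by the owner only. An existing file is
# never overwritten, because the origin key is what claims or restores root.
store_origin_key() (
    valid_origin_key "$1" || exit 1
    umask 077                     # new file is created with mode 0600
    set -C                        # noclobber: fail if the file exists
    printf '%s\n' "$1" > "$2"
)

# Demo: report the key length only, so the key itself is not echoed.
key=$(gen_origin_key)
valid_origin_key "$key" && echo "generated a valid ${#key}-character origin key"
```
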
The password produced has 54 characters, is cryptographically strong and hence is extremely secure. The password has the following alphabet (character set):
Every login operation initiates an expensive verification operation that is based on bcrypt; this makes logins resistant to brute-force attacks. Also, just like any password storage system, plaintext passwords are never stored by the server.
Yeah, no matter how well we safeguard our passwords, we tend to lose them. So, don't worry if you did lose any of your tokens. Here are two simple ways to restore your tokens:
- You have your root password: First log into your root account and then run:
  auth restore <username>
  for the users who have lost their passwords
- You have lost your root password: That's okay! See which situation matches yours:
  - You still have your origin key: Simply run:
    auth restore <origin key> root
    You can also run:
    auth restore <origin key> <username>
    to restore other tokens using the origin key, although it's easier to just log into the root account and then restore other accounts
  - You have lost your origin key: That's fine too, as long as you have shell access to the node on which your instance is running. Simply create a new origin key and update your configuration. Then follow the above step (2(i)) and you're good to go. This however means that you'll have to shut down your instance