DistKV and authentication¶
DistKV ships with a couple of rudimentary auth modules.
Currently there is no access control. That’s on the TODO list.
Included user auth methods¶
root¶
No access control. There is one possible user named “*”.
password¶
This is the standard “username plus password” method. Passwords are hashed and salted on the server; transmission of the cleartext password is protected with a separate shared secret (Diffie-Hellman).
This method currently is a bit slow, unless you use test mode (in which case it’s a bit insecure).
_test¶
This is a test method that’s mostly suitable for experiments. It intentionally exchanges redundant messages between client and server.
Users do not have a password.
API¶
The authorization code is modular. DistKV allows loading multiple auth methods, one of which is active. A method may use more than one record type (think “user” or “group”). Each of those records has a name.
The “user” type is only special because server and client use that to process login requests.
Multiple distinct DistKV domains or subdomains are possible, by adding an additional meta-root record anywhere in the entry hierarchy.
- distkv.auth.loader(method: str, typ: str, *a, **k)

- class distkv.auth.BaseServerAuth(data: dict = {})
  This class is used on the server to represent / verify a user.
  The schema verifies whatever data the associated ClientAuth initially sends.
  - classmethod load(data: distkv.model.Entry)
    Create a ServerAuth object from existing stored data.
  - await auth(cmd: distkv.server.StreamCommand, data)
    Verify that @data authenticates this user.
  - info()
    Return whatever public data the user might want to have displayed.
    This includes information to identify the user, but not anything that’d be suitable for verifying or even faking authorization.
  - await check_read(*path, client: distkv.server.ServerClient, data=None)
    Check that this user may read the element at this location. This method may modify the data.
  - await check_write(*path, client: distkv.server.ServerClient, data=None)
    Check that this user may write the element at this location. This method may modify the data.

- class distkv.auth.BaseClientAuth(**data)
  This class is used for creating a data record which authenticates a user.
  The schema verifies the input to build().
  - classmethod build(user)
    Create a user record from the data conforming to this schema.
  - ident
    Some user identifier. Required so that the server can actually find the record.
  - await auth(client: distkv.client.Client, chroot=())
    Authorizes this record with the server.

- class distkv.auth.BaseServerAuthMaker(chain=None, data=None, aux=None)
  This class is used on the server to verify the transmitted user record and to store it in DistKV.
  The schema verifies the data from the client.
  - classmethod load(data: distkv.model.Entry)
    Read the user data from DistKV.
  - classmethod await recv(cmd: distkv.server.StreamCommand, data: distkv.util.attrdict) → distkv.auth.BaseServerAuthMaker
    Create a new user by reading the record from the client.
  - ident
    The record to store this user under.
  - save()
    Return a record to represent this user, suitable for saving to DistKV.
  - await send(cmd: distkv.server.StreamCommand)
    Send a record to the client, possibly multi-step / secured / whatever.

- class distkv.auth.BaseClientAuthMaker(**data)
  This class is used for creating a data record which describes a user record.
  This is not the same as a BaseClientAuth; this class is used to represent stored user data on the server, while a BaseClientAuth is used solely for authentication.
  The schema verifies the input to build().
  - classmethod build(user)
    Create a user record from the data conforming to this schema.
  - ident
    The identifier for this user. Required so that the server can actually find the record.
  - classmethod await recv(client: distkv.client.Client, ident: str, _kind='user')
    Read this user from the server.
  - await send(client: distkv.client.Client, _kind='user')
    Send this user to the server.