Client auth Interface

Pravega client can access Pravega APIs through grpc. Some of the admin APIs can be accessed via REST API. The Authorization/Authentication API and plugin works for both of these interfaces.

grpc Client auth Interface

If multiple plugin exists, a client selects its auth handler by setting a grpc header with the name method. This is performed by implementing Credentials interface by passing through the ClientConfig object to the Pravega client. The parameters for authentication are passed through custom grpc headers. These are extracted through grpc interceptors and passed on to the specific auth plugin. This plugin is identified by the method header.

Dynamic extraction of the auth parameters on the client

Dynamic extraction of parameters is also possible using the system properties or environment variables. The order of preference is listed below:

1. User explicitly provides a credential object through the API. This results in overriding the other settings.
2. System properties: System properties are defined in the format: pravega.client.auth.*
3. Environment variables: Environment variables are defined in the format: pravega_client_auth_*
4. In case of option 2 and 3, the caller decides on whether, the class needs to be loaded dynamically by setting the property pravega.client.auth.loadDynamic to true.

REST Client auth Interface

The REST client in order to access the Pravega API uses the similar approach as mentioned in the above sections. The custom auth parameters are sent as the part of the Authorization HTTP header.

The REST server implementation on Pravega Controller extracts these headers and passes it to the valid auth plugin implementation. Then it resumes, if the authentication and authorization matches the intended access pattern.