Client auth Interface¶
Pravega client can access Pravega APIs through grpc
. Some of the admin APIs can be accessed via REST
API.
The Authorization/Authentication API and plugin works for both of these interfaces.
grpc Client auth Interface¶
If multiple plugin exists, a client selects its auth handler by setting a grpc
header with the name method
.
This is performed by implementing Credentials interface by passing through the ClientConfig object to the Pravega client.
The parameters for authentication are passed through custom grpc
headers. These are extracted through grpc
interceptors and passed on to the specific auth plugin.
This plugin is identified by the method
header.
Dynamic extraction of the auth parameters on the client¶
Dynamic extraction of parameters is also possible using the system properties or environment variables. The order of preference is listed below:
- User explicitly provides a credential object through the API. This results in overriding the other settings.
- System properties: System properties are defined in the format:
pravega.client.auth.*
- Environment variables: Environment variables are defined in the format:
pravega_client_auth_*
- In case of option 2 and 3, the caller decides on whether, the class needs to be loaded dynamically by setting the property
pravega.client.auth.loadDynamic
to true.
REST Client auth Interface¶
The REST
client in order to access the Pravega API uses the similar approach as mentioned in the above sections. The custom auth parameters are sent as the part of the Authorization
HTTP header.
The REST
server implementation on Pravega Controller extracts these headers and passes it to the valid auth plugin implementation. Then it resumes, if the authentication and authorization matches the intended access pattern.