DistKV and authentication¶
DistKV ships with a couple of rudimentary auth modules.
Currently there is no access control. That’s on the TODO list.
Included user auth methods¶
root¶
No access control. There is one possible user named “*”.
password¶
This is the standard “username plus password” method. Passwords are hashed and salted on the server; transmission of the cleartext password is protected with a separate shared secret (Diffie-Hellman).
This method currently is a bit slow, unless you use test mode (in which case it’s a bit insecure).
_test¶
This is a test method that’s mostly suitable for experiments. It intentionally exchanges redundant messages between client and server.
Users do not have a password.
API¶
The authorization code is modular. DistKV allows loading multiple auth methods, one of which is active. A method may use more than one record type (think “user” or “group”). Each of those records has a name.
The “user” type is only special because server and client use that to process login requests.
Multiple distinct DistKV domains or subdomains are possible, by adding an additional meta-root record anywhere in the entry hierarchy.
-
distkv.auth.loader(method: str, typ: str, *a, **k)¶
-
class
distkv.auth.BaseServerAuth(data: dict = {})¶ This class is used on the server to represent / verify a user.
The schema verifies whatever data the associated
ClientAuthinitially sends.-
classmethod
load(data: distkv.model.Entry)¶ Create a ServerAuth object from existing stored data
-
await
auth(cmd: distkv.server.StreamCommand, data)¶ Verify that @data authenticates this user.
-
info()¶ Return whatever public data the user might want to have displayed.
This includes information to identify the user, but not anything that’d be suitable for verifying or even faking authorization.
-
await
check_read(*path, client: distkv.server.ServerClient, data=None)¶ Check that this user may read the element at this location. This method may modify the data.
-
await
check_write(*path, client: distkv.server.ServerClient, data=None)¶ Check that this user may write the element at this location. This method may modify the data.
-
classmethod
-
class
distkv.auth.BaseClientAuth(**data)¶ This class is used for creating a data record which authenticates a user.
The schema verifies the input to
build().-
classmethod
build(user)¶ Create a user record from the data conforming to this schema.
-
ident¶ Some user identifier. Required so that the server can actually find the record.
-
await
auth(client: distkv.client.Client, chroot=())¶ Authorizes this record with the server.
-
classmethod
-
class
distkv.auth.BaseServerAuthMaker(chain=None, data=None, aux=None)¶ This class is used on the server to verify the transmitted user record and to store it in DistKV.
The schema verifies the data from the client.
-
classmethod
load(data: distkv.model.Entry)¶ Read the user data from DistKV
-
classmethod await
recv(cmd: distkv.server.StreamCommand, data: distkv.util.attrdict) → distkv.auth.BaseServerAuthMaker¶ Create a new user by reading the record from the client
-
ident¶ The record to store this user under.
-
save()¶ Return a record to represent this user, suitable for saving to DistKV
-
await
send(cmd: distkv.server.StreamCommand)¶ Send a record to the client, possibly multi-step / secured / whatever
-
classmethod
-
class
distkv.auth.BaseClientAuthMaker(**data)¶ This class is used for creating a data record which describes a user record.
This is not the same as a
BaseClientAuth; this class is used to represent stored user data on the server, while aBaseClientAuthis used solely for authentication.The schema verifies the input to
build().-
classmethod
build(user)¶ Create a user record from the data conforming to this schema.
-
ident¶ The identifier for this user.
Required so that the server can actually find the record.
-
classmethod await
recv(client: distkv.client.Client, ident: str, _kind='user')¶ Read this user from the server.
-
await
send(client: distkv.client.Client, _kind='user')¶ Send this user to the server.
-
classmethod