Authentication and Access Control
Access to the Tawon Controller API is authenticated and supports role-based access control.
Roles
There are four roles, listed from highest to lowest. Each role inherits the privileges of the roles below it:
- Admin: has full privileges, including user management.
- Writer: can create directives.
- Reader: can read existing directives.
- TopologyRead: can read topology.
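The inheritance rule above can be modelled as an ordered role hierarchy, where an action is permitted when the caller's role is at or above the lowest role that grants it. The following is an added illustration, not the Controller's own code; the action names and the mapping from action to minimum role are assumptions made for the example, and unknown roles or actions are denied (fail closed).

```python
# Added illustration of the Admin > Writer > Reader > TopologyRead hierarchy.
# Not Tawon's own code; action names below are assumptions for this example.
from enum import IntEnum


class Role(IntEnum):
    """Ordered so that a higher value inherits every lower role's privileges."""
    TOPOLOGY_READ = 1
    READER = 2
    WRITER = 3
    ADMIN = 4


# Role strings as they appear in tawon.yaml, mapped onto the ordered enum.
ROLE_BY_NAME = {
    "Admin": Role.ADMIN,
    "Writer": Role.WRITER,
    "Reader": Role.READER,
    "TopologyRead": Role.TOPOLOGY_READ,
}

# Lowest role that grants each action (assumed action names, not Tawon's API).
REQUIRED_ROLE = {
    "read_topology": Role.TOPOLOGY_READ,
    "read_directive": Role.READER,
    "create_directive": Role.WRITER,
    "manage_users": Role.ADMIN,
}


def parse_role(name: str) -> Role:
    """Map a configured role string to the enum; unknown names are an error."""
    try:
        return ROLE_BY_NAME[name]
    except KeyError:
        raise ValueError(f"unknown role {name!r}") from None


def is_allowed(role_name: str, action: str) -> bool:
    """True if the role, or one it inherits from, grants the action.

    Unknown actions and unknown roles are denied rather than silently allowed.
    """
    needed = REQUIRED_ROLE.get(action)
    if needed is None:
        return False
    try:
        return parse_role(role_name) >= needed
    except ValueError:
        return False


def allowed_actions(role_name: str) -> list:
    """All actions a role can perform, including inherited ones."""
    return sorted(a for a in REQUIRED_ROLE if is_allowed(role_name, a))


if __name__ == "__main__":
    for name in ROLE_BY_NAME:
        print(f"{name:13s} -> {allowed_actions(name)}")
```

Because the comparison is on the enum's ordering, adding a new role only requires placing it at the right rank; no per-action lists need to be duplicated for the roles above it.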
Bootstrapping
The first user to log in to the controller creates the first Admin user. This first-user bootstrapping happens only once, on controller initialization.
To log in, see the tawon login documentation.
You can disable this behavior by passing --auth.init=false to the Controller.
Configuration users
Alternatively, you can bootstrap with users passed as configuration to the controller. By default, this initialization method is not enabled. You must pass the --auth.useusers flag to enable it. In your tawon.yaml, configure users like so:

    auth:
      userusers: true
      users:
        - username: "alice"
          password: "password123"
          name: "Alice"
          role: "Admin"
        - username: "bob"
          password: "passwordabc"
          name: "Bob"
          role: "Reader"
Credentials
User passwords and session tokens are salted and hashed (Argon2i) in the database.
The login method is rate limited per username.
When a new user is created, their password is not set until their first login. By default they have 24h to log in and set their password (see the tawon login documentation). This duration can be changed on the Controller with the --auth.reset flag (e.g. --auth.reset 1h or --auth.reset 10m).
Admin users can also reset the password of an existing account (or reset the timer on a new account). This password reset uses the same --auth.reset configuration.
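The credential rules above (salted hashes, per-username rate limiting, a reset window in which a new or admin-reset account must set its password) fit together into a small lifecycle. The following is an added model of that lifecycle, not the Controller's implementation. The page says the Controller uses Argon2i; that requires the third-party argon2-cffi package, so this example substitutes the standard library's scrypt as a stand-in (an assumption), and the attempt limit and rate window are assumed values. Time is passed in explicitly so the expiry and rate-limit paths can be exercised deterministically.

```python
# Added model of the credential lifecycle described on the page. Not Tawon's code.
# scrypt stands in for Argon2i (assumption); MAX_ATTEMPTS / RATE_WINDOW are assumed.
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RESET_WINDOW = 24 * 3600   # seconds; the page's default, tunable via --auth.reset
MAX_ATTEMPTS = 5           # login attempts per username per RATE_WINDOW (assumed)
RATE_WINDOW = 60           # seconds (assumed)


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted memory-hard hash; stand-in for the Argon2i the page names."""
    return hashlib.scrypt(secret.encode(), salt=salt, n=2**14, r=8, p=1)


@dataclass
class Account:
    username: str
    role: str
    password_hash: Optional[bytes] = None            # None until first login sets it
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    reset_deadline: Optional[float] = None           # must set password before this
    attempts: List[float] = field(default_factory=list)


class AuthStore:
    def __init__(self, reset_window: int = RESET_WINDOW):
        self.reset_window = reset_window
        self.accounts: Dict[str, Account] = {}

    def create_user(self, username: str, role: str, now: float) -> Account:
        """New accounts start without a password and a deadline to set one."""
        acct = Account(username, role, reset_deadline=now + self.reset_window)
        self.accounts[username] = acct
        return acct

    def admin_reset(self, admin: Account, username: str, now: float) -> None:
        """Only Admin may clear a password; this also restarts the reset timer."""
        if admin.role != "Admin":
            raise PermissionError("only Admin may reset passwords")
        acct = self.accounts[username]
        acct.password_hash = None
        acct.salt = os.urandom(16)
        acct.reset_deadline = now + self.reset_window

    def _rate_limited(self, acct: Account, now: float) -> bool:
        """Sliding window per username; counts failed and successful attempts alike."""
        acct.attempts = [t for t in acct.attempts if now - t < RATE_WINDOW]
        if len(acct.attempts) >= MAX_ATTEMPTS:
            return True
        acct.attempts.append(now)
        return False

    def login(self, username: str, password: str, now: float) -> str:
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"            # same answer as a bad password
        if self._rate_limited(acct, now):
            return "rate_limited"
        if acct.password_hash is None:
            # First login sets the password, but only inside the reset window.
            if acct.reset_deadline is None or now > acct.reset_deadline:
                return "expired"
            acct.password_hash = hash_secret(password, acct.salt)
            acct.reset_deadline = None
            return "password_set"
        if hmac.compare_digest(hash_secret(password, acct.salt), acct.password_hash):
            return "ok"
        return "denied"


if __name__ == "__main__":
    store = AuthStore(reset_window=3600)
    store.create_user("alice", "Admin", now=0)
    print(store.login("alice", "s3cret", now=10))   # password_set
    print(store.login("alice", "s3cret", now=20))   # ok
```

An account whose window has lapsed returns "expired" rather than accepting whatever password is offered, which is the failure mode the reset timer exists to close; an Admin then restarts the window with admin_reset.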