identityd

command
v0.0.0-...-ff5f600 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 30, 2016 License: BSD-3-Clause Imports: 18 Imported by: 0

Documentation

Overview

Command identityd runs a daemon HTTP server that uses OAuth to create security.Blessings objects.

Starts an HTTP server that brokers blessings after authenticating through OAuth.

To generate TLS certificates so the HTTP server can use SSL:

go run $(go list -f {{.Dir}} "crypto/tls")/generate_cert.go --host <IP address>

To use Google as an OAuth provider the -google-config-* flags must be set to point to the a JSON file obtained after registering the application with the Google Developer Console at https://cloud.google.com/console

More details on Google OAuth at:

https://developers.google.com/accounts/docs/OAuth2Login

More details on the design of identityd at:

https://vanadium.github.io/designdocs/identity-service.html

Usage:

identityd [flags]

The identityd flags are:

-assets-prefix=
  Host serving the web assets for the identity server.
-discharger-location=
  The name of the discharger service. May be rooted. If empty, the published
  name is used.
-external-http-addr=
  External address on which the HTTP server listens on.  If none is provided
  the server will only listen on -http-addr.
-google-config-web=
  Path to JSON-encoded OAuth client configuration for the web application that
  renders the audit log for blessings provided by this provider.
-http-addr=localhost:8125
  Address on which the HTTP server listens on.
-mount-prefix=identity
  Mount name prefix to use.  May be rooted.
-registered-apps=
  Path to the config file for registered oauth clients.
-remote-signer-blessing-dir=
  Path to the blessings to use with the remote signer. Use the empty string to
  disable the remote signer.
-remote-signer-o-blessing-dir=
  Path to the blessings to use with the remote signer for oauth. Use the empty
  string to disable the remote signer.
-sql-config=
  Path to configuration file for MySQL database connection. Database is used to
  persist blessings for auditing and revocation. File must contain a JSON
  object of the following form:
     {
      "dataSourceName": "[username[:password]@][protocol[(address)]]/dbname", (the connection string required by go-sql-driver; database name must be specified, query parameters are not supported)
      "tlsDisable": "false|true", (defaults to false; if set to true, uses an unencrypted connection; otherwise, the following fields are mandatory)
      "tlsServerName": "serverName", (the domain name of the SQL server for TLS)
      "rootCertPath": "[/]path/server-ca.pem", (the root certificate of the SQL server for TLS)
      "clientCertPath": "[/]path/client-cert.pem", (the client certificate for TLS)
      "clientKeyPath": "[/]path/client-key.pem" (the client private key for TLS)
     }
  Paths must be either absolute or relative to the configuration file
  directory.
-tls-config=
  Comma-separated list of TLS certificate and private key files, in that order.
  This must be provided.

The global flags are:

-alsologtostderr=true
  log to standard error as well as files
-log_backtrace_at=:0
  when logging hits line file:N, emit a stack trace
-log_dir=
  if non-empty, write log files to this directory
-logtostderr=false
  log to standard error instead of files
-max_stack_buf_size=4292608
  max size in bytes of the buffer to use for logging stack traces
-metadata=<just specify -metadata to activate>
  Displays metadata for the program and exits.
-stderrthreshold=2
  logs at or above this threshold go to stderr
-time=false
  Dump timing information to stderr before exiting the program.
-v=0
  log level for V logs
-v23.credentials=
  directory to use for storing security credentials
-v23.i18n-catalogue=
  18n catalogue files to load, comma separated
-v23.namespace.root=[/(dev.v.io:role:vprod:service:mounttabled)@ns.dev.v.io:8101]
  local namespace root; can be repeated to provided multiple roots
-v23.permissions.file=map[]
  specify a perms file as <name>:<permsfile>
-v23.permissions.literal=
  explicitly specify the runtime perms as a JSON-encoded access.Permissions.
  Overrides all --v23.permissions.file flags.
-v23.proxy=
  object name of proxy service to use to export services across network
  boundaries
-v23.tcp.address=
  address to listen on
-v23.tcp.protocol=wsh
  protocol to listen with
-v23.vtrace.cache-size=1024
  The number of vtrace traces to store in memory.
-v23.vtrace.collect-regexp=
  Spans and annotations that match this regular expression will trigger trace
  collection.
-v23.vtrace.dump-on-shutdown=true
  If true, dump all stored traces on runtime shutdown.
-v23.vtrace.sample-rate=0
  Rate (from 0.0 to 1.0) to sample vtrace traces.
-v23.vtrace.v=0
  The verbosity level of the log messages to be captured in traces
-vmodule=
  comma-separated list of globpattern=N settings for filename-filtered logging
  (without the .go suffix).  E.g. foo/bar/baz.go is matched by patterns baz or
  *az or b* but not by bar/baz or baz.go or az or b.*
-vpath=
  comma-separated list of regexppattern=N settings for file pathname-filtered
  logging (without the .go suffix).  E.g. foo/bar/baz.go is matched by patterns
  foo/bar/baz or fo.*az or oo/ba or b.z but not by foo/bar/baz.go or fo*az

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL