@@ -208,6 +208,39 @@ These optional flags are read from the process environment (for example via `/et
- `DAILY_AGG_GO`: set to `1` (default in `src/vctp.default`) to use the Go daily aggregation path.
- `MONTHLY_AGG_GO`: set to `1` (default in `src/vctp.default`) to use the Go monthly aggregation path.
## Authentication and Authorization
Authentication uses LDAP bind + JWT bearer tokens.
Login flow:
1. Call `POST /api/auth/login` with JSON body:
```json
{ "username": "your-user", "password": "your-password" }
```
2. On success, use returned `access_token` as:
```http
Authorization: Bearer <access_token>
```
Auth modes:
- `settings.auth_mode: disabled`: middleware bypassed.
- `settings.auth_mode: optional`: protected endpoints accept missing token, but validate any provided token.
- `settings.auth_mode: required`: protected endpoints require a valid bearer token.
Role policy:
- `viewer`: read/report APIs (for example `/api/report/*`, `/api/diagnostics/daily-creation`).
- `admin`: mutating/admin APIs (for example `/api/snapshots/*` mutating endpoints, `/api/event/*`, `/api/import/vm`, `/api/encrypt`, `/api/vcenters/cache/rebuild`).
- `admin` implies `viewer` access.
Public endpoints:
- UI pages (`/`, `/vcenters`, `/snapshots/*`, `/vm/trace`)
- Swagger UI/docs (`/swagger`, `/swagger/`, `/swagger.json`)
- Metrics (`/metrics`)
- Login (`/api/auth/login`)
Debug endpoints:
- `/debug/pprof/*` handlers are only registered when `settings.enable_pprof: true`.
- When enabled, they require an authenticated `admin` token.
## Credential Encryption Lifecycle
At startup, vCTP resolves `settings.vcenter_password` using this order:
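Review bot: the `settings.auth_mode: optional` bullet ("protected endpoints accept missing token, but validate any provided token") does not say which role an unauthenticated request gets, so it is unclear whether the `admin`-only mutating endpoints listed under Role policy are reachable without a token in this mode. Spell out whether a missing token yields no role (so both `viewer` and `admin` checks fail with 401/403), is treated as `viewer`, or bypasses role checks entirely, and say which modes the role policy is guaranteed to hold in. Also worth a sentence under Public endpoints: `/metrics` and `/swagger.json` are served without authentication, so operators should restrict them at the network layer if the metrics or API schema are considered sensitive.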
@@ -256,6 +289,24 @@ HTTP/TLS:
- `settings.tls_cert_filename`: PEM certificate path (TLS mode)
- `settings.tls_key_filename`: PEM private key path (TLS mode)
Authentication:
- `settings.auth_enabled`: enables LDAP/JWT auth components.
- `settings.auth_mode`: `disabled`, `optional`, or `required`.
- `settings.auth_jwt_signing_key`: base64 signing key for JWTs.
- RPM postinstall auto-generates and writes this key to `/etc/dtms/vctp.yml` if it is missing/empty.
- `settings.auth_token_lifespan_minutes`: JWT access token lifetime.
- `settings.auth_jwt_issuer`: expected JWT issuer.
- `settings.auth_jwt_audience`: expected JWT audience.
- `settings.auth_clock_skew_seconds`: allowed clock skew for token validation.
- `settings.auth_group_role_mappings`: map of LDAP group DN -> role (`viewer` or `admin`).
- `settings.ldap_groups`: optional allowlist of LDAP group DNs required for login.
- `settings.ldap_bind_address`: LDAP/LDAPS URL used for authentication.
- `settings.ldap_base_dn`: LDAP base DN for user/group lookups.
- `settings.ldap_trust_cert_file`: optional CA cert file for LDAP TLS.
- `settings.ldap_disable_validation`: disables LDAP TLS cert validation.
- `settings.ldap_insecure`: insecure LDAP TLS mode.
- `settings.enable_pprof`: enables `/debug/pprof/*` routes (still admin-gated).
vCenter:
- `settings.encryption_key`: optional explicit key source for credential encryption/decryption.
If unset, vCTP derives a host key from hardware/host identity.
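Review bot: `settings.ldap_disable_validation` ("disables LDAP TLS cert validation") and `settings.ldap_insecure` ("insecure LDAP TLS mode") read as the same knob; document how they differ and their defaults, and note that either one lets the bind, which carries the user's password, go to an unverified peer, so they belong under a test-only caveat rather than in the plain option list. Two more gaps in the same list: the precedence between `settings.auth_enabled` and `settings.auth_mode` is unstated (what does `auth_enabled: false` with `auth_mode: required` do?), and `settings.auth_jwt_signing_key` gives no required length or signing algorithm; since the RPM postinstall writes that key into `/etc/dtms/vctp.yml`, the expected ownership and file mode of that file should be stated next to it. Finally, the `settings.encryption_key` line should spell out the consequence of the host-identity fallback: credentials encrypted with the derived key are tied to that host and hardware, so operators who plan to migrate or rebuild the host should set an explicit key.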