Output in HTTPs with basic authentication

since nAttrMon version 20210318

If you need to deploy some very basic user authentication for all (or almost all) HTTP communication each of the nOutput_HTTP_* plugs support basic authentication based on a list of static users or by executing a custom function (e.g. authenticating through a LDAP/Active Directory for example).

The best example is located in outputs.disabled/yaml/00.httpAll.yaml:

common: &COMMON
  #keyStore   : /some/folder/ssl.jks
  #keyPassword: 797AD06F0FB6E1E6F4B17EB182670494D3EA259B24245847062CCA0C5D023F26
  authType : basic
  authLocal:
    nattrmon: 
      p: nattrmon
      m: r
    change:
      p: me 
      m: rw
  #authCustom: |
  #   // Custom has priority over local. Comment the entry you won't use.
  #   //
  #   // u - user
  #   // p - password
  #   // s - server object
  #   // r - request object (e.g. uri, method, header["remote-addr"], header["user-agent"], ...)
  #         
  #   // Forced user & password
  #   if (u == "nattrmon" && p == "nattrmon") return true;
  #
  #   // Users from a ldap or active directory
  #   try {
  #     new ow.server.ldap("ldap://my.auth.ldap:389", u + "@my.domain", p);
  #     return true;
  #   } catch(e) {
  #     tlogErr("AUDIT |  authentication refused ().", { user: u, message: e.message });
  #   }
  #
  #   return false;

output:
  # -----------------------------
  - name         : Output HealthZ
    description  : Exposes a /healthz, /livez and /readyz endpoints
    execFrom     : nOutput_HTTP_HealthZ
    execArgs     :
    #  <<            : *COMMON
    #  includeHealthZ: true
    #  includeLiveZ  : true
    #  includeReadyZ : true

  # --------------------------
  - name         : Output JSON
    description  : Outputs attributes, warnings, current and previous values in a JSON representation through HTTP.
    execFrom     : nOutput_HTTP_JSON
    execArgs     : *COMMON

  # --------------------------
  - name         : Output HTTP
    description  : >
      Provides a very basic web site for read-only access to the inputs and warnings generated. It uses the nOutput_HTTPJSON to
      retrieve the necessary data when needed.
    execFrom     : nOutput_HTTP
    execArgs     : 
      <<   : *COMMON
      title: Some title

  # ------------------------------
  - name         : Output Channels
    description  : |
      Provides, on the same nOutput_HTTPJSON or nOutput_HTTP port or other, access to the nAttrMon specific OpenAF channels like: /chs/ops,
      /chs/cvals, /chs/pvals and /chs/attr.
    execFrom     : nOutput_Channels
    execArgs     : *COMMON

  # -----------------------------
  - name         : Output Metrics
    description  : Outputs attributes, warnings, current and previous values in a JSON representation through HTTP.
    execFrom     : nOutput_HTTP_Metrics
    execArgs     : *COMMON

Notes about this example:

  • the authentication details are shared using YAML anchors between all output plugs
  • the HealthZ output plug doesn’t include the authentication details on propose since it doesn’t contain more information other than operational healthz/livez/readyz.
  • this examples is a multiple plugs in one file, so if you have other output plugs for the same outputs you need to remove them (and include any execArgs, if any, in this main example).

The following table provides a description of each execArgs common to all output plugs:

execArg Mandatory? Description
authType Yes Currently only “basic” is supported and it’s based on the browser’s basic authentication mechanism.
authLocal No This is a map containing static user credentials and permissions.
authLocal.user Yes Each map entry will be a static defined user.
authLocal.user.p Yes For each static defined user this map entry will contain the password (encrypted passwords are supported)
authLocal.user.m No This are the modification permissions used currently for the nOutput_Channels plug (“r” for read-only (default if ommited) and “rw” for read-write).
authCustom No Let’s you use an OpenAF javascript function to customize authentication and authorization. The function will receive 4 parameters: u - the username provided, p - the password provided, s - a HTTPServer OpenAF object and r - a request object. The function can set r.channelPermission to customize authorization (“r” or “rw”) for the nOutput_Channels plug. If the function returns true the user will be authenticated otherwise access will be denied. Please refer to the example (that performs a simple LDAP authentication) for more details.

Security considerations

In terms of security since the user credentials will be sent by the browser on every request you should use it only with HTTPs enabled (enabling keyStore and the keyPassword execArgs). The code can have security issues and just provides a very basic user validation mechanism. If you need strong security you should remove the corresponding output plugs or block access to non-secure networks and only permit access with a secure reverse proxy. Keep also in mind that all HTTP based outputs also support the host execArgs to bind the HTTP/HTTPs listening port to a specific network interface.

Audit

As with the usual HTTP output audit logs when an user is authenticated the audit logs will also include the user name with every request. Wrong authentications attemps will also be logged except for authCustom where your custom function should perform the authentication audit logging as exemplified.

See more details about HTTPs outputs in Output in HTTPs.