Authentication and Authorization¶
TimeSync allows for various forms of authentication determined by the implementation.
Contents
The general scheme of an authentication module looks like this:
{
"auth": {
"type": // type
// ...
},
"object": {
"name": "Ganeti Web Manager",
// ...
}
}
There are two top-level blocks to an authenticated POST request:
auth, containing any authentication information necessaryobject, containing the data of the POST request (see the API docs)
An auth block typically looks like the above example, with a type field
specifying what kind of authentication the client is connecting with, and other
fields as necessary for that kind of connection.
These other fields might be things like password, token, key, etc.
Token-based authentication¶
Token-based is the primary and default authentication method for TimeSync.
TimeSync provides an endpoint at /login, which should be sent a POST
request, with the body fitting one of the other available authentication
schemes (e.g. Password, LDAP). The endpoint returns a JWT token string as its response body. This response body is
used to access the other endpoints:
POST endpoints:
{
"auth": {
"type": "token",
"token": // ...
},
// ...
}
GET and DELETE endpoints: Use the query key token, as in GET /times?token=:token
or DELETE /activities/example?token=:token
For example, the workflow may occur as follows:
POST /login
{
"auth": {
"type": "password",
"username": "example-user",
"password": "pass"
}
}
Response:
{
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ0aW1lc3luYyIsInN1YiI6ImV4Y
W1wbGUtdXNlciIsImV4cCI6MTQ0NjQ5NzQyNzEzMywiaWF0IjoxNDQ2NDk1NTc5OTY3fQ.k8ij2cXBRs5tUe
_cq2RDePCYMpFjVkKqnpU11Q1XEnk"
}
POST /projects
{
"auth": {
"type": "token",
"token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ0aW1lc3luYyIsInN1YiI6ImV
4YW1wbGUtdXNlciIsImV4cCI6MTQ0NjQ5NzQyNzEzMywiaWF0IjoxNDQ2NDk1NTc5OTY3fQ.k8ij2c
XBRs5tUe_cq2RDePCYMpFjVkKqnpU11Q1XEnk"
},
"object": {
"name": "Example Project",
"owner": "example-user",
"uri": "http://example.com/",
"slugs": ["example", "example-project"]
}
}
Response:
{
"name": "Example Project",
"slugs": ["example", "example-project"],
"uri": "http://example.com/",
"owner": "example-user",
"uuid": "9ac95604-28dd-44e0-9ba5-ff9c5e2b2212",
"revision": 1,
"created_at": "2015-11-02",
"updated_at": null,
"deleted_at": null
}
To later get this object back:
GET /projects/example?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJ0aW1lc3luYyI
sInN1YiI6ImV4YW1wbGUtdXNlciIsImV4cCI6MTQ0NjQ5NzQyNzEzMywiaWF0IjoxNDQ2NDk1NTc5OTY3fQ.k8ij2c
XBRs5tUe_cq2RDePCYMpFjVkKqnpU11Q1XEnk
Response:
{
"name": "Example Project",
"slugs": ["example", "example-project"],
"uri": "http://example.com/",
"owner": "example-user",
"uuid": "9ac95604-28dd-44e0-9ba5-ff9c5e2b2212",
"revision": 1,
"created_at": "2015-11-02",
"updated_at": null,
"deleted_at": null
}
API tokens have a life of 30 minutes, and must be used on the same TimeSync instance as they are created.
Password authentication¶
When used with password-based authentication, TimeSync requires a username field and a password field:
{
"auth": {
"type": "password",
"username": "tschuy",
"password": "password"
}
}
This username/password combination is compared to values stored in the local database for authentication.
LDAP Authentication¶
This form is nearly identical to password-based authentication, using a username and password:
{
"auth": {
"type": "ldap",
"username": "tschuy",
"password": "password"
}
}
Instead of comparing the username/password combination to values in a local database, however, the combination is provided to a configured LDAP provider for authentication.