Enable Basic Authentication
Basic Authentication is being replaced...
...by Unified Authentication, which uses the same user accounts and passwords set up in the API. Basic Authentication is incompatible with Unified Authentication, which was on by default starting with the 4.6 release.
For endpoint security, Hydrolix offers the ability to use Basic Authentication for endpoints. To enable Basic Authentication, add basic_auth
to the hydrolixcluster yaml
configuration file, listing the services that should use Basic Auth. The following endpoints can use Basic Auth:
Service | Description |
---|---|
stream-head | For HTTP based ingest on /ingest/events |
prometheus | For HTTP query of the /prometheus service |
version | For HTTP query on /version which displays the current deployed version |
validator | For HTTP query on /validator to test transform |
Config API
The configuration API uses its own authentication mechanism using
Bearer tokens
. For more information, see Login to Hydrolix.
For example, to use Basic Auth in the stream and version service endpoints, add the following configuration:
apiVersion: hydrolix.io/v1
kind: HydrolixCluster
metadata:
.............
spec:
.........
basic_auth: <----- ADD
- stream-head <----- ADD
- version <----- ADD
...........
By default, Hydrolix uses the username hydrolix
, generates a random password, and stores it as base64 data in the Kubernetes general
Secret. You can retrieve the generated password with the following command:
kubectl get secret general -o jsonpath='{.data.TRAEFIK_PASSWORD}' | base64 -d ; echo
To authenticate with the default hydrolix
username, use your generated password and domain in the following command:
curl -u hydrolix:<PASSWORD> https://$hostname/version
Modify the Curated Secret
The operator pod aggregates all the values from the curated
secret and merges them into the dynamically generated general
secret which is then fetched by the appropriate services.
Because of this, you should modify the curated
Kubernetes Secret if you want to update this password. You can do so by running:
kubectl edit secrets curated
Modify the variable TRAEFIK_PASSWORD
with your (base64-encoded) password.
Per-Service Credentials
Each service can use a different password with Basic Auth. To use per-service credentials, add entries to the curated
secret.
Per-service credentials use a different username for each endpoint with a distinct password. This follows the pattern hydrolix-$<SERVICE-NAME>
.
The following example sets a password for the Traefik Stream Head service endpoint:
---
apiVersion: v1
kind: Secret
metadata:
name: curated
namespace: $HDX_KUBERNETES_NAMESPACE
stringData:
TRAEFIK_STREAM_HEAD_PASSWORD: mousie-thou-art-no-thy-lane
type: Opaque
To authenticate with the Stream Head in this example, use the following:
- username:
hydrolix-stream-head
- password:
mousie-thou-art-no-thy-lane
Updated 24 days ago