3.7 User Identities for Accessing Control Interface

Privileges for using and performing various commands over the control interface can be distributed among several users. For example, it is possible to grant some users the rights to only view the component listing, or even to further limit their rights to only see the components they are authorized to know about. Another user may be able to stop or restart components and so on. This privilege separation requires pies to have a notion of user and be able to authenticate it.

An identity provider is an abstract mechanism that pies uses to obtain information about the user who is trying to authenticate for access to a particular control function. As of version 1.8, this mechanism is considered experimental: although it is fully functional, it may change considerably in future releases.

An identity provider supports two operations: authenticating a user, and checking whether that user is a member of a particular group. It is defined in the configuration file using the identity-provider statement.

Config: identity-provider name

Defines an identity provider. It is a block statement:

identity-provider name {
    type type;
    …
}

The provider name is used in diagnostic messages.

The only required substatement is type, which defines the type of the provider. The remaining statements (represented by … above) depend on the type.

Pies version 1.8 supports identity providers of two types: ‘system’ and ‘pam’.

The ‘system’ identity provider uses the system user database for authentication and the system group database for checking group membership. It is declared using the following statement:

identity-provider name {
    type system;
}

Obviously, to use the system identity provider for authentication, pies must be run as root.

The ‘pam’ identity provider uses Pluggable Authentication Modules (PAM) for authentication, and the system group database for checking group membership. It is declared as follows:

identity-provider name {
    type pam;
    service srv;
}

The ‘service’ statement defines the name of the PAM service to use for authentication. If it is absent, the name ‘pies’ is used.

Any number of identity providers can be declared in the configuration file. When authenticating a user, they are tried in turn, in the order of their declaration, until one is found for which authentication succeeds. Subsequent group membership checks for that user then use this identity provider only.
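As an added illustration, not code from pies itself, the following Python models the block syntax and selection rules stated in this section: it parses identity-provider blocks in declaration order, enforces the required type substatement, applies the default PAM service name, and tries providers in turn until one accepts the credentials. The configuration text and the accepting back ends are constructed stand-ins.

```python
import re

# Constructed sample configuration in the identity-provider block syntax
# described above; it is not taken from any real pies deployment.
SAMPLE_CONFIG = """
identity-provider local {
    type system;
}
identity-provider pam-ctl {
    type pam;
    service pies-ctl;
}
identity-provider pam-default {
    type pam;
}
"""

BLOCK_RE = re.compile(r'identity-provider\s+(\S+)\s*\{([^}]*)\}')
STMT_RE = re.compile(r'(\S+)\s+([^;]+);')

def parse_identity_providers(text):
    """Return [(name, settings)] in declaration order, enforcing the rules
    stated in the manual: 'type' is required, only 'system' and 'pam' are
    known, and a pam provider without 'service' defaults to 'pies'."""
    providers = []
    for name, body in BLOCK_RE.findall(text):
        settings = {k: v.strip() for k, v in STMT_RE.findall(body)}
        ptype = settings.get('type')
        if ptype is None:
            raise ValueError(f"identity-provider {name}: missing required 'type'")
        if ptype not in ('system', 'pam'):
            raise ValueError(f"identity-provider {name}: unknown type {ptype!r}")
        if ptype == 'pam':
            settings.setdefault('service', 'pies')
        providers.append((name, settings))
    return providers

def authenticate(providers, accepts, user, password):
    """Model the selection rule: providers are tried in declaration order and
    the name of the first one where authentication succeeds is returned, since
    later group-membership checks must consult that provider only. `accepts`
    is a constructed stand-in for the real system/PAM back ends: provider
    name -> set of (user, password) pairs that back end would accept."""
    for name, _ in providers:
        if (user, password) in accepts.get(name, set()):
            return name
    return None  # no provider accepted the credentials
```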
